From: Jorge Davila
Subject: Re: SNAT trouble: Linux box ignores incoming packets
Date: Thu, 16 Aug 2007 15:38:00 -0600
To: admin, netfilter@lists.netfilter.org

Sorry admin:

I tried to read your rules, but reading is some sort of "guessing" about which address spaces are linked with which interface.

Which public interface is the LAN using (eth2 or eth3)? Is eth1 unused in your configuration?

Is the LAN supposed to send the traffic via eth2 or eth3? What do we see with

ip a
ip r

?

Jorge Dávila.

On Thu, 16 Aug 2007 18:59:03 +0400 admin wrote:

> I've got a rather bizarre configuration: Linux box has 4 ethernet
> devices (eth0, eth1, eth2, and eth3). eth2 and eth3 are looking to
> Internet, eth0 is LAN.
>
> I've configured SNAT so that it should give Internet access to the
> 192.168.91.0/24 network. Outgoing packets are translated right, and
> the external server sends a reply. However, the reply packet seems to
> be killed by iptables or otherwise ignored by the box (wireshark
> shows it, but the packet isn't going anywhere else). Having said that,
> I should notice that SNAT for tcp port 4000 works fine (this one is
> for an outgoing connection from the box to 192.168.91.254. I know this
> string should be modified but this is not the main trouble for now).
>
> IP forwarding is turned on, and the iptables rules look like this:
>
> # Generated by iptables-save v1.3.7 on Thu Aug 16 14:10:37 2007
> *nat
> :PREROUTING ACCEPT [70:7232]
> :POSTROUTING ACCEPT [1:73]
> :OUTPUT ACCEPT [1:73]
> -A POSTROUTING -p ip -s 192.168.92.0/255.255.255.0 -d ! 192.168.92.0/24 -j SNAT --to-source
> -A POSTROUTING -p ip -s 192.168.91.0/255.255.255.0 -d ! 192.168.91.0/24 -j LOG --log-prefix "SNAT "
> -A POSTROUTING -p ip -s 192.168.91.0/255.255.255.0 -d ! 192.168.91.0/24 -j SNAT --to-source
> -A POSTROUTING -p tcp -s ! 192.168.91.0/24 -d 192.168.91.0/24 --dport 4000 -j SNAT --to-source 192.168.91.223
> -A PREROUTING -d -p tcp -m tcp --dport 4000 -j DNAT --to-destination 192.168.91.254
> -A OUTPUT -d -p tcp -m tcp --dport 4000 -j DNAT --to-destination 192.168.91.254:4000
> COMMIT
> # Completed on Thu Aug 16 14:10:37 2007
> # Generated by iptables-save v1.3.7 on Thu Aug 16 14:10:37 2007
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [7063:2716993]
> :FWFORWARD - [0:0]
> :FWINPUT - [0:0]
> :INPUTDMZ - [0:0]
> :INPUTINET - [0:0]
> :INPUTETH2 - [0:0]
> :INPUTETH3 - [0:0]
> :INPUTLAN - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -j FWINPUT
> -A FORWARD -j FWFORWARD
> -A OUTPUT -j ACCEPT
> -A FWFORWARD -p tcp -d 192.168.91.254 --dport 4000 -j ACCEPT
> -A FWFORWARD -i eth2 -j DROP
> -A FWFORWARD -i eth3 -j DROP
> -A FWFORWARD -p ip -d 192.168.92.0/255.255.255.0 -j DROP
> -A FWFORWARD -p ip -d 192.168.91.0/255.255.255.0 -j DROP
> -A FWFORWARD -j ACCEPT
> -A FWINPUT -i lo -j ACCEPT
> -A FWINPUT -p icmp -j ACCEPT
> -A FWINPUT -i eth0 -j INPUTLAN
> -A FWINPUT -i eth1 -j INPUTDMZ
> -A FWINPUT -i eth2 -j INPUTINET
> -A FWINPUT -i eth3 -j INPUTINET
> -A FWINPUT -j DROP
> -A INPUTDMZ -p ip -s ! 192.168.92.0/255.255.255.0 -j DROP
> -A INPUTDMZ -p ip -d 192.168.91.0/24 -j DROP
> -A INPUTDMZ -j ACCEPT
> -A INPUTINET -d 192.168.91.0/24 -j ACCEPT
> -A INPUTINET -d -j INPUTETH2
> -A INPUTINET -d -j INPUTETH3
> -A INPUTINET -j DROP
> -A INPUTETH2 -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUTETH2 -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUTETH2 -p tcp -m tcp --dport 110 -j ACCEPT
> -A INPUTETH2 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUTETH2 -j DROP
> -A INPUTETH3 -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUTETH3 -p udp -m udp --dport 53 -j ACCEPT
> -A INPUTETH3 -p tcp -m tcp --dport 4000 -j ACCEPT
> -A INPUTETH3 -p tcp -m tcp --dport 6112 -j ACCEPT
> -A INPUTETH3 -p tcp -m tcp --dport 6200 -j ACCEPT
> -A INPUTETH3 -p tcp -m tcp --dport 6113 -j ACCEPT
> -A INPUTETH3 -j DROP
> -A INPUTLAN -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUTLAN -p tcp -m tcp --dport 110 -j ACCEPT
> -A INPUTLAN -p tcp -m tcp --dport 3128 -j ACCEPT
> -A INPUTLAN -p ip -s 192.168.91.222 -j ACCEPT
> -A INPUTLAN -p ip -s 192.168.91.254 -j ACCEPT
> -A INPUTLAN -p ip -s 192.168.91.88 -j ACCEPT
> -A INPUTLAN -p ip -s 192.168.91.233 -j ACCEPT
> -A INPUTLAN -p ip -s 192.168.91.0/24 -d ! 192.168.92.0/24 -j ACCEPT
> -A INPUTLAN -j DROP
> COMMIT
> # Completed on Thu Aug 16 14:10:37 2007
>
>
>

Jorge Isaac Davila Lopez
Nicaragua Open Source
+505 430 5462
davila@nicaraguaopensource.com
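As an added example (not part of the thread), the FORWARD -> FWFORWARD rules quoted above are modelled in Python and replayed against a constructed reply packet. It assumes the SNAT has already been reversed in PREROUTING, so the reply's destination is the LAN host (a hypothetical 192.168.91.10 talking to a hypothetical 203.0.113.5); it shows the reply reaching FWFORWARD's "-i eth2 -j DROP" because the quoted FORWARD chain has no RELATED,ESTABLISHED accept, unlike INPUT, and how the same packet fares once that rule is added.

```python
import ipaddress

# FORWARD -> FWFORWARD as quoted above (elided addresses left out); a missing key matches anything.
FWFORWARD = [
    {"proto": "tcp", "dst": "192.168.91.254/32", "dport": 4000, "target": "ACCEPT"},
    {"in": "eth2", "target": "DROP"},
    {"in": "eth3", "target": "DROP"},
    {"dst": "192.168.92.0/24", "target": "DROP"},
    {"dst": "192.168.91.0/24", "target": "DROP"},
    {"target": "ACCEPT"},
]
CHAINS = {"FORWARD": [{"target": "FWFORWARD"}], "FWFORWARD": FWFORWARD}

# Same ruleset with the one rule INPUT has and FORWARD lacks: accept replies first.
FIXED = dict(CHAINS)
FIXED["FORWARD"] = [{"state": ("RELATED", "ESTABLISHED"), "target": "ACCEPT"}] + CHAINS["FORWARD"]

# Constructed reply: 203.0.113.5 answering a LAN client (hypothetical 192.168.91.10,
# ephemeral port 51234). PREROUTING has already undone the SNAT, so dst is the LAN host.
REPLY = {"in": "eth2", "proto": "tcp", "src": "203.0.113.5", "dst": "192.168.91.10",
         "dport": 51234, "state": "ESTABLISHED"}

def matches(rule, pkt):
    """True if every match criterion in the rule applies to the packet."""
    for key, want in rule.items():
        if key == "target":
            continue
        if key == "dst":
            if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(want):
                return False
        elif key == "state":
            if pkt["state"] not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(chains, chain, pkt, policy="DROP"):
    """Walk a chain in order, descending into user chains; return (verdict, rule)."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule["target"] in chains:            # jump; a user chain may fall through
            v, r = verdict(chains, rule["target"], pkt, policy=None)
            if v is not None:
                return v, r
        else:
            return rule["target"], rule
    return policy, None                         # end of chain: built-in policy, or return

if __name__ == "__main__":
    print(verdict(CHAINS, "FORWARD", REPLY))    # ('DROP', {'in': 'eth2', 'target': 'DROP'})
    print(verdict(FIXED, "FORWARD", REPLY))     # ('ACCEPT', {'state': (...), 'target': 'ACCEPT'})
```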