Old 10-13-2006, 11:31 AM   #1
LQ Newbie
Registered: Oct 2006
Posts: 2

Rep: Reputation: 0


So, I had to rebuild my RH9 machine after a hardware fault and chose CentOS 4.4. All was looking good and then I realised I didn't have a backup of my firewall script. No big deal, I used a pretty standard one but the customised NAT/MASQ was not backed up anywhere.

So I have put some NAT/MASQ commands in but I cannot resolve an issue for traffic on one port I am configuring. Although I have put the recommended lines into the script, I can still see packets being dropped in my /var/log/messages file.

Here's the scoop...


ExtIF is eth1 on my gateway, IP
IntIF is eth0 on my gateway, IP
IP of my local machine is
NAT of to external machines on port 1412
lines in my firewall script for NAT:


$IPTABLES -A FORWARD -j drop-and-log-it


$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --dport 1412 -j DNAT --to
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p udp -d $EXTIP --dport 1412 -j DNAT --to
It would appear that my IP is being forwarded out but traffic returning is being dropped (entries in /var/log/messages):

Oct 13 17:00:00 host kernel: IN=eth1 OUT=eth0 SRC=999.999.999.999 DST= LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=34746 DF PROTO=TCP SPT=2900 DPT=1412 WINDOW=64240 RES=0x00 SYN URGP=0
(actual external IP replaced with 999.999.999.999)

I am unsure whether I need to add other rules regarding established packets etc. but if anyone can enlighten me to my error/omission, I would be grateful.


Old 10-13-2006, 11:44 AM   #2
Senior Member
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
The packet example you showed in your log example is a SYN packet which is the first packet of a NEW connection, and you don't have a rule to ACCEPT NEW packets.

The NEW rule needs to be just for that port. Otherwise everything gets in.

A better listing comes from iptables-save.
This shows what is active and in actual sequence.

Last edited by peter_robb; 10-13-2006 at 11:54 AM.
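The rule ordering the reply describes, as an added example that is not the poster's script or the reply's own code: the DNAT rules in nat PREROUTING, then in FORWARD an ACCEPT for ESTABLISHED,RELATED, an ACCEPT for NEW limited to port 1412 and the one internal host, and only then the catch-all drop-and-log-it rule. The interface names are taken from the post; the external and internal addresses are placeholders, since the post left them blank.

```shell
#!/bin/sh
# Added example, not the original poster's firewall script.
# Placeholders (set in the environment to override): the post did not
# include the real EXTIP or the internal machine's address.
IPTABLES="${IPTABLES:-iptables}"   # IPTABLES=echo prints the rules instead of applying them
EXTIF="${EXTIF:-eth1}"             # external interface, as in the post
INTIF="${INTIF:-eth0}"             # internal interface, as in the post
EXTIP="${EXTIP:-203.0.113.10}"     # placeholder external address (TEST-NET-3)
INTHOST="${INTHOST:-192.168.1.20}" # placeholder LAN host that receives port 1412
PORT=1412

# Emit the rules in the order they must be appended: iptables stops at the
# first matching rule, so the ACCEPTs for the forwarded port have to sit
# above the drop-and-log-it rule or the forwarded SYN is logged and dropped.
nat_rules() {
    for proto in tcp udp; do
        echo "$IPTABLES -t nat -A PREROUTING -i $EXTIF -p $proto -d $EXTIP --dport $PORT -j DNAT --to $INTHOST:$PORT"
    done
    # Return traffic for connections already tracked by conntrack
    echo "$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # NEW connections only for the DNATed port and only to the one host
    for proto in tcp udp; do
        echo "$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p $proto -d $INTHOST --dport $PORT -m state --state NEW -j ACCEPT"
    done
    # Everything else is still logged and dropped, as in the original script
    echo "$IPTABLES -A FORWARD -j drop-and-log-it"
}

# Check the generated order: the first NEW ACCEPT for the port must appear
# before the drop-and-log-it rule.
check_order() {
    rules=$(nat_rules)
    accept_line=$(printf '%s\n' "$rules" | grep -n "FORWARD.*--dport $PORT.*NEW.*ACCEPT" | head -1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n "drop-and-log-it" | cut -d: -f1)
    [ -n "$accept_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

# Apply the rules (needs root); with IPTABLES=echo this only prints them.
apply_rules() {
    nat_rules | while read -r cmd; do eval "$cmd"; done
}
```

After applying for real, `iptables-save` shows the FORWARD chain in its active sequence, which is the quickest way to confirm the ACCEPT rules really precede drop-and-log-it.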
Old 10-22-2006, 04:46 AM   #3
LQ Newbie
Registered: Oct 2006
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks Peter


centos4, firewall, iptables, masquerading
