LinuxQuestions.org
Old 08-13-2008, 11:23 PM   #1
borborygmis
LQ Newbie
 
Registered: Aug 2008
Posts: 3

Rep: Reputation: 0
iptables masquerade nat portforwarding problem


My setup:

Linux box1:
ppp0
ath0 (AP - wireless)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward


Linux box2:
ath0 (sta to box 1 ath0)
eth1 (dhcp server to switch)
iptables -t nat -A POSTROUTING -o ath0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
webserver listening on port 80



Now this works fine for using the internet (computer gets lease from box2 eth1) but the problem comes in when directing incoming port 80 traffic destined for the ppp0 interface on box1 to the ath0 of box2.

I have tried variations on box1 of the rule:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to <ath0-box2-ip>:80

The webserver does respond on this address from box1 to box2 through telnet but gets a connection refused when going to the ppp0 address from anywhere (port 80).
 
Old 08-13-2008, 11:43 PM   #2
grepmasterd
Member
 
Registered: Aug 2003
Location: Seattle
Distribution: ubuntu, lately
Posts: 182
Blog Entries: 1

Rep: Reputation: 35
tcpdump is your friend.

do you see (using tcpdump) the connection attempt on ppp0? if not, then it's not your setup, it's something upstream. if you do, then try tcpdump on ath0 on box 2.

this will let you narrow down where the session is getting rejected.
 
Old 08-13-2008, 11:58 PM   #3
borborygmis
LQ Newbie
 
Registered: Aug 2008
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by grepmasterd
tcpdump is your friend.

do you see (using tcpdump) the connection attempt on ppp0? if not, then it's not your setup, it's something upstream. if you do, then try tcpdump on ath0 on box 2.

this will let you narrow down where the session is getting rejected.
I can connect to the server in various ways:

1. internet -> ppp0 -> webserver (on box1 - just a temporary server)
2. box1 -> box2 -> webserver (box2)
3. switch computer -> eth1(box2) -> webserver (box2)
4. switch computer -> eth1(box2) -> ath0(box2) -> ath0(box1) -> webserver

Those all work so it seems like the iptables rules need to be adjusted and an upstream issue doesn't exist.
 
Old 08-14-2008, 12:10 AM   #4
grepmasterd
Member
 
Registered: Aug 2003
Location: Seattle
Distribution: ubuntu, lately
Posts: 182
Blog Entries: 1

Rep: Reputation: 35
hm, ok. insert a LOG rule just before the DNAT rule, so that the chain looks like this:

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j LOG
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to <ath0-box2-ip>:80

this should log connection attempts in /var/log/messages or /var/log/syslog. it'll help you see if the rule is getting engaged.

(I don't think you need the :80 at the end of your DNAT rule, but I don't think it hurts either. in any case, simpler is always better)
 
Old 08-14-2008, 12:30 AM   #5
borborygmis
LQ Newbie
 
Registered: Aug 2008
Posts: 3

Original Poster
Rep: Reputation: 0
I did a sniff on ath0 box1 and got this (x's are ppp0 ip):

10.66.66.55:53813 -> x.x.x.x:80
x.x.x.x:80 -> 10.66.66.55:53813


This request was from the switch through box2 to box1 and back to box2 (I think).
switch -> (eth1 -> ath0) -> (ath0 -> ppp0 -> ath0) -> (ath0)

So that is totally wrong...

Also, I just figured out that a request from an external source (internet) works just fine now with the original rules (must have overlooked). So, there's a funky route happening with local requests to the public ip.
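The two points raised in #4 and #5, as an added example that is not code from the thread: box1's nat chain with grepmasterd's LOG rule ahead of the DNAT, plus a hairpin pair for LAN clients that connect to the public address, which is the case the `-i ppp0` rule can never match because those packets do not arrive on ppp0. Interface names, the LAN range 10.66.66.0/24 and the web server address 10.66.66.2 are assumptions standing in for the thread's placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread. Box1's nat rules with a LOG rule ahead
# of the DNAT (grepmasterd's suggestion in #4) plus a hairpin pair for LAN clients
# that use the public address (the "funky route" seen in #5). Interface names,
# the LAN range and the web server address are assumptions, not values from the thread.
WAN_IF="${WAN_IF:-ppp0}"               # box1 uplink
LAN_IF="${LAN_IF:-ath0}"               # box1 AP interface facing box2
LAN_NET="${LAN_NET:-10.66.66.0/24}"    # assumed from the 10.66.66.55 client in #5
WEB_IP="${WEB_IP:-10.66.66.2}"         # placeholder for <ath0-box2-ip>

portforward_rules() {
    # (1) Diagnostic: each new connection matching the forward rule leaves a
    #     "DNAT-80:" line in the kernel log, so you can tell whether the rule
    #     is engaged at all before looking further downstream.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j LOG --log-prefix "DNAT-80: "
    # (2) The forward itself, for connections arriving on the uplink.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_IP"
    # (3) Hairpin: a LAN client aiming at the public address never enters via
    #     ppp0, so rule (2) cannot match it. Match "any address local to box1"
    #     on the LAN side instead (this also catches box1's own LAN address on
    #     port 80; use -d <public-ip> instead of addrtype to avoid that).
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -m addrtype --dst-type LOCAL -j DNAT --to-destination "$WEB_IP"
    # (4) Rewrite the source of the hairpinned flow so the server's replies
    #     come back through box1, where conntrack reverses the DNAT; otherwise
    #     the client receives a reply from an address it never contacted.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$WEB_IP" \
        -p tcp --dport 80 -j MASQUERADE
    # (5) Let the forwarded connection and its replies through the filter table.
    $IPT -A FORWARD -d "$WEB_IP" -p tcp --dport 80 -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# "sh box1-dnat.sh apply" (as root) installs the rules; without the argument the
# iptables commands are only printed, so the file can be reviewed anywhere.
case "${1:-}" in
    apply) IPT=iptables ;;
    *)     IPT="echo iptables" ;;
esac
portforward_rules
```

After applying, `grep DNAT-80 /var/log/syslog` (or /var/log/messages) shows whether external hits reach rule (1), while a LAN client that now gets the box2 server when browsing to the public address confirms the hairpin rules are doing their job.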
 
Old 08-14-2008, 01:51 AM   #6
KinnowGrower
Member
 
Registered: May 2008
Location: Toronto
Distribution: Centos && Debian
Posts: 341

Rep: Reputation: 34
please try this link

http://www.linuxhomenetworking.com/w...s_The_Firewall

may be helpful
 
All times are GMT -5. The time now is 05:55 PM.