LinuxQuestions.org (/questions/)
-   Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Strange problem about iptables DNAT. (https://www.linuxquestions.org/questions/linux-networking-3/strange-problem-about-iptables-dnat-66124/)

zufeng 06-17-2003 08:54 AM

Strange problem about iptables DNAT.
 
Hi,

I have a Linux box with RedHat 9.0 installed; this box is a firewall & proxy. Now I want external users to be able to access my internal web server via the firewall box.

According to RedHat 9.0's manual and posts on the internet, I used the following command.

#iptables -t nat -A PREROUTING -p TCP -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to 192.168.0.5:80

But I can't access the internal web server.

I used tcpdump to get the following packets:

21:57:18.274817 192.168.0.85.1331 > 218.77.120.200.25460: udp 49
21:57:18.450579 218.77.120.200 > 192.168.0.85: icmp: 218.77.120.200 udp port 25460 unreachable [tos 0xc0]
21:57:18.968829 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:18.969963 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50
21:57:19.057680 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1452,nop,nop,sackOK> (DF)
21:57:19.718043 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:19.749255 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50
21:57:20.468067 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:20.528584 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50
21:57:22.020715 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
21:57:23.444576 arp who-has 192.168.0.85 tell 192.168.0.1
21:57:23.444815 arp reply 192.168.0.85 is-at 0:e0:4c:ef:55:f8
21:57:23.533007 218.17.247.6.http > 192.168.0.85.1383: R 562882410:562882410(0) ack 2793007952 win 0
21:57:24.054574 arp who-has 192.168.0.5 tell 192.168.0.1
21:57:24.054674 arp reply 192.168.0.5 is-at 0:30:48:23:4:33
21:57:27.919595 0.00:30:48:23:04:33.4010 > 0.ff:ff:ff:ff:ff:ff.452:ipx-sap-resp[|ipx 64]
21:57:28.024632 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
21:57:29.248044 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:29.248486 192.168.0.100.netbios-dgm > 192.168.0.255.netbios-dgm: NBT UDP PACKET(138)
21:57:33.839985 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:34.581878 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:35.332929 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:40.026871 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
21:57:43.191397 arp who-has 192.168.0.5 tell 192.168.0.4
21:58:18.987637 arp who-has 192.168.0.5 tell 192.168.0.222

As I said, this box is a proxy too, so the above packets may contain messages that are not useful for analysing where the problem is.

Anyway, can anybody help me?

thanks,
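What the capture above actually shows is the SYN from 61.144.148.161 port 50660 to 192.168.0.5 port 80 being repeated four times with the same sequence number and nothing ever coming back from 192.168.0.5, the classic signature of a packet that is rewritten by DNAT but then dropped or not routed. As an added example (not part of the original post), the following shell/awk script scans tcpdump output in this format and reports connections whose SYN was retransmitted without any reply packet from the destination. The sample lines are copied from the capture above; the function names are mine.

```shell
#!/bin/sh
# Added example: find TCP SYNs that are retransmitted with no packet coming back
# from the destination, using the old tcpdump line format shown in the post.
# Fields: $1 time, $2 src, $3 ">", $4 "dst:", $5 TCP flags (S, ., P, R, F) for
# TCP lines; UDP, ICMP, ARP, NBT and IPX lines have something else in $5.

# Reads tcpdump text on stdin; prints "src dst count" for every src->dst pair
# with at least $1 (default 2) plain SYNs and no packet seen in the dst->src
# direction. Output is sorted so results are stable.
unanswered_syns() {
  awk -v min="${1:-2}" '
    $3 == ">" && $5 ~ /^[SRPF.]+$/ {
      dst = $4; sub(/:$/, "", dst)          # strip the trailing colon
      key = $2 " " dst
      seen[key] = 1                         # any TCP packet in this direction
      if ($5 == "S" && $0 !~ / ack /) syn[key]++   # plain SYN, not SYN-ACK
    }
    END {
      for (key in syn) {
        if (syn[key] < min) continue
        split(key, ep, " ")
        if (!((ep[2] " " ep[1]) in seen)) print key, syn[key]
      }
    }' | sort
}

# Sample input: lines taken from the capture in the post above.
sample_capture() {
  cat <<'EOF'
21:57:18.274817 192.168.0.85.1331 > 218.77.120.200.25460: udp 49
21:57:18.450579 218.77.120.200 > 192.168.0.85: icmp: 218.77.120.200 udp port 25460 unreachable [tos 0xc0]
21:57:18.968829 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:19.057680 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1452,nop,nop,sackOK> (DF)
21:57:22.020715 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
21:57:23.444576 arp who-has 192.168.0.85 tell 192.168.0.1
21:57:23.533007 218.17.247.6.http > 192.168.0.85.1383: R 562882410:562882410(0) ack 2793007952 win 0
21:57:28.024632 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
21:57:40.026871 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
EOF
}

# Usage: tcpdump -n ... | unanswered_syns 3   (here run on the sample capture)
sample_capture | unanswered_syns 2
```

On the sample this prints one line, `61.144.148.161.50660 192.168.0.5.http 4`: the only half-open handshake is the one to the DNATed web server. The RST from 218.17.247.6 is ignored because no SYN in the other direction was captured, and the UDP, ICMP, ARP and NetBIOS noise never reaches the flag test.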

dorian33 06-28-2003 11:09 AM

The rule seems to be OK, on condition that earlier rules don't drop the packets.
But you also need rules for forwarding the packets.

For instance:
iptables -A FORWARD -m state --state NEW -i $INT_IF -p tcp --dport 80 -j ACCEPT
for forwarding the packets to the internal box
and
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
for forwarding packets from internal LAN boxes
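Putting the two FORWARD rules from this reply together with the DNAT rule from the question, here is an added example of a complete script (not from the thread). The interface names eth0 and eth1, the placeholder public address 203.0.113.10 and the `run`/`dnat_rules` helpers are my assumptions. It also enables IP forwarding, which the thread does not mention but without which the kernel never routes the rewritten packet towards the LAN, and it ties each FORWARD rule to an input and output interface so that the hole only opens for traffic arriving from outside and going to the web server. The script defaults to printing the commands; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example: publish an internal web server through a Linux firewall with
# DNAT. Interface names and addresses below are placeholders, not from the thread.
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (as root)

# Run a command, or just echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# dnat_rules EXT_IF INT_IF PUBLIC_IP SERVER_IP PORT
dnat_rules() {
  ext_if="$1"   # interface facing the internet (assumed name, e.g. eth0)
  int_if="$2"   # interface facing the LAN (assumed name, e.g. eth1)
  pub_ip="$3"   # public address the firewall answers on (placeholder)
  srv_ip="$4"   # internal web server
  port="$5"

  # 0. Without forwarding the kernel drops the DNATed SYN after PREROUTING;
  #    it is off by default on most distributions.
  run sysctl -w net.ipv4.ip_forward=1

  # 1. Rewrite the destination before the routing decision, only for packets
  #    that arrive on the external interface for the public address.
  run iptables -t nat -A PREROUTING -i "$ext_if" -d "$pub_ip" -p tcp --dport "$port" \
      -j DNAT --to-destination "$srv_ip:$port"

  # 2. DNAT alone is not enough: the rewritten packet still has to pass FORWARD.
  #    -d matches the post-DNAT address, so only the web server is reachable.
  run iptables -A FORWARD -i "$ext_if" -o "$int_if" -p tcp -d "$srv_ip" --dport "$port" \
      -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

  # 3. Let the server's replies go back out; conntrack un-DNATs them itself.
  run iptables -A FORWARD -i "$int_if" -o "$ext_if" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Placeholder values; adjust to the real interfaces and addresses.
dnat_rules eth0 eth1 203.0.113.10 192.168.0.5 80
```

Because the rules are appended with -A, they must come before any catch-all DROP in the FORWARD chain, or use -I to insert them at the top; `iptables -L FORWARD -v -n` shows whether the counters on the new rules actually move while a client retries.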
