Strange problem about iptables DNAT.
Hi,
I have a Linux box with RedHat 9.0 installed, this box is a firewall&proxy. Now I want external user can access my internal web server via the firewall box.
According to RedHat 9.0's manual and the posts in internet, I used the following command.
#iptables -t nat -A PREROUTING -p TCP -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to 192.168.0.5:80
But I can't access the internal web server.
use tcpdump to get the following packets:
21:57:18.274817 192.168.0.85.1331 > 218.77.120.200.25460: udp 49
21:57:18.450579 218.77.120.200 > 192.168.0.85: icmp: 218.77.120.200 udp port 25460 unreachable [tos 0xc0]
21:57:18.968829 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:18.969963 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50
21:57:19.057680 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1452,nop,nop,sackOK> (DF)
21:57:19.718043 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:19.749255 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50
21:57:20.468067 192.168.0.5.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:20.528584 0.00:30:48:23:04:33.455 > 0.ff:ff:ff:ff:ff:ff.455: ipx-netbios 50
21:57:22.020715 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
21:57:23.444576 arp who-has 192.168.0.85 tell 192.168.0.1
21:57:23.444815 arp reply 192.168.0.85 is-at 0:e0:4c:ef:55:f8
21:57:23.533007 218.17.247.6.http > 192.168.0.85.1383: R 562882410:562882410(0) ack 2793007952 win 0
21:57:24.054574 arp who-has 192.168.0.5 tell 192.168.0.1
21:57:24.054674 arp reply 192.168.0.5 is-at 0:30:48:23:4:33
21:57:27.919595 0.00:30:48:23:04:33.4010 > 0.ff:ff:ff:ff:ff:ff.452:ipx-sap-resp[|ipx 64]
21:57:28.024632 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
21:57:29.248044 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:29.248486 192.168.0.100.netbios-dgm > 192.168.0.255.netbios-dgm: NBT UDP PACKET(138)
21:57:33.839985 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:34.581878 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:35.332929 192.168.0.100.netbios-ns > 192.168.0.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
21:57:40.026871 61.144.148.161.50660 > 192.168.0.5.http: S 5685372:5685372(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
21:57:43.191397 arp who-has 192.168.0.5 tell 192.168.0.4
21:58:18.987637 arp who-has 192.168.0.5 tell 192.168.0.222
As I said, this box is a proxy too, so the above packets maybe contain unuseful message to analysis where the problem is.
Anyway, anybody can help me?
thanks,
|