Hello All:
I have some questions about forwarding packets.
I am trying to forward packets to a DMZ at 192.168.3.2.
I can see the packets hit the NAT table through iptables -v and watching the packet count go up, and I can see that the FORWARD chain accepts the packet through the same method.
I am under the impression that FORWARD should place them directly on the line. Is there another step to place them on the line?
The server in the DMZ does not show any incoming packets through iptables -v, nor do the Apache logs show access. Thanks in advance for your help.
I am sending requests through an anon-proxy to make sure packets go out and come back in.
noc:/proc/sys/net/ipv4# iptables --list -v
Chain INPUT (policy DROP 405 packets, 19894 bytes)
pkts bytes target prot opt in out source destination
8902 3101K bad_tcp_packets tcp -- any any anywhere anywhere
199 17840 icmp_packets icmp -- eth0 any anywhere anywhere
1494 600K ACCEPT all -- eth2 any anywhere 192.168.3.1
0 0 ACCEPT all -- eth1 any anywhere 192.168.2.1
3355 983K ACCEPT all -- lo any noc.zionsecure.com anywhere
0 0 ACCEPT all -- lo any 192.168.2.1 anywhere
0 0 ACCEPT all -- lo any adsl-068-209-111-012.sip.mia.bellsouth.net anywhere
0 0 ACCEPT udp -- eth1 any anywhere anywhere udp spt:bootpc dpt:bootps
70 22960 ACCEPT udp -- eth2 any anywhere anywhere udp spt:bootpc dpt:bootps
2202 1375K ACCEPT all -- any any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net state RELATED,ESTABLISHED
202 9886 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT INPUT packet died: '
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
51 3024 bad_tcp_packets tcp -- any any anywhere anywhere
0 0 ACCEPT all -- eth2 eth0 anywhere anywhere
0 0 ACCEPT all -- eth0 eth2 anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth2 anywhere anywhere
0 0 ACCEPT all -- eth2 eth1 anywhere anywhere state RELATED,ESTABLISHED
51 3024 allowed tcp -- eth0 eth2 anywhere 192.168.3.2 tcp dpt:www
0 0 icmp_packets icmp -- eth0 eth2 anywhere 192.168.3.2
0 0 allowed tcp -- eth0 eth2 anywhere 192.168.3.3 tcp dpt:domain
0 0 ACCEPT udp -- eth0 eth2 anywhere 192.168.3.3 udp dpt:domain
0 0 icmp_packets icmp -- eth0 eth2 anywhere 192.168.3.3
0 0 ACCEPT all -- eth1 any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT FORWARD packet died: '
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8523 1928K bad_tcp_packets tcp -- any any anywhere anywhere
3355 983K ACCEPT all -- any any noc.zionsecure.com anywhere
0 0 ACCEPT all -- any any 192.168.2.1 anywhere
4309 913K ACCEPT all -- any any adsl-068-209-111-012.sip.mia.bellsouth.net anywhere
1910 143K ACCEPT tcp -- any eth2 192.168.3.1 192.168.3.2 tcp multiport dports ssh,www
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level debug prefix `IPT OUTPUT packet died: '
Chain allowed (2 references)
pkts bytes target prot opt in out source destination
51 3024 ACCEPT tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN
0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 DROP tcp -- any any anywhere anywhere
Chain bad_tcp_packets (3 references)
pkts bytes target prot opt in out source destination
1769 147K ACCEPT tcp -- eth0 any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net tcp dpt:ssh
0 0 ACCEPT tcp -- eth0 any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net tcp dpt:10000
558 126K ACCEPT tcp -- eth0 any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net tcp dpt:https
0 0 REJECT tcp -- any any anywhere anywhere state NEW tcp flags:SYN,ACK/SYN,ACK reject-with tcp-reset
0 0 LOG tcp -- any any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN LOG level warning prefix `New not syn:'
0 0 DROP tcp -- any any anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
Chain icmp_packets (3 references)
pkts bytes target prot opt in out source destination
186 17112 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
noc:/proc/sys/net/ipv4# iptables --list -t nat -v
Chain PREROUTING (policy ACCEPT 630 packets, 42066 bytes)
pkts bytes target prot opt in out source destination
21 1248 DNAT tcp -- eth0 any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net tcp dpt:www to:192.168.3.2
0 0 DNAT tcp -- eth0 any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net tcp dpt:domain to:192.168.3.3
0 0 DNAT udp -- eth0 any anywhere adsl-068-209-111-012.sip.mia.bellsouth.net udp dpt:domain to:192.168.3.3
Chain POSTROUTING (policy ACCEPT 215 packets, 13400 bytes)
pkts bytes target prot opt in out source destination
123 15226 SNAT all -- any eth0 anywhere anywhere to:68.209.111.12
Chain OUTPUT (policy ACCEPT 329 packets, 28098 bytes)
pkts bytes target prot opt in out source destination
noc:/proc/sys/net/ipv4#
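The counters above show the DNAT rule and the FORWARD rules for 192.168.3.2:80 both matching, so the packets are getting through netfilter; what is left to verify is the egress path from the firewall to the DMZ host. The script below is an added example, not code from the original post: it checks the pieces that sit after the FORWARD chain (IP forwarding enabled, the kernel's route for the DNAT'd address pointing at the DMZ interface) and extracts every rule with a non-zero packet counter from an iptables -L -v listing so the path a packet took can be read off in one place. It assumes, as in the listing, that the DMZ hangs off eth2 and that the firewall's address there is 192.168.3.1. Each function takes its input as a file or string so the checks run against captured output as well as live; the embedded listing is a constructed, abbreviated copy of the FORWARD and allowed chains above.

```shell
#!/bin/sh
# Added diagnostic for a DNAT'd DMZ host (example code, not from the post).
# Assumed topology: DMZ on eth2, firewall-side address 192.168.3.1.

# 1. Forwarding must be enabled, or nothing leaves the box no matter what
#    FORWARD accepts. Live use: check_ip_forward /proc/sys/net/ipv4/ip_forward
check_ip_forward() {
    [ "$(cat "$1" 2>/dev/null | tr -d '[:space:]')" = "1" ]
}

# 2. The kernel must route the DNAT'd destination out the DMZ interface.
#    Live use: route_dev "$(ip route get 192.168.3.2)"   -> expect "eth2"
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# 3. From an `iptables -L -v` listing, print "CHAIN<TAB>rule" for every rule
#    whose packet counter is non-zero. Header lines and zero-count rules are
#    skipped; counters like 3101K are treated as non-zero.
rules_with_hits() {
    awk '
        /^Chain /                                  { chain = $2; next }
        NF && $1 ~ /^[0-9]+[KMG]?$/ && $1 != "0"   { printf "%s\t%s\n", chain, $0 }
    ' "$1"
}

# Number of rules that saw traffic, handy as a one-line summary.
count_hits() {
    rules_with_hits "$1" | wc -l | tr -d ' '
}

# 4. Final confirmation happens on the wire, not in netfilter. Not run here:
#    tcpdump -ni eth2 host 192.168.3.2 and tcp port 80
#    If SYNs show up there and the DMZ host still logs nothing, look at the
#    host's own firewall and at its default route (replies must return via
#    192.168.3.1, since POSTROUTING only SNATs traffic leaving on eth0).

# Constructed sample: abbreviated FORWARD and allowed chains from the listing.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
   51  3024 bad_tcp_packets tcp -- any any anywhere anywhere
    0     0 ACCEPT all -- eth2 eth0 anywhere anywhere
   51  3024 allowed tcp -- eth0 eth2 anywhere 192.168.3.2 tcp dpt:www
Chain allowed (2 references)
 pkts bytes target prot opt in out source destination
   51  3024 ACCEPT tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN
    0     0 DROP tcp -- any any anywhere anywhere
EOF

rules_with_hits "$SAMPLE"
```

Run against the live box, the three checks are `check_ip_forward /proc/sys/net/ipv4/ip_forward`, `route_dev "$(ip route get 192.168.3.2)"` and `rules_with_hits <(iptables -L -v -n)`; a forwarding flag of 0 or a route that does not say eth2 explains the silence on the DMZ host without any further rule changes.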