Nat-ing, Routing trouble
First of all I want to say hello; I have been reading the forums for a long time and they have helped me a lot.
Now with the trouble.
I have the following setup:
bridge0 with slaves eth0 and eth1 (traffic passes through the bridge basically unfiltered, and it does cross, as xx.xx.xx.1 can see the other machines)
ip_forward and bridge-nf-call-iptables are both activated (1)
On eth0 there is a single IP, which is the gateway (xx.xx.xx.1)
On eth1 is the rest of the network, xx.xx.xx.x/23
The current server sits between the gateway and the rest of the network to perform traffic shaping (and various other stuff)
The current server is NOT the gateway (it actually ends in .252 and is set on br0)
iptables:
FORWARD: policy ACCEPT
INPUT: policy DROP, and state RELATED,ESTABLISHED accepted.
input -p tcp/udp --dport 30000 -j ACCEPT
nat table
POSTROUTING:
-s xx.xx.xx.8/32 -d xx.xx.xx.177/32 -j SNAT --to xx.xx.xx.252 (current server)
PREROUTING:
-p tcp -s xx.xx.xx.8/32 -d xx.xx.xx.252/32 --dport 30000 -j DNAT --to xx.xx.xx.177:80
The trouble!
All I want is for the above rule to have an effect.
As the gateway (xx.xx.xx.1) is out of my control, I must do NAT on the current machine.
Now the packets enter the PREROUTING table; the destination probably gets changed (unknown).
The packets match the rule (I see a count for them) but they never leave the machine.
The POSTROUTING rule never activates, and according to tcpdump the packets never get forwarded to the .177 host.
Any ideas?
I have used tcpdump to watch whether the packets leave ANY interface (actually I watched them all) and they do not leave towards the .177 host.
The .177 host is alive and well, as I am able to access it manually.
I am using Slackware 13.1 with the kernel updated to 2.6.37.4 (the original kernel was 2.6.33.4).
Can it be because of the kernel update?
I must add that the same rules have worked on a Slackware 12.1 with the distro's kernel.
Can it be that I have to add additional rules to the bridging interface (ebtables)? (They're all default.)
PS: while I can simply copy/paste firewall code, I prefer pseudo-code.
PS2: my English sucks, so please don't flame me about it.
PS3: while I have updated the kernel/modules, nothing else got updated; that includes iptables.
Last edited by naghi32; 03-21-2011 at 08:32 AM.
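The counter check the post relies on (DNAT rule in PREROUTING counting hits, SNAT rule in POSTROUTING staying at zero) as a small script that parses `iptables -t nat -L -v -n -x` output and reports it; this is an added example, not code from the post, and the sample output is constructed with 10.0.0.x placeholders in place of the xx.xx.xx.x addresses.

```python
"""Read nat-table counters the way the post does (`iptables -t nat -L -v -n -x`):
did the PREROUTING DNAT rule match, and did the rewritten packets ever reach the
POSTROUTING SNAT rule? SAMPLE_NAT is constructed to mirror the post's rule set;
the xx.xx.xx.* addresses are replaced by 10.0.0.* placeholders."""
import re
from typing import Dict, List

SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 1203 packets, 98231 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      17     1020 DNAT       tcp  --  *      *       10.0.0.8             10.0.0.252           tcp dpt:30000 to:10.0.0.177:80

Chain POSTROUTING (policy ACCEPT 431 packets, 31200 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 SNAT       all  --  *      *       10.0.0.8             10.0.0.177           to:10.0.0.252
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
# columns: pkts bytes target prot opt in out source destination [match/target options]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nat_table(text: str) -> Dict[str, List[dict]]:
    """Return {chain: [rule, ...]} with per-rule packet/byte counters."""
    chains: Dict[str, List[dict]] = {}
    chain = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            chains[chain] = []
            continue
        r = RULE_RE.match(line)
        if chain and r:  # header and blank lines never match the rule pattern
            chains[chain].append({"pkts": int(r[1]), "bytes": int(r[2]), "target": r[3],
                                  "prot": r[4], "src": r[7], "dst": r[8], "opts": r[9]})
    return chains


def translation_status(text: str) -> dict:
    """Summarise whether the DNAT rule fired and whether its packets reached SNAT."""
    chains = parse_nat_table(text)
    dnat_pkts = sum(r["pkts"] for r in chains.get("PREROUTING", []) if r["target"] == "DNAT")
    snat_pkts = sum(r["pkts"] for r in chains.get("POSTROUTING", []) if r["target"] == "SNAT")
    # DNAT counted but SNAT untouched: the rewritten packets never made it to
    # POSTROUTING, which is the symptom the post describes
    return {"dnat_pkts": dnat_pkts, "snat_pkts": snat_pkts,
            "stuck_after_dnat": dnat_pkts > 0 and snat_pkts == 0}


if __name__ == "__main__":
    print(translation_status(SAMPLE_NAT))
```

On the real box, feed it `subprocess.check_output(["iptables", "-t", "nat", "-L", "-v", "-n", "-x"], text=True)` instead of SAMPLE_NAT.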