<li><em>date</em>: Thu Aug 5 22:29:22 2004</li>
<li><em>from</em>: rekoil at semihuman.com (Chris Woodfield)</li>
<li><em>in-reply-to</em>: <<a href="msg00176.html">[email protected]</a>></li>
<li><em>references</em>: <<a href="msg00152.html">[email protected]</a>> <<a href="msg00176.html">[email protected]</a>></li>
<li><em>subject</em>: [ale] iptables problems...static NAT and filtering rules...</li>
The problem was that my DSL router did not refresh its ARP cache when I
moved the machines behind the firewall. I cleared its cache and now all
is well.
-C
On Aug 5, 2004, at 8:51 PM, Chris Woodfield wrote:
> Ok, I've poked at this some more, and I came upon a rather obvious
> solution...I needed to define each public IP as an alias to the
> firewall's outside interface. If only things were that simple... :(
>
> Now what I'm noticing is this: I currently have one of my hosts behind
> the firewall via static NAT (192.168.0.43 private IP, 216.27.162.43
> public), and a host outside the firewall (216.27.162.41).
>
> The *really* odd part is that I can successfully traverse the firewall
> and access my outside host for all protocols except ICMP. What's
> stranger is that I can't get anywhere else other than a host outside
> the firewall. But if I fall back to a MASQUERADE rule, everything works
> properly.
>
> Here's what I see in the /proc/net/ip_conntrack when I try to access a
> host outside my local network:
>
> tcp 6 45 SYN_SENT src=192.168.0.43 dst=17.250.248.77 sport=63520
> dport=80 [UNREPLIED] src=17.250.248.77 dst=216.27.162.43 sport=80
> dport=63520 use=1
>
> Next, I ran tcpdump while trying to access a local and a remote host.
> Here's what I found:
>
> Accessing local host via ssh:
>
> 20:45:34.104717 216.27.162.41.22 > 216.27.162.43.63908: . ack 879 win
> 7616 <nop,nop,timestamp 266366176 3352729108> (DF)
> 20:45:34.164818 216.27.162.41.22 > 216.27.162.43.63908: P
> 932:1524(592) ack 879 win 7616 <nop,nop,timestamp 266366236
> 3352729108> (DF)
>
> ssh is successful, tcpdump sees packets in both directions.
>
> Accessing local host via ssh:
>
> 20:46:57.413268 216.27.162.43.63911 > 64.94.1.34.22: S
> 2611093937:2611093937(0) win 32768 <mss 1460,nop,wscale
> 0,nop,nop,timestamp 3352729274 0> (DF) [tos 0x10]
> 20:46:59.968362 216.27.162.43.63911 > 64.94.1.34.22: S
> 2611093937:2611093937(0) win 32768 <mss 1460,nop,wscale
> 0,nop,nop,timestamp 3352729279 0> (DF) [tos 0x10]
>
> tcpdump only sees packets going out, none coming back.
>
> Is there anything else I'm missing here? This is starting to look more
> like a kernel bug than anything...I'm running 2.4.25.
>
> Thanks,
>
> -C
>
> On Aug 5, 2004, at 2:47 PM, Christopher Woodfield wrote:
>
>> Hello,
>>
>> I tried to set up static NAT rules on my iptables firewall, and was
>> not able to get it to work. A possible cause of the problem (which I
>> haven't been able to test yet) is that I have a series of
>> port-specific rules for each host in addition to the SNAT and DNAT
>> rules.
>>
>> Here are my SNAT/DNAT rules. $HOSTNAME variables are public IPs and
>> $HOSTNAME_NAT are private IPs; $INETIF is the outside interface and
>> $LANIF is the inside:
>>
>> # Set up Static SNAT entries (private to public)
>> $IPTABLES -t nat -A POSTROUTING -o $INETIF -s $TINO_NAT -j SNAT --to-source $TINO
>> $IPTABLES -t nat -A POSTROUTING -o $INETIF -s $ELECTRO_NAT -j SNAT --to-source $ELECTRO
>> $IPTABLES -t nat -A POSTROUTING -o $INETIF -s $TWEEK_NAT -j SNAT --to-source $TWEEK
>>
>> # Set up Static DNAT entries (public to private)
>> $IPTABLES -t nat -A PREROUTING -i $INETIF -d $TINO -j DNAT --to-destination $TINO_NAT
>> $IPTABLES -t nat -A PREROUTING -i $INETIF -d $ELECTRO -j DNAT --to-destination $ELECTRO_NAT
>> $IPTABLES -t nat -A PREROUTING -i $INETIF -d $TWEEK -j DNAT --to-destination $TWEEK_NAT
>> #
>>
>> Then I have a series of port rules, an example is below:
>>
>> # ssh
>> $IPTABLES -A FORWARD -p tcp -i $INETIF -o $LANIF -d $TINO_NAT --dport 22 -j ACCEPT
>>
>> Are rules like these evaluated before or after the DNAT
>> transformation is done? That is, should the -d on these rules be
>> $TINO_NAT or $TINO?
>>
>> Thanks,
>>
>> -C
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale">http://www.ale.org/mailman/listinfo/ale</a>
</pre>
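Added here as a worked example; it is not part of the ale thread or the poster's own ruleset. The script answers the question raised in the first message (nat PREROUTING runs before the routing decision and before filter FORWARD, so the FORWARD rule must match the post-DNAT private address, i.e. $TINO_NAT) by emitting the static-NAT rules in hook order, and it includes a small awk parser for a /proc/net/ip_conntrack line of the kind quoted above that reports whether SNAT took effect and whether the flow is [UNREPLIED]. The interface names eth0/eth1, the dry-run default for IPTABLES, and the function names are assumptions; the addresses in the demo are the thread's own 192.168.0.43 / 216.27.162.43 pair.

```shell
#!/bin/sh
# Added example, not from the ale thread. Dry-run by default: IPTABLES is
# "echo iptables", so rules are printed rather than loaded. Set
# IPTABLES=iptables (as root) to apply them for real.
IPTABLES=${IPTABLES:-"echo iptables"}
INETIF=${INETIF:-eth0}   # outside interface; eth0 is an assumed name
LANIF=${LANIF:-eth1}     # inside interface; eth1 is an assumed name

# static_nat PUBLIC PRIVATE [TCP_PORT...]
# Netfilter hook order for a packet arriving on INETIF:
#   nat PREROUTING (DNAT) -> routing decision -> filter FORWARD
#   -> nat POSTROUTING (SNAT) -> out on LANIF
# DNAT has already rewritten the destination by the time FORWARD runs,
# so the filter rule must match the private (*_NAT) address, not the public one.
static_nat() {
    pub=$1
    priv=$2
    shift 2
    # public -> private, before routing
    $IPTABLES -t nat -A PREROUTING -i "$INETIF" -d "$pub" -j DNAT --to-destination "$priv"
    # private -> public, after routing, for the inside host's own outbound traffic
    $IPTABLES -t nat -A POSTROUTING -o "$INETIF" -s "$priv" -j SNAT --to-source "$pub"
    # per-port accepts: FORWARD sees the post-DNAT destination
    for port in "$@"; do
        $IPTABLES -A FORWARD -p tcp -i "$INETIF" -o "$LANIF" -d "$priv" --dport "$port" -j ACCEPT
    done
    # replies to connections the inside host opened itself; everything else stays blocked
    $IPTABLES -A FORWARD -i "$INETIF" -o "$LANIF" -d "$priv" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# conntrack_summary "<one /proc/net/ip_conntrack line>"
# Prints: STATE orig=SRC->DST reply=SRC->DST snat=yes|no unreplied=yes|no
# The first src/dst pair is the original direction, the second the expected
# reply. SNAT is in effect when the reply is addressed to something other
# than the original source (here the public address). [UNREPLIED] means no
# reply was ever seen, which points at the return path, not the translation.
conntrack_summary() {
    printf '%s\n' "$1" | awk '
    {
        state = ($4 ~ /^src=/) ? "-" : $4   # udp entries carry no state field
        n = 0; unreplied = "no"
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^src=/)      { n++; src[n] = substr($i, 5) }
            else if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
            else if ($i == "[UNREPLIED]") unreplied = "yes"
        }
        snat = (dst[2] != src[1]) ? "yes" : "no"
        printf "%s orig=%s->%s reply=%s->%s snat=%s unreplied=%s\n",
               state, src[1], dst[1], src[2], dst[2], snat, unreplied
    }'
}

# Demo with the addresses from the thread; rules are only printed.
static_nat 216.27.162.43 192.168.0.43 22 80
conntrack_summary 'tcp      6 45 SYN_SENT src=192.168.0.43 dst=17.250.248.77 sport=63520 dport=80 [UNREPLIED] src=17.250.248.77 dst=216.27.162.43 sport=80 dport=63520 use=1'
```

Run against the conntrack entry quoted in the thread, the parser reports snat=yes and unreplied=yes: the reply tuple already carries the public address 216.27.162.43, so the translation was correct and the SYN simply never got a reply back to the firewall. That is consistent with the poster's eventual finding that the DSL router's stale ARP cache, not the iptables rules, was dropping the return path.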
</body>
</html>