-----Original Message-----
From: Michael Petch [mailto:[EMAIL PROTECTED]
Sent: Saturday, September 06, 2003 11:03 PM
To: [EMAIL PROTECTED]
Subject: RE: (clug-talk) IPTABLES - packet routing is not working
> Can you humour me, and provide the output of the following commands on all 3 of
> your machines (firewall machine, external test machine, internal test machine):
> ifconfig
> route -n
> iptables --list -t nat
> iptables --list
========= Linux Red Hat 9 (firewall) machine
********************************************************
[EMAIL PROTECTED] root]# ifconfig
********************************************************
eth0 Link encap:Ethernet HWaddr 00:B0:D0:D1:73:33
inet addr:192.168.1.23 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4257 errors:0 dropped:0 overruns:0 frame:0
TX packets:637 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:471977 (460.9 Kb) TX bytes:98144 (95.8 Kb)
Interrupt:11 Base address:0xecc0 Memory:fe102000-fe102038
eth1 Link encap:Ethernet HWaddr 00:60:67:65:ED:CE
inet addr:10.0.0.1 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3959 errors:0 dropped:0 overruns:0 frame:0
TX packets:239 errors:0 dropped:0 overruns:0 carrier:0
collisions:92 txqueuelen:100
RX bytes:484724 (473.3 Kb) TX bytes:49711 (48.5 Kb)
Interrupt:10 Base address:0xeca0
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:446169 errors:0 dropped:0 overruns:0 frame:0
TX packets:446169 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:30462866 (29.0 Mb) TX bytes:30462866 (29.0 Mb)
********************************************************
[EMAIL PROTECTED] root]# route -n
********************************************************
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
********************************************************
[EMAIL PROTECTED] root]# iptables --list -t nat
********************************************************
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
LOG        tcp  --  anywhere             10.0.0.1             tcp dpt:http LOG level warning prefix `#WALL:accept(route 80)#'
DNAT       tcp  --  anywhere             10.0.0.1             tcp dpt:http to:192.168.1.250:80
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere             to:10.0.0.1
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
********************************************************
[EMAIL PROTECTED] root]# iptables --list
********************************************************
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
LOG        tcp  --  anywhere             anywhere             state ESTABLISHED LOG level warning prefix `#WALL:accept(EST)#'
ACCEPT     tcp  --  anywhere             anywhere             state ESTABLISHED
LOG        icmp --  anywhere             anywhere             state RELATED,ESTABLISHED LOG level warning prefix `#WALL:accept(icmp 2)#'
ACCEPT     icmp --  anywhere             anywhere             state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
LOG        tcp  --  anywhere             anywhere             state NEW,ESTABLISHED LOG level warning prefix `#WALL:accept(EST,NEW)#'
ACCEPT     tcp  --  anywhere             anywhere             state NEW,ESTABLISHED
LOG        udp  --  anywhere             anywhere             udp spts:32769:65535 dpts:traceroute:33523 state NEW LOG level warning prefix `#WALL:accept(udp)#'
ACCEPT     udp  --  anywhere             anywhere             udp spts:32769:65535 dpts:traceroute:33523 state NEW
LOG        icmp --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED LOG level warning prefix `#WALL:accept(icmp 1)#'
ACCEPT     icmp --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED
========= Windows NT (client) machine
********************************************************
step3 - C:/ > ipconfig /All
********************************************************
Windows NT IP Configuration
Host Name . . . . . . . . . : step3
DNS Servers . . . . . . . . : 199.185.220.36
199.185.220.52
Node Type . . . . . . . . . : Broadcast
NetBIOS Scope ID. . . . . . :
IP Routing Enabled. . . . . : No
WINS Proxy Enabled. . . . . : No
NetBIOS Resolution Uses DNS : No
Ethernet adapter El90xnd1:
Description . . . . . . . . : 3Com 3C90x Ethernet Adapter
Physical Address. . . . . . : 00-10-4B-72-B9-4B
DHCP Enabled. . . . . . . . : No
IP Address. . . . . . . . . : 10.0.0.2
Subnet Mask . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . : 10.0.0.1
********************************************************
step3 - C:/ > route PRINT
********************************************************
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 10 4b 72 b9 4b ...... 3Com 3C90x Ethernet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.2       1
         10.0.0.0    255.255.255.0         10.0.0.2        10.0.0.2       1
         10.0.0.2  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255         10.0.0.2        10.0.0.2       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0         10.0.0.2        10.0.0.2       1
  255.255.255.255  255.255.255.255         10.0.0.2        10.0.0.2       1
===========================================================================
========= Windows 2000 (server) machine
********************************************************
exchange - C:/ > ipconfig /All
********************************************************
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : exchange
Primary DNS Suffix . . . . . . . : gestalt.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gestalt.com
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VIA Rhine II Fast Ethernet Adapter
Physical Address. . . . . . . . . : 00-0A-E6-1A-28-EB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.250
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.250
********************************************************
exchange - C:/ > route PRINT
********************************************************
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 0a e6 1a 28 eb ...... VIA Rhine II Fast Ethernet Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.250       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.250   192.168.1.250       1
    192.168.1.250  255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.1.255  255.255.255.255    192.168.1.250   192.168.1.250       1
        224.0.0.0        224.0.0.0    192.168.1.250   192.168.1.250       1
  255.255.255.255  255.255.255.255    192.168.1.250   192.168.1.250       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
None
For obvious reasons, I cannot provide you with output from IPTABLES on
Windows-based machines.
Also, I had to run ipconfig on Windoze rather than ifconfig.
> You by chance aren't running a firewall on your test webserver system?
> (The above commands would reveal that). The info above may be overkill
> but it would help me out.
The only machine running firewall is the Linux host.
> To be honest this should be working for you, and your rules seem fine.
This is what baffles me. I am a novice in Linux, so I tend to follow
directions precisely ("familiarity breeds contempt" applies to me like
to everyone else, but Linux is exactly the case where familiarity is not
there yet). So, I bought myself the "Red Hat Linux Firewalls" book by Bill
McCarty, and tried to do everything by this book - but something,
somewhere is obviously screwed up. If I only knew where... :-(
Thank you for your help.
Regards,
Alex.
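As an added example (not part of this thread, and not taken from the book mentioned above), the following Python script parses the firewall's `iptables --list -t nat` listing quoted earlier into structured rules and checks one property every DNAT port-forward relies on: the address that the POSTROUTING SNAT writes into the forwarded packets must sit on the same directly connected subnet as the DNAT target, because the target host routes its replies by that source address, and an address from another subnet sends the replies to the host's own default gateway instead of back through the firewall. The interface table and NAT listing are constructed from the values posted above (with the wrapped continuation lines rejoined); NAT_LISTING_FIXED is a hypothetical variant with the SNAT address changed to the firewall's eth0 address; and the names parse_nat_listing, connected_iface and check_port_forward are mine. Note that `--list` without `-v` prints no in/out interface columns, so any `-o` restriction on the SNAT rule is invisible to this check.

```python
import ipaddress

# Constructed sample input, copied from the firewall's `ifconfig` and
# `iptables --list -t nat` output quoted in the thread. The wrapped
# continuation lines ("LOG level warning ...", "to:...") are rejoined.
FIREWALL_INTERFACES = {
    "eth0": ipaddress.ip_interface("192.168.1.23/24"),
    "eth1": ipaddress.ip_interface("10.0.0.1/24"),
}

NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
LOG tcp -- anywhere 10.0.0.1 tcp dpt:http LOG level warning prefix `#WALL:accept(route 80)#'
DNAT tcp -- anywhere 10.0.0.1 tcp dpt:http to:192.168.1.250:80
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:10.0.0.1
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
"""

# Hypothetical corrected listing: same rules, but the SNAT address is the
# firewall's own address on the subnet that the DNAT target lives on.
NAT_LISTING_FIXED = NAT_LISTING.replace("to:10.0.0.1", "to:192.168.1.23")


def parse_nat_listing(text):
    """Turn `iptables --list -t nat` output into {chain_name: [rule, ...]}.

    Each rule keeps the fixed columns plus the `to:` argument of a
    DNAT/SNAT target when present. `--list` without `-v` shows no in/out
    interface columns, so interface restrictions are not visible here.
    """
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        if not line.strip() or line.startswith("target "):
            continue  # blank line or the column header
        parts = line.split()
        to = next((p[3:] for p in parts[5:] if p.startswith("to:")), None)
        chains[current].append({
            "target": parts[0], "prot": parts[1],
            "source": parts[3], "destination": parts[4], "to": to,
        })
    return chains


def connected_iface(addr, interfaces):
    """Name of the directly connected interface whose subnet holds addr, else None."""
    ip = ipaddress.ip_address(addr)
    for name, iface in interfaces.items():
        if ip in iface.network:
            return name
    return None


def check_port_forward(chains, interfaces):
    """Return findings for each PREROUTING DNAT paired with a POSTROUTING SNAT.

    The DNAT target routes its replies by the (post-SNAT) source address.
    If that address is not on the subnet it shares with the firewall, the
    replies go to the target's default gateway and only reach the firewall
    if that gateway routes the address back.
    """
    findings = []
    dnats = [r for r in chains.get("PREROUTING", []) if r["target"] == "DNAT"]
    snats = [r for r in chains.get("POSTROUTING", []) if r["target"] == "SNAT"]
    for d in dnats:
        target_ip = d["to"].split(":")[0]
        out_if = connected_iface(target_ip, interfaces)
        if out_if is None:
            findings.append(f"DNAT target {target_ip} is not on a directly "
                            f"connected subnet of this firewall")
            continue
        for s in snats:
            # A destination of "anywhere" means the SNAT also rewrites the
            # forwarded flow; a specific destination must match the target.
            if s["destination"] not in ("anywhere", target_ip):
                continue
            snat_ip = s["to"].split(":")[0]
            if connected_iface(snat_ip, interfaces) != out_if:
                findings.append(
                    f"SNAT rewrites the source to {snat_ip}, which is not on "
                    f"{out_if}'s subnet; {target_ip} will send replies to its "
                    f"default gateway rather than back through this firewall")
    return findings


if __name__ == "__main__":
    for label, listing in (("as posted", NAT_LISTING), ("fixed", NAT_LISTING_FIXED)):
        result = check_port_forward(parse_nat_listing(listing), FIREWALL_INTERFACES)
        print(f"{label}: {result or 'no findings'}")
```

Run it as-is to see the two listings compared; to apply it to another firewall, paste that machine's `ifconfig` addresses into FIREWALL_INTERFACES and its NAT listing into NAT_LISTING. The check is deliberately narrow: it says nothing about whether IP forwarding is enabled or what the FORWARD chain does, which are separate things to verify with `sysctl net.ipv4.ip_forward` and `iptables --list -v`.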