On September 8, 2003 03:07 pm, Alexandr Molochnikov wrote:

> Further to my report on progress (or lack thereof): I inspected the
> access.log file maintained by the Apache web server running on that machine.
> To refresh, here is the current setup on our network:
>
> Client machine IP = 10.0.0.2
> Linux dual-homed machine: IP1 = 10.0.0.1, IP2 = 192.168.1.23
> Web server machine IP = 192.168.1.250
>
> The Linux machine is supposed to do NAT and map all packets destined for
> 10.0.0.1:80 to 192.168.1.250:80.
>
> When the Linux machine is powered off, the client (10.0.0.2) cannot ping
> the server (192.168.1.250), and cannot connect to the web server either.
> No surprise so far.
>
> When the Linux machine is on, the client can ping the server, and the
> client's attempt to contact the web server is logged in the access.log file
> on the server machine (IP 10.0.0.2 is shown in the HTTP request log
> record). The point of the matter is that IPTABLES was not running on the
> router at that time! And when IPTABLES was running, the web server STILL
> recorded the HTTP request coming from 10.0.0.2. In both cases, the
> response from the web server was never received, and the client's
> browser just timed out.
>
> I thought that the packets cannot get from one NIC to another without
> NAT provided by IPTABLES. Could there be something that short-circuits
> IPTABLES when it runs, and thus effectively disables packet forwarding?
>
Well, not exactly. Iptables gives you packet filtering, not routing; the kernel can route by itself without iptables (if enabled with /proc/sys/net/ipv4/ip_forward, I believe). Your Linux box has 2 NICs in it, one on the 10.0.0.0 network and one on the 192.168.0.0 network, so it already knows that it is able to forward packets from one network to the other.

I originally assumed you were using iptables because eventually your web server will be accessible from the internet and you want the server protected by a firewall, correct? In that case you do need iptables to NAT to your public IP address because your web server will have a private, unroutable IP.

It sounds like the server is receiving the requests fine but for some reason the client isn't getting any replies. To me it seems either the web server is not sending the replies to the right place or the Linux box is not returning them (but it should, since it got the packets to the web server in the first place). You might want to try running a packet analyzer like ethereal (http://www.ethereal.com/) on your machines to find out what's really going on.

> Can anyone shed some light on this mystery?
>
> Thanks,
>
> Alex.

Regards,
~Scott
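As an added example (not from either poster), here is the forwarding check Scott refers to, plus the DNAT/FORWARD/SNAT rule set for the setup in Alex's message; the interface names (eth0 on 10.0.0.0/24, eth1 on 192.168.1.0/24) are assumptions. The script only prints the iptables commands so they can be reviewed before being piped into a root shell.

```shell
#!/bin/sh
# Example only: not the thread's own commands. Addresses come from the
# thread; eth0/eth1 are assumed interface names.
CLIENT_NET="10.0.0.0/24"
GW_IN_IP="10.0.0.1"        # router address the client talks to
GW_OUT_IP="192.168.1.23"   # router address on the server side
SERVER="192.168.1.250"
IN_IF="eth0"
OUT_IF="eth1"

# Returns 0 when IPv4 forwarding is on. The kernel forwards between the two
# NICs whenever this is 1, whether or not iptables is running. The path is a
# parameter so the check can be pointed at a constructed file in tests.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the rule set (dry run). Apply with:  nat_rules | sh   (as root)
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Rewrite client requests for 10.0.0.1:80 to the real web server.
iptables -t nat -A PREROUTING -i $IN_IF -s $CLIENT_NET -d $GW_IN_IP -p tcp --dport 80 -j DNAT --to-destination $SERVER:80
# Routed packets are filtered in FORWARD, not INPUT. Default policy is
# ACCEPT, which is why the request got through with no iptables at all.
iptables -A FORWARD -i $IN_IF -o $OUT_IF -d $SERVER -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $OUT_IF -o $IN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
# Only needed if the server's default gateway is not $GW_OUT_IP: the reply
# then returns through this box. Trade-off: access.log will show $GW_OUT_IP
# instead of the client address 10.0.0.2.
iptables -t nat -A POSTROUTING -o $OUT_IF -d $SERVER -p tcp --dport 80 -j SNAT --to-source $GW_OUT_IP
EOF
}
```

If access.log shows the client's address but the browser times out, the server's reply is leaving by a different route than the request; a capture on both NICs of the Linux box, as Scott suggests, shows which direction is missing.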
