Ray Olszewski wrote:
At 09:36 AM 9/16/2003 -0700, Matt Schalit wrote:

I had to subscribe to leaf-user for this one,


A fate worse than death? Surely not. Welcome back, Matt.


More like scary.  Every day I know less.  Darn that fight against
ignorance.  You guys win ;-)


As to your problem (described below) ... remember that in iptables (unlike the older ipchains), prerouting happens first, so the forward rule you describe rewrites packets with (for example) DEST 63.194.213.179:6881 to DEST 10.2.3.4:6881. This happens *before* the packet hits the more general iptables rulesets (including the one that triggers the DENY, or maybe REJECT, that gets logged). This answers your #1 and #4 below; Tom's separate answer has addressed your #2 and #3 better than I ever can.

The question you should focus on now is why Shorewall is blocking traffic to 10.2.3.4, if that is a legit address on your LAN. It suggests to me a misconfiguration of Shorewall. Figuring that part out requires knowing the details of your LAN setup, but perhaps with the help of Tom's comments on Shorewall details, you'll be able to work that detail out. If not, tell us more ... you know the routine.


Okay thanks for the bump about prerouting.  I noted in my reply to
Tom that I successfully use BitTorrent, and gigabytes of SYN connections
pass through my ruleset as requested in /etc/shorewall/rules:

# BitTorrent to Xena
DNAT            net     loc:10.2.3.4    tcp     6881:6999

That's not a typo, that's the real port list.
Beyond that, there's nothing special going on, just Bering configured
to run my NAT'd LAN as 10.2.3.0/24 rather than 192.168.1.0/24.

Meager I know, but it works flawlessly if not for the occasional
"bizarre" log entry.  So I'm being lazy.  But if Tom needs more
info, I'll do the whole diagram and make things clear in a fresh
post.

Take care (and long live http://www.sharingthegroove.org/ )
Matt





which maybe I don't
understand because shorewall doesn't log every piece of information?
I don't know, but here's the log entry and the details:

Sep 16 09:12:31 hub kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1
SRC=82.82.76.144 DST=10.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=29083
DF PROTO=TCP SPT=4535 DPT=6885 WINDOW=30370 RES=0x00 SYN URGP=0


Details:
==========

* I'm running BitTorrent, a p2p downloading application

  * ports 6881-6889 are opened to new inbound connections
    and forwarded to 10.2.3.4.

* My ip is 63.194.213.179

  * Proper BT traffic would be DST=63.194.213.179 6881:6889 SYN
    and of course responses to that from me.
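The prerouting point Ray makes above is easiest to see in the log fields themselves. What follows is an added Python example, not code from this thread, from LEAF/Bering or from Shorewall: it parses a Shorewall-prefixed kernel log line of the kind Matt quoted and the DNAT line from his /etc/shorewall/rules (both embedded below as constructed samples copied from the thread), and reports whether a logged private DST is explained by the DNAT rule (the filter chain saw the destination after PREROUTING had already rewritten it) or is a private destination that no rule accounts for. The function names and the three classification labels are my own, and the parser only reads the chain name from the log prefix; it makes no claim about what Shorewall's rfc1918 chain checks.

```python
import ipaddress
import re

# Constructed samples, copied from the thread: the kernel log line Matt quoted and his
# DNAT line from /etc/shorewall/rules.
SAMPLE_LOG = (
    "Sep 16 09:12:31 hub kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 "
    "SRC=82.82.76.144 DST=10.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=29083 "
    "DF PROTO=TCP SPT=4535 DPT=6885 WINDOW=30370 RES=0x00 SYN URGP=0"
)
SAMPLE_RULE = "DNAT            net     loc:10.2.3.4    tcp     6881:6999"

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_shorewall_log(line):
    """Split a Shorewall-prefixed kernel log line into chain, target and KEY=VALUE fields.

    Bare tokens without '=' (DF, SYN, ACK, ...) are collected into fields['flags'].
    """
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<target>[^:]+):(?P<rest>.*)$", line)
    if m is None:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields = {"chain": m.group("chain"), "target": m.group("target"), "flags": set()}
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        else:
            fields["flags"].add(token)
    return fields


def parse_dnat_rule(line):
    """Parse a Shorewall 'DNAT source dest proto port[:port]' rule line (hypothetical helper)."""
    action, _source, dest, proto, ports = line.split()[:5]
    if action != "DNAT":
        raise ValueError("not a DNAT rule: %r" % line)
    zone, _, ip = dest.partition(":")        # "loc:10.2.3.4" -> zone "loc", ip "10.2.3.4"
    lo, _, hi = ports.partition(":")         # "6881:6999" -> range; a single port has no hi
    return {"zone": zone, "ip": ip, "proto": proto.lower(), "ports": (int(lo), int(hi or lo))}


def is_rfc1918(addr):
    """True if the dotted-quad string falls in one of the RFC 1918 ranges."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def explain_drop(fields, rule):
    """Classify the DST field of a logged packet against one DNAT rule.

    'dnat-rewritten': DST, protocol and port all match the DNAT rule, so PREROUTING had
                      already rewritten the public destination before the filter chain
                      logged the packet (this is Matt's "bizarre" entry).
    'private-dst':    DST is RFC 1918 but the DNAT rule does not explain it; worth a look.
    'other':          DST is not a private address.
    """
    dst = fields.get("DST", "")
    if not dst or not is_rfc1918(dst):
        return "other"
    lo, hi = rule["ports"]
    dpt = int(fields.get("DPT", -1))          # ICMP lines carry no DPT; -1 never matches
    if dst == rule["ip"] and fields.get("PROTO", "").lower() == rule["proto"] and lo <= dpt <= hi:
        return "dnat-rewritten"
    return "private-dst"


if __name__ == "__main__":
    f = parse_shorewall_log(SAMPLE_LOG)
    r = parse_dnat_rule(SAMPLE_RULE)
    print("%s/%s %s:%s -> %s:%s [%s] => %s" % (
        f["chain"], f["target"], f["SRC"], f["SPT"], f["DST"], f["DPT"],
        " ".join(sorted(f["flags"])), explain_drop(f, r)))
```

Run against the sample, it reports the quoted line as "dnat-rewritten": the 10.2.3.4 destination with DPT 6885 inside the 6881:6999 range is exactly what the filter chain sees once PREROUTING has done its work, which is why the log never shows 63.194.213.179. A private DST that the rule does not explain comes out as "private-dst", the case that actually deserves investigation.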



