Erik: It would be useful to see the rules you are actually using. Do you have a Forward rule to match the prerouting DNAT rule? The latest Redhat 7.2 Kernel is 2.4.9-31 and iptables is 1.2.4. It wouldn't hurt to upgrade.
Stu........

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Erik Schaberg
Sent: April 26, 2002 2:48 AM
To: [EMAIL PROTECTED]
Subject: DNAT problem

Hi all,

I have a problem with iptables and hope one of you gurus can help me. I'm using Red Hat 7.2 and the iptables (version 1.2.3) that came with it. Iptables works fine for packet filtering and SNAT, but I cannot get DNAT working.

I have two Linux boxes, connected with an ethernet card to each other (192.168.1.0/24). One also has an ADSL connection using a static IP address (x.x.x.x/32). I use the ADSL machine as firewall/workstation; the other one is my webserver. I want to forward the HTTP traffic from the internet directed to my ADSL IP address to the LAN webserver. But whatever I try, it times out. I read a number of iptables tutorials and FAQs, but I cannot find the solution. I tried different sample iptables configurations, but all have the DNAT problem on my system.

To test the DNAT principle/working I added another rule to my nat table. This rule should redirect all HTTP traffic from my workstation to a randomly chosen IP address, 222.222.222.222, to my LAN webserver. This way I can test the principle/working of DNAT without help from someone on the internet to connect to my box. This connection also times out. When I look at the tcpdump output on the ethernet interface it looks to me as if the firewall resets the connection while still in the 3-way handshake.

This is my iptables nat configuration as shown with the command: iptables -t nat -L (adsl-ip-address is the static IP address of the firewall's ADSL interface.)
<====start iptables output ==========>
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             adsl-ip-address      tcp dpt:http state NEW,RELATED,ESTABLISHED to:192.168.1.2
DNAT       tcp  --  anywhere             adsl-ip-address      tcp dpt:http to:192.168.1.2:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere             to:adsl-ip-address

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             222.222.222.222      tcp dpt:http to:192.168.1.2
<=========== end iptables output==========>

This is the output of tcpdump when I'm connecting to http://222.222.222.222/ from my workstation/firewall-box. (Rork-eth0 is the LAN interface of the firewall/workstation (IP address 192.168.1.1). Promethea is the LAN interface (and hostname) of the webserver on the LAN (IP address 192.168.1.2).)

<============ start tcp dump output=====>
18:26:48.765293 Rork-eth0.datametrics > Promethea.http: S 4139693190:4139693190(0) win 5840 <mss 1460,sackOK,timestamp 2036276 0,nop,wscale 0> (DF)
18:26:48.765293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2524120 2034176,nop,wscale 0> (DF)
18:26:48.765293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
18:26:49.165293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2524161 2034176,nop,wscale 0> (DF)
18:26:49.165293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
18:27:13.365293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2526581 2034176,nop,wscale 0> (DF)
18:27:13.365293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
18:27:18.365293 arp who-has Promethea tell Rork-eth0
18:27:18.365293 arp reply Promethea is-at 0:60:8:72:5e:88
<========end tcpdump output====>

How can I get DNAT to work properly?
Can anybody help me? I don't know what the problem is. Is it my configuration? Am I missing something obvious?

Thanks in advance for your help,
Erik
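A minimal rule set for the port-forward Erik describes, including the FORWARD rule Stu asks about, as an added example that is not from either message in this thread. The interface names (ppp0 for the ADSL link, eth0 for the LAN), the WAN address 203.0.113.10 standing in for adsl-ip-address, and the IPT preview variable are assumptions; with IPT=echo the commands are printed instead of applied.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Names below are assumptions.
IPT="${IPT:-iptables}"            # set IPT=echo to preview instead of apply
WAN_IF="${WAN_IF:-ppp0}"          # assumption: the ADSL interface
LAN_IF="${LAN_IF:-eth0}"          # assumption: the 192.168.1.0/24 side
WAN_IP="${WAN_IP:-203.0.113.10}"  # placeholder for adsl-ip-address
LAN_NET="192.168.1.0/24"
WEB="192.168.1.2"                 # the LAN web server from the thread

dnat_rules() {
    # Routing between interfaces must be on, or DNATed packets go nowhere.
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi

    # PREROUTING: rewrite the destination of inbound HTTP arriving on the WAN link.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB:80"

    # After DNAT the packet is routed, so it traverses FORWARD, not INPUT.
    # The FORWARD rule must match the translated destination, i.e. the web server.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB" --dport 80 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Replies from the web server back out towards the WAN side.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$WEB" --sport 80 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # POSTROUTING: SNAT only traffic leaving on the WAN link, so packets that
    # stay on the LAN keep their real source address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$WAN_IP"
}

# "sh dnat.sh run" applies the rules; "IPT=echo sh dnat.sh run" only prints them.
case "${1:-}" in
    run) dnat_rules ;;
esac
```

Check the result with iptables -t nat -L -n -v and iptables -L FORWARD -n -v; the -v flag shows the interface columns that the plain -L listing in the thread omits.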