From: Fergal Moran (fergal.moran at domain wasptech.com)
Date: Tue 29 May 2001 - 16:28:09 IST
> have a look with tcpdump on your webserver if possible or the
> internal nic
> on the firewall if not .. and telnet to port 80 on your firewall from
Telnetting to port 80 of the firewall produces no output anywhere (using
Win2K command line telnet) -
however a web browser produces this on the firewall
(p193.as1.qkr.cork1.eircom.net is the dial-up account I'm using - 192.168.1.6
is the IP address of our webserver) -
14:22:32.669083 eth1 < p193.as1.qkr.cork1.eircom.net.1269 > 192.168.1.6.http: S 1534297371:1534297371(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
14:22:35.599083 eth1 < p193.as1.qkr.cork1.eircom.net.1269 > 192.168.1.6.http: S 1534297371:1534297371(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
14:22:41.619083 eth1 < p193.as1.qkr.cork1.eircom.net.1269 > 192.168.1.6.http: S 1534297371:1534297371(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
There is no output from tcpdump on the webserver or in the webserver logs...
is it strange that there is no mention of our public IP address in tcpdump on
the firewall?
> -----Original Message-----
> From: Dave Airlie [mailto:airlied at domain csn.ul.ie]
> Sent: 29 May 2001 13:25
> To: Fergal Moran
> Cc: 'ilug at domain linux.ie'
> Subject: Re: [ILUG] Still iptables
>
>
>
> outside and see does it send a packet to the internal server and then
> unable to reply,
>
> these rules look like they should work...
>
> telnet port 80 on external from internal works?.. weird..
>
> Dave.
>
> On Tue, 29 May 2001, Fergal Moran wrote:
>
> > Ok - thanks to Dave Airlie - iptables is nearly working
> >
> > I have added only two rules
> >
> > iptables -A PREROUTING -t nat -p tcp -d <external_nic_addr> --dport 80 -j DNAT --to 192.168.1.6
> >
> > iptables -A POSTROUTING -t nat -s <internalnetwork>/netmask -d 0/0 -j MASQUERADE
> >
> > The masquerading part works fine - however the DNAT part only half works -
> >
> > if on a machine on our network I try
> > http://
> >
> > it correctly translates it to the internal webserver at 192.168.1.6
> >
> > however on an external machine - I get a "Page cannot be displayed" error
> >
> > I can ping the external address from the outside world - so that is not the
> > problem and the webserver will allow connections from any IP address.
> >
> > If it is of any use - I have 2 external IPs on the external NIC - but am
> > only attempting DNAT on one of them eth0:0 - if I run apache on the box I
> > can access it using the non-DNAT'd ip address - but if I use the DNAT'd
> > address then I do not see the apache web site - so some form of packet
> > mangling is definitely happening.
> >
> > Thanks for listening
> >
> > Fergal.
> >
> >
>
> --
> David Airlie, Software Engineer
> http://www.skynet.ie/~airlied / airlied at domain skynet.ie
> pam_smb / Linux DecStation / Linux VAX / ILUG person
>
>
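Added example, not part of the thread: a small Python parser for the old tcpdump 3.x line format quoted above that flags flows like the one captured on the firewall (the same SYN, with the same ISN, retransmitted and never answered by a SYN/ACK). The trace below is constructed from the three SYNs in the message plus a hypothetical internal flow that does get a SYN/ACK, for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the old tcpdump format used in the thread: the three
# unanswered SYN retransmissions from the firewall trace, plus a hypothetical
# internal client (192.168.1.20) whose SYN is answered by the webserver.
SAMPLE_TRACE = """\
14:22:32.669083 eth1 < p193.as1.qkr.cork1.eircom.net.1269 > 192.168.1.6.http: S 1534297371:1534297371(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
14:22:35.599083 eth1 < p193.as1.qkr.cork1.eircom.net.1269 > 192.168.1.6.http: S 1534297371:1534297371(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
14:22:41.619083 eth1 < p193.as1.qkr.cork1.eircom.net.1269 > 192.168.1.6.http: S 1534297371:1534297371(0) win 8760 <mss 1460,nop,nop,sackOK> (DF)
14:23:01.100000 eth1 < 192.168.1.20.1045 > 192.168.1.6.http: S 20000:20000(0) win 8760 <mss 1460> (DF)
14:23:01.100500 eth1 > 192.168.1.6.http > 192.168.1.20.1045: S 90000:90000(0) ack 20001 win 5840 <mss 1460> (DF)
"""

# Matches SYN and SYN/ACK lines only: "<ts> <iface> <|> src > dst: S isn:isn(0) [ack N] ..."
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) [<>] "
    r"(?P<src>\S+) > (?P<dst>\S+): S (?P<seq>\d+):\d+\(\d+\)(?P<ack> ack \d+)?"
)

def parse_syns(trace):
    """Yield (src, dst, isn, is_synack) for every SYN/SYN-ACK line; other lines are skipped."""
    for line in trace.splitlines():
        m = SYN_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["seq"]), m["ack"] is not None

def unanswered_handshakes(trace):
    """Return {(client, server): {"syns": n, "distinct_isns": k}} for flows whose
    SYNs were never answered. distinct_isns == 1 with several SYNs means one
    connection attempt being retransmitted, exactly what the firewall trace shows."""
    isns = defaultdict(set)      # (client, server) -> ISNs seen
    syn_count = defaultdict(int)
    answered = set()
    for src, dst, isn, is_synack in parse_syns(trace):
        if is_synack:
            answered.add((dst, src))   # SYN/ACK travels server -> client
        else:
            isns[(src, dst)].add(isn)
            syn_count[(src, dst)] += 1
    return {flow: {"syns": syn_count[flow], "distinct_isns": len(isns[flow])}
            for flow in isns if flow not in answered}

if __name__ == "__main__":
    for flow, info in unanswered_handshakes(SAMPLE_TRACE).items():
        print(f"{flow[0]} -> {flow[1]}: {info['syns']} SYNs, no SYN/ACK seen")
```

Run against a real capture by feeding the raw tcpdump text to unanswered_handshakes(); any flow it returns is a handshake the server side never completed, which points at the packet being dropped or the reply never making it back rather than at the NAT rule itself.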
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:10:30 GMT