[ILUG] DNAT with iptables problem

From: John Allman (allmanj at domain tcd.ie)
Date: Thu 09 Aug 2001 - 00:12:50 IST


Today has been a bad day. I put a different web server behind the firewall
and altered the rules, but I found when using tcpdump that the request was
never reaching the firewall. The router just sat there making ARP requests
for the web server.

I decided then to forward any requests to the firewall on port 80 to the
internal web server just to make it do something, which it did. I used
lynx on matrix (a machine outside the network) to make a request to the firewall
(which would then be forwarded to the internal web server). I ran tcpdump
on tron (the firewall) on the external interface and got the following
output:

[root at domain tron tron]# tcpdump tcp and not port 22
tcpdump: listening on eth0
11:55:22.377183 matrix.netsoc.tcd.ie.8879 > 10.10.13.2.http: S
3226964788:3226964788(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale
0,nop,nop,timestamp 6092307 0>
11:55:22.382564 tron.http > matrix.netsoc.tcd.ie.8879: S
1992481733:1992481733(0) ack 3226964789 win 5792 <mss
1460,sackOK,timestamp 1563649 6092307,nop,wscale 0> (DF)
11:55:22.595244 matrix.netsoc.tcd.ie.8879 > 10.10.13.2.http: . ack
1992481734 win 17280 <nop,nop,timestamp 6092307 1563649>
11:55:22.623598 matrix.netsoc.tcd.ie.8879 > 10.10.13.2.http: P 0:316(316)
ack 1 win 17280 <nop,nop,timestamp 6092307 1563649>
11:55:22.623953 tron.http > matrix.netsoc.tcd.ie.8879: . ack 317 win 6432
<nop,nop,timestamp 1563673 6092307> (DF)
11:55:22.640036 tron.http > matrix.netsoc.tcd.ie.8879: . 1:1449(1448) ack
317 win 6432 <nop,nop,timestamp 1563674 6092307> (DF)
11:55:22.640130 tron.http > matrix.netsoc.tcd.ie.8879: P 1449:1880(431)
ack 317 win 6432 <nop,nop,timestamp 1563674 6092307> (DF)
11:55:22.640182 tron.http > matrix.netsoc.tcd.ie.8879: F 1880:1880(0) ack
317 win 6432 <nop,nop,timestamp 1563674 6092307> (DF)
11:55:22.888932 matrix.netsoc.tcd.ie.8879 > 10.10.13.2.http: . ack 1 win
17280 <nop,nop,timestamp 6092308 1563673,nop,nop,sack sack 1 {1449:1880} >
11:55:22.890813 matrix.netsoc.tcd.ie.8879 > 10.10.13.2.http: . ack 1 win
17280 <nop,nop,timestamp 6092308 1563673,nop,nop,sack sack 1 {1449:1880} >
11:55:23.721019 tron.http > matrix.netsoc.tcd.ie.8879: . 1:1449(1448) ack
317 win 6432 <nop,nop,timestamp 1563783 6092308> (DF)
11:55:25.901013 tron.http > matrix.netsoc.tcd.ie.8879: . 1:1449(1448) ack
317 win 6432 <nop,nop,timestamp 1564001 6092308> (DF)
11:55:30.260930 tron.http > matrix.netsoc.tcd.ie.8879: . 1:1449(1448) ack
317 win 6432 <nop,nop,timestamp 1564437 6092308> (DF)
11:55:37.836901 matrix.netsoc.tcd.ie.8879 > 10.10.13.2.http: F 316:316(0)
ack 1 win 17280 <nop,nop,timestamp 6092338 1563673>
11:55:37.837170 tron.http > matrix.netsoc.tcd.ie.8879: . ack 318 win 6432
<nop,nop,timestamp 1565194 6092338> (DF)
11:55:38.980825 tron.http > matrix.netsoc.tcd.ie.8879: . 1:1449(1448) ack
318 win 6432 <nop,nop,timestamp 1565309 6092338> (DF)
 
 16 packets received by filter
 0 packets dropped by kernel

10.10.13.2 is the internal web server.

You can see the requests (after NAT-ing) going to the web server and tron
(apparently) replying. That is as it should look to the outside world: you
request a page from tron, tron replies. The browser still times out
though. I also tried telnetting as per your advice...

I sent a bad request (because I didn't know what I was at) and got the
following output:

matrix/home/john>telnet [trons external address] 80
Trying [trons external address]...
Connected to [tron external address].
Escape character is '^]'.
get index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
Invalid URI in request get index.html<P>
<HR>
<ADDRESS>Apache/1.3.20 Server at 10.10.13.2 Port 80</ADDRESS>
</BODY></HTML>
Connection closed by foreign host.

which sounds about right - we can see the Apache web server is actually
talking to matrix.

I looked up an example HTTP request and slapped it in to see what it would
do. To www.linux.ie:

matrix/home/john>telnet www.linux.ie 80
Trying 194.125.145.45...
Connected to www.linux.ie.
Escape character is '^]'.
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)
Host: matrix.netsoc.tcd.ie
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 08 Aug 2001 22:47:58 GMT
Server: Apache/1.3.9 (Unix) Debian/GNU PHP/4.0.3pl1
Last-Modified: Wed, 07 Feb 2001 11:28:09 GMT
ETag: "1802-51c-3a813149"
Accept-Ranges: bytes
Content-Length: 1308
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>lugh.tuatha.org</TITLE>
</HEAD>
<BODY BGCOLOR="#ffffff" TEXT="#000000" LINK="#0000ff"
VLINK="#ff00ff" ALINK="#ff0000">
<HR>
<CENTER><H2>Welcome to <EM>lugh.tuatha.org</EM></H2></CENTER>
<HR>
<P>
This server hosts Web services for several domains. If you see this
message, you are either using an old browser (which doesn't understand
HTTP 1.1), or have deliberately connected to lugh.tuatha.org.<P>
Websites hosted here :<P>
<UL>
<LI>
<A HREF="http://www.linux.ie/">Irish Linux Users' Group</A>
<LI>
<A HREF="http://www.ie.lspace.org/">Irish mirror of <EM>L-Space</EM></A>
<LI>
<A HREF="http://www.tuatha.org/"><EM>Tuatha</EM></A>
<LI>
<A HREF="http://www.postgrad.org/">Postgraduates International Network</A>
</UL>
<P>
If you cannot connect to these sites (i.e. : if you keep returning to this
page) I <EM>strongly</EM> suggest that you upgrade your browser.<P>
<HR>
<P><EM>Lugh</EM> is a PC with an AMD K6/300 CPU, 128Mb of SDRAM and
5.1Gb of disk space, running Debian
<A HREF="http://www.linux.org"><EM>Linux</EM></A> and the
<A HREF="http://www.apache.org"><EM>Apache</EM></A> HTTP server.</P>
<HR>
<ADDRESS><A HREF="mailto:colm at domain tuatha.org">colm at domain tuatha.org</A></ADDRESS>
</BODY>
</HTML>
Connection closed by foreign host.

So OK - this isn't what I expected, but it shows a correct-ish request and
response.

To tron (the firewall, which should forward to the internal web server):

matrix/home/john>telnet [trons external address] 80
Trying [trons external address]...
Connected to [trons external address].
Escape character is '^]'.
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)
Host: matrix.netsoc.tcd.ie
Connection: Keep-Alive

^]
telnet> quit
Connection closed.

I only had to press return twice for the response from linux.ie. Here you
can see I pressed it several times and still nothing.

The truly worrying bit is where I had the following setup...

             ______ ______________ __________
internet----|router|------|tron(firewall)|--|web server|
             ------ -------------- -----------
               |
               |
               |
            _________
           |other box|
            ---------
In case that doesn't look right - that's an effort at ASCII art. I have the
firewall and another box connected to the router, which is connected to the
internet. I then have the web server connected to the firewall.

I made a request from the other box to the firewall and everything looked
fine - it displayed the page just as expected.

So I'm thinking it might be a router issue, and there I am out of my
depth. I didn't buy or set up the router and although I can play with it I
really don't know what I'm at. The router is an Efficient Networks
SpeedStream 5861 (I've never heard of it either).

Really getting quite frustrated now and running out of things to do.
Please help!

Thanks loads

John
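An added example, not part of John's post: a small Python script that parses the classic tcpdump text format of the capture above and reports, for every data-carrying segment, how many times it was sent and whether the other side ever acknowledged it, either cumulatively or through a SACK block. Because the capture was taken on tron's external interface after DNAT, inbound packets name 10.10.13.2.http as their destination while the replies are sourced from tron.http, so the script folds the two names together through an alias map (NAT_ALIASES, an assumption made for this example). The sample lines are transcribed from the post with the mail wrapping re-joined. Run on that sample, it shows the 316-byte request and the small ACK/FIN packets getting through in both directions, the 431-byte segment 1449:1880 being SACKed, and the full-size 1448-byte segment 1:1449 being sent five times without ever being acknowledged.

```python
"""Spot retransmitted and never-acknowledged TCP segments in classic tcpdump output.
Added example; the sample capture is transcribed from the post above."""
import re
from collections import defaultdict

# Transcribed from the post (wrapped lines re-joined); not a fresh capture.
SAMPLE = """\
11:55:22.377183 matrix.netsoc.tcd.ie.8879 > 10.10.13.2.http: S 3226964788:3226964788(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 6092307 0>
11:55:22.382564 tron.http > matrix.netsoc.tcd.ie.8879: S 1992481733:1992481733(0) ack 3226964789 win 5792 <mss 1460,sackOK,timestamp 1563649 6092307,nop,wscale 0> (DF)
11:55:22.595244 matrix.netsoc.tcd.ie.8879 > 10.10.13.2.http: . ack 1992481734 win 17280 <nop,nop,timestamp 6092307 1563649>
11:55:22.623598 matrix.netsoc.tcd.ie.8879 > 10.10.13.2.http: P 0:316(316) ack 1 win 17280 <nop,nop,timestamp 6092307 1563649>
11:55:22.623953 tron.http > matrix.netsoc.tcd.ie.8879: . ack 317 win 6432 <nop,nop,timestamp 1563673 6092307> (DF)
11:55:22.640036 tron.http > matrix.netsoc.tcd.ie.8879: . 1:1449(1448) ack 317 win 6432 <nop,nop,timestamp 1563674 6092307> (DF)
11:55:22.640130 tron.http > matrix.netsoc.tcd.ie.8879: P 1449:1880(431) ack 317 win 6432 <nop,nop,timestamp 1563674 6092307> (DF)
11:55:22.640182 tron.http > matrix.netsoc.tcd.ie.8879: F 1880:1880(0) ack 317 win 6432 <nop,nop,timestamp 1563674 6092307> (DF)
11:55:22.888932 matrix.netsoc.tcd.ie.8879 > 10.10.13.2.http: . ack 1 win 17280 <nop,nop,timestamp 6092308 1563673,nop,nop,sack sack 1 {1449:1880} >
11:55:22.890813 matrix.netsoc.tcd.ie.8879 > 10.10.13.2.http: . ack 1 win 17280 <nop,nop,timestamp 6092308 1563673,nop,nop,sack sack 1 {1449:1880} >
11:55:23.721019 tron.http > matrix.netsoc.tcd.ie.8879: . 1:1449(1448) ack 317 win 6432 <nop,nop,timestamp 1563783 6092308> (DF)
11:55:25.901013 tron.http > matrix.netsoc.tcd.ie.8879: . 1:1449(1448) ack 317 win 6432 <nop,nop,timestamp 1564001 6092308> (DF)
11:55:30.260930 tron.http > matrix.netsoc.tcd.ie.8879: . 1:1449(1448) ack 317 win 6432 <nop,nop,timestamp 1564437 6092308> (DF)
11:55:37.836901 matrix.netsoc.tcd.ie.8879 > 10.10.13.2.http: F 316:316(0) ack 1 win 17280 <nop,nop,timestamp 6092338 1563673>
11:55:37.837170 tron.http > matrix.netsoc.tcd.ie.8879: . ack 318 win 6432 <nop,nop,timestamp 1565194 6092338> (DF)
11:55:38.980825 tron.http > matrix.netsoc.tcd.ie.8879: . 1:1449(1448) ack 318 win 6432 <nop,nop,timestamp 1565309 6092338> (DF)
"""

# Assumption for this example: the DNAT'd destination seen on inbound packets is
# the same endpoint that answers as tron.http, so fold the two names together.
NAT_ALIASES = {"10.10.13.2.http": "tron.http"}

# Classic tcpdump line: "ts src > dst: FLAGS [seq:end(len)] [ack N] win W <opts>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRPUWE.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)
SACK_RE = re.compile(r"\{(\d+):(\d+)\}")


def parse(text, aliases=None):
    """One dict per TCP line; summary and 'listening on' lines are skipped."""
    aliases = aliases or {}
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        pkts.append({
            "ts": g["ts"], "flags": g["flags"],
            "src": aliases.get(g["src"], g["src"]),
            "dst": aliases.get(g["dst"], g["dst"]),
            "seq": int(g["seq"]) if g["seq"] else None,
            "end": int(g["end"]) if g["end"] else None,
            "len": int(g["len"]) if g["len"] else 0,
            "ack": int(g["ack"]) if g["ack"] else None,
            "sack": [(int(a), int(b)) for a, b in SACK_RE.findall(line)],
        })
    return pkts


def analyze(text, aliases=None):
    """Per data-carrying segment: how often it was sent and whether it was acknowledged."""
    isn = {}                    # (src, dst) -> ISN printed on the SYN in that direction
    sends = defaultdict(list)   # (src, dst, seq, end) -> timestamps it was seen
    max_ack = defaultdict(int)  # (sender, receiver) -> highest relative ack from receiver
    sacked = defaultdict(set)   # (sender, receiver) -> SACK blocks reported by receiver
    for p in parse(text, aliases):
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        if "S" in p["flags"]:
            isn[fwd] = p["seq"]
        if p["len"] > 0:
            sends[fwd + (p["seq"], p["end"])].append(p["ts"])
        if p["ack"] is not None:
            ack = p["ack"]
            # Old tcpdump prints the handshake with absolute numbers and later packets
            # relative to the ISN; an ack at or above the peer's ISN is treated as absolute.
            peer_isn = isn.get(rev)
            if peer_isn is not None and ack >= peer_isn:
                ack -= peer_isn
            max_ack[rev] = max(max_ack[rev], ack)
        sacked[rev].update(p["sack"])
    report = []
    for (src, dst, seq, end), stamps in sends.items():
        report.append({
            "src": src, "dst": dst, "seq": seq, "end": end, "len": end - seq,
            "sends": len(stamps), "first": stamps[0],
            "acked": max_ack[(src, dst)] >= end,
            "sacked": any(s <= seq and end <= e for s, e in sacked[(src, dst)]),
        })
    return sorted(report, key=lambda r: r["first"])


def stalled_segments(text, aliases=None):
    """Segments sent more than once that the peer never acknowledged in any form."""
    return [r for r in analyze(text, aliases)
            if r["sends"] > 1 and not r["acked"] and not r["sacked"]]


if __name__ == "__main__":
    for r in analyze(SAMPLE, NAT_ALIASES):
        status = "acked" if r["acked"] else ("sacked" if r["sacked"] else "NOT acked")
        print(f'{r["src"]} -> {r["dst"]} {r["seq"]}:{r["end"]} '
              f'({r["len"]} bytes) sent {r["sends"]}x, {status}')
```

The pattern this flags, a full-size segment (here 1448 bytes, against the 1460-byte MSS negotiated in the SYN) being retransmitted while smaller packets in both directions are acknowledged, is the one to check against the MTU of each hop between the client and the firewall; the script only isolates the symptom, it does not prove the cause.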



This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:11:31 GMT