My client: 192.168.1.2 (win2k)
My firewall: 192.168.1.200 (script, see below)
Webserver: 192.168.1.40 (also tried it with 192.168.3.30)
A tcpdump on port 80 on the webserver (so it actually does forward my port!):
13:15:33.287986 192.168.1.2.1208 > linux.local.http: R 3458148781:3458148781(0) win 0
This is a TCP reset from the W2K box to the web server. Ungraceful TCP connection teardown. This is not good.
13:15:36.237986 192.168.1.2.1208 > linux.local.http: S 3458148780:3458148780(0) win 32767 (DF)
First packet of the TCP 3-way handshake. It made it through the DNATing box, so I should think that you've got that set up correctly.
13:15:36.237986 linux.local.http > 192.168.1.2.1208: S 4027492602:4027492602(0) ack 3458148781 win 5840 (DF)
etc. (the rest looks all the same)
This is the second packet of the TCP 3-way handshake, going from original receiver to original sender with SYN and ACK set. Does this packet arrive at the W2K box? And what does it look like?
My little firewall script:
iptables -F OUTPUT
iptables -F INPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
Why don't you flush the postrouting chain?
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
I like to explicitly set accept policies on the nat chains as well, but that may just be me.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
What part does the ppp0 interface play here? I'm not sure if the return traffic from the web server will survive if it's masqueraded... And I believe I have read in the HOWTO that you do not need any NAT rules for return traffic in iptables; I think it says that it's handled automatically. So this may be your problem if the ppp0 interface is used to route to the W2K box.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j DNAT --to 192.168.1.40
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j DNAT --to 192.168.1.40
#Make sure connections for VNC servers are accepted.
iptables -t nat -A POSTROUTING -p tcp --destination-port 80 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --destination-port 80 -j ACCEPT
OK, this should suffice to let the traffic past the post-routing chain. You might as well set an accept policy, though, I think.
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j REDIRECT --to 192.168.1.40:80
http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-6.html says that redirect only forwards to a different port on the input interface. This is probably not what you want to do. This is a second candidate for the cause of the problem.
=====================
What is the difference between:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j DNAT --to 192.168.1.40
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j DNAT --to 192.168.1.40
#Make sure connections for VNC servers are accepted.
iptables -t nat -A POSTROUTING -p tcp --destination-port 80 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --destination-port 80 -j ACCEPT
and:
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j REDIRECT --to 192.168.1.40:80
See the link above. Redirect means "send this packet to a different port on the local box"; DNAT allows you to modify the destination IP address and port.
Tobias wrote: "And you're missing forward rules to allow the desired traffic (plus the rest you need for basic connectivity, such as some ICMP, etc..)"
I thought that iptables -P FORWARD ACCEPT does it?!
Yes, but you probably didn't have that line in your previous mails.
Cheers,
Tobias
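Added example, not the poster's script or Tobias's reply: the DNAT port-forward the thread is converging on, with DNAT in place of REDIRECT and the explicit FORWARD rules Tobias mentions (needed as soon as the FORWARD policy is not ACCEPT), emitted as text so the rule set can be reviewed before it is loaded. ppp0 and 192.168.1.40 come from the thread; eth0 as the LAN interface and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script or Tobias's reply). Assumptions:
# ppp0 is the upstream interface and 192.168.1.40 the web server (both from
# the thread); eth0 as the LAN interface and the function names are mine.
WAN=ppp0
LAN=eth0
WEB=192.168.1.40

# Emit the rule set as text, one command per line, so it can be reviewed
# or diffed before anything is loaded into the kernel.
portforward_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB:80
iptables -A FORWARD -i $WAN -o $LAN -p tcp -d $WEB --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -o $WAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Checks for the two mistakes discussed in the thread: REDIRECT used for a
# target on another host (it only changes the port on the local box), and a
# missing FORWARD rule, which with a DROP policy on FORWARD keeps the
# forwarded flow from ever reaching the server even though PREROUTING
# rewrote the destination.
check_rules() {
    rules=$(portforward_rules)
    if echo "$rules" | grep -q -- '-j REDIRECT'; then return 1; fi
    echo "$rules" | grep -q -- '-j DNAT --to-destination' || return 1
    echo "$rules" | grep -q -- '-A FORWARD .*--dport 80 .*-j ACCEPT' || return 1
    return 0
}

# Count FORWARD rules, so a reviewer can confirm both directions are covered.
forward_rule_count() {
    portforward_rules | grep -c -- '-A FORWARD '
}

# Apply only on explicit request (needs root); the default is print-for-review.
if [ "${1-}" = "--apply" ]; then
    check_rules || { echo "rule check failed, nothing applied" >&2; exit 1; }
    portforward_rules | while read -r cmd; do $cmd || exit 1; done
else
    portforward_rules
fi
```

Run it without arguments to see the rules; a failed check_rules refuses to apply anything.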