Do you have a rule in the FORWARD chain that allows this kind of traffic from IPEXTERN to IPINTERN? You would need something like

    iptables -A FORWARD -s IPEXTERN -d IPINTERN -p tcp --dport FF -j ACCEPT

Greetings,
Stefan Nauber

Cs2 Informatik GmbH & Co. KG - Niederlassung West -
Kurfürstenanlage 3
69115 Heidelberg
Germany
Tel.: +49 (6221) 6041-0
Fax : +49 (6221) 6041-50
Email: mailto:stefan.nauber@cs2-informatik.de
Internet: http://www.cs2-informatik.de

-----Original Message-----
From: T-Systems.Ertl@daimlerchrysler.com [mailto:T-Systems.Ertl@daimlerchrysler.com]
Sent: Wednesday, January 23, 2002 1:07 PM
To: Martin.Peikert@discon.de
Cc: suse-security@suse.com
Subject: [suse-security] Antwort: Re: [suse-security] DNAT problems

Hello Martin, hello folks,
thanks for your response.
I can show U the rule:
$IPTABLES -A PREROUTING -t nat -p tcp --dport FF -j DNAT --to-destination IPINTERN
and a pullout of /var/log/kernel.log:
Jan 21 17:41:06 FW15 kernel: DROP-TCP IN=tr0 OUT=eth0 SRC=IPEXTERN DST=IPINTERN LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=6234 DF PROTO=TCP SPT=1079 DPT=FF WINDOW=8760 RES=0x00 SYN URGP=0
but, sorry, no iptables -L.
On this print U can see that the DNAT is working pretty (see on DST = is the DNAT IP), but packets are dropped.
WHY ?? :-(
TIA
best regards
Dirk Ertl
T-Systems PCM AG
Computing & Desktop Services
Business Unit Daimler Chrysler AG / debis
Fon: +179/492 63 59
mailto:t-systems.ertl@daimlerchrysler.com
mailto:dirk.ertl@t-systems.com

Martin.Peikert@discon.de
23.01.2002 11:17
Please reply to Martin.Peikert
To: suse-security@suse.com
Cc:
Subject: Re: [suse-security] DNAT problems

T-Systems.Ertl@daimlerchrysler.com wrote:
Hi Folks,
we are pretty much done with our firewall now, but unfortunately we have a tiny problem. Basically we want to use dNAT. We see that the translation of the IP works out pretty good already. Actually he does everything right, but he still drops the packages.
Do we need an additional rule ?

Could you be a little bit more detailed? What rules do you already have? It would help to send an 'iptables -n -L'...
Martin
--
martin.peikert@discon.de Discon GmbH Internet Solutions
Wrangelstrasse 100 http://www.discon.de/ 10997 Berlin, Germany
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
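
The log line quoted in this thread has both IN= and OUT= set, which is what points at the FORWARD chain. Added example (not part of the original messages): a POSIX sh sketch that names the chain implied by a netfilter LOG line and prints an ACCEPT rule of the shape suggested in the reply, narrowed by interface. It assumes the logging rule sits in the filter table; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: map a netfilter LOG line to the filter chain that logged it
# and print an ACCEPT rule limited to exactly the logged flow.

# Sample input: the log line quoted in the thread, placeholders kept as posted.
SAMPLE='Jan 21 17:41:06 FW15 kernel: DROP-TCP IN=tr0 OUT=eth0 SRC=IPEXTERN DST=IPINTERN LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=6234 DF PROTO=TCP SPT=1079 DPT=FF WINDOW=8760 RES=0x00 SYN URGP=0'

# field KEY LINE -> value of the first KEY=value token (empty if unset).
# Runs in a subshell so that disabling globbing does not leak to the caller.
field() (
    set -f
    for tok in $2; do
        case $tok in
            "$1="*) printf '%s' "${tok#*=}"; break ;;
        esac
    done
)

# chain_of LINE -> chain implied by which interfaces the kernel filled in
# (assumption: the LOG rule is in the filter table).
chain_of() {
    iif=$(field IN "$1"); oif=$(field OUT "$1")
    if [ -n "$iif" ] && [ -n "$oif" ]; then echo FORWARD   # routed through the box
    elif [ -n "$iif" ]; then echo INPUT                    # addressed to the box
    elif [ -n "$oif" ]; then echo OUTPUT                   # generated by the box
    else echo UNKNOWN
    fi
}

# suggest_rule LINE -> iptables command accepting only the logged flow.
# Note DST is already the post-DNAT address, as the poster observed.
suggest_rule() {
    chain=$(chain_of "$1")
    [ "$chain" = UNKNOWN ] && return 1
    iif=$(field IN "$1"); oif=$(field OUT "$1"); dpt=$(field DPT "$1")
    proto=$(field PROTO "$1" | tr 'A-Z' 'a-z')
    rule="iptables -A $chain"
    [ -n "$iif" ] && rule="$rule -i $iif"
    [ -n "$oif" ] && rule="$rule -o $oif"
    rule="$rule -s $(field SRC "$1") -d $(field DST "$1") -p $proto"
    [ -n "$dpt" ] && rule="$rule --dport $dpt"
    echo "$rule -j ACCEPT"
}

echo "logged in chain: $(chain_of "$SAMPLE")"
suggest_rule "$SAMPLE"
```

The printed rule covers only the logged direction, so replies from IPINTERN need their own FORWARD rule.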