Hi, if anybody can shed some light here ... I have SuSE 7.2 with iptables 1.2.4. This is my setup:

    Internet host (INT1)
            |
            |
    Internet Router (66.8.45.161/28)
            |
            |
    eth0:   66.8.45.162
    eth0:0: 66.8.45.171
    Firewall ------ eth1: 192.168.1.1/24 ----- DMZ Web Server (192.168.1.3) (WEB1)
    eth2:   10.0.0.2
            |
            |
    Internal LAN Machine (10.0.0.67) (LAN1)

If I browse from LAN1 to WEB1 I get the expected web page. If I ping eth0:0 (66.8.45.171) from an internet host I get a response. If I browse eth0:0 (66.8.45.171) from an internet host (INT1), then this is what I see in the firewall logs:

    Dec 10 12:49:32 firefly kernel: IN INT TO ORA1: IN=eth0 OUT= MAC=00:01:02:50:b8:9e:00:50:0f:0d:1c:76:08:00 SRC=196.38.2.133 DST=66.8.45.171 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=33551 DF PROTO=TCP SPT=35511 DPT=80 WINDOW=8760 RES=0x00 SYN URGP=0

This is what I get from a tcpdump -i eth0 src or dst 66.8.45.171:

    firefly:~ # tcpdump -n -i eth0 src or dst 66.8.45.171
    Kernel filter, protocol ALL, datagram packet socket
    tcpdump: listening on eth0
    13:09:24.168125 196.38.2.133.35555 > 66.8.45.171.http: S 1553437572:1553437572(0) win 8760 <mss 1460> (DF)
    13:09:24.378125 196.38.2.133.35555 > 192.168.1.3.http: S 1675349120:1675349120(0) win 8760 <mss 1380> (DF)
    13:09:35.018125 196.38.2.133.35555 > 66.8.45.171.http: R 1553437573:1553437573(0) win 8760 (DF)
    13:09:35.108125 196.38.2.133.35555 > 192.168.1.3.http: R 1675349121:1675349121(0) win 8760 (DF)
    13:09:36.978125 196.38.2.133.35557 > 66.8.45.171.http: S 1556456834:1556456834(0) win 8760 <mss 1460> (DF)
    13:09:37.248125 196.38.2.133.35557 > 192.168.1.3.http: S 2504752814:2504752814(0) win 8760 <mss 1380> (DF)
    13:09:40.478125 196.38.2.133.35557 > 66.8.45.171.http: S 1556456834:1556456834(0) win 8760 <mss 1460> (DF)
    13:09:40.498125 196.38.2.133.35557 > 192.168.1.3.http: S 2504752814:2504752814(0) win 8760 <mss 1380> (DF)
    13:09:46.878125 196.38.2.133.35557 > 66.8.45.171.http: S 1556456834:1556456834(0) win 8760 <mss 1460> (DF)
    13:09:47.218125 196.38.2.133.35557 > 192.168.1.3.http: S 2504752814:2504752814(0) win 8760 <mss 1380> (DF)

It seems like my NAT rule on the PREROUTING chain is doing its work (translating 66.8.45.171 to 192.168.1.1), however no traffic ever reaches 192.168.1.3. What am I doing wrong?

Ray
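As an added diagnostic example (not code from the post above), the script below parses the netfilter LOG line format and the tcpdump output quoted in the post, and pairs each SYN to the public address with the post-DNAT SYN to the DMZ address from the same source port. Seeing the translated packet on the same interface the original arrived on means it is being sent back out that interface rather than forwarded to eth1, which points at routing rather than the PREROUTING rule; the sample input is copied from the post and embedded inline, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input copied from the post above (embedded here so the script runs offline).
KERNEL_LOG = (
    "Dec 10 12:49:32 firefly kernel: IN INT TO ORA1: IN=eth0 OUT= "
    "MAC=00:01:02:50:b8:9e:00:50:0f:0d:1c:76:08:00 SRC=196.38.2.133 "
    "DST=66.8.45.171 LEN=44 TOS=0x00 PREC=0x00 TTL=246 ID=33551 DF "
    "PROTO=TCP SPT=35511 DPT=80 WINDOW=8760 RES=0x00 SYN URGP=0"
)

TCPDUMP = """\
13:09:24.168125 196.38.2.133.35555 > 66.8.45.171.http: S 1553437572:1553437572(0) win 8760 <mss 1460> (DF)
13:09:24.378125 196.38.2.133.35555 > 192.168.1.3.http: S 1675349120:1675349120(0) win 8760 <mss 1380> (DF)
13:09:36.978125 196.38.2.133.35557 > 66.8.45.171.http: S 1556456834:1556456834(0) win 8760 <mss 1460> (DF)
13:09:37.248125 196.38.2.133.35557 > 192.168.1.3.http: S 2504752814:2504752814(0) win 8760 <mss 1380> (DF)
"""


def parse_netfilter_log(line):
    """Return the KEY=VALUE fields of an iptables LOG line as a dict.
    Bare flags (DF, SYN, ...) map to True; an empty OUT= means the packet
    was logged before routing chose an egress interface."""
    body = line[line.index(" IN="):]  # everything before IN= is the --log-prefix
    fields = {}
    for tok in body.split():
        key, _, value = tok.partition("=")
        fields[key] = value if "=" in tok else True
    return fields


TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\w+): (?P<flags>\S+)"
)


def find_dnat_pairs(dump, public_ip, private_ip):
    """Group SYNs by (source IP, source port). A flow whose SYN to public_ip
    is followed by a SYN to private_ip in the same capture is a packet that
    was DNATed and then transmitted on the capture interface."""
    seen = defaultdict(list)
    for line in dump.splitlines():
        m = TCPDUMP_RE.match(line)
        if m and m["flags"] == "S":
            seen[(m["src"], m["sport"])].append(m["dst"])
    return [flow for flow, dsts in seen.items() if dsts == [public_ip, private_ip]]
```

Run against a capture taken on eth1 instead, the same pairing should show only the private-address SYNs if forwarding to the DMZ is actually happening.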
participants (1)
-
Ray Leach