Antwort: Re: [suse-security] DNAT problems
Hello Martin, hello folks,

thanks for your response.
I can show you the rule:

$IPTABLES -A PREROUTING -t nat -p tcp --dport FF -j DNAT --to-destination IPINTERN

and a pullout of /var/log/kernel.log:

Jan 21 17:41:06 FW15 kernel: DROP-TCP IN=tr0 OUT=eth0 SRC=IPEXTERN DST=IPINTERN LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=6234 DF PROTO=TCP SPT=1079 DPT=FF WINDOW=8760 RES=0x00 SYN URGP=0

but, sorry, no iptables -L.
In this output you can see that the DNAT is working pretty well (see DST = the DNAT IP), but the packets are dropped.
WHY ?? :-(
TIA
best regards

Dirk Ertl
T-Systems PCM AG
Computing & Desktop Services Business Unit
Daimler Chrysler AG / debis
Fon: +179/492 63 59
mailto:t-systems.ertl@daimlerchrysler.com
mailto:dirk.ertl@t-systems.com

Martin.Peikert@discon.de 23.01.2002 11:17
Please reply to Martin.Peikert
To: suse-security@suse.com
Cc:
Subject: Re: [suse-security] DNAT problems

T-Systems.Ertl@daimlerchrysler.com wrote:
Hi Folks,
we are pretty much done with our firewall now, but unfortunately we have a tiny problem. Basically we want to use DNAT. We see that the translation of the IP works out pretty well already. Actually it does everything right, but it still drops the packets.
Do we need an additional rule?
Could you be a little bit more detailed? What rules do you already have? It would help to send an 'iptables -n -L'...

Martin
--
martin.peikert@discon.de
Discon GmbH Internet Solutions
Wrangelstrasse 100
http://www.discon.de/
10997 Berlin, Germany

--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Do you have a rule in the FORWARD chain that allows this kind of traffic from IPEXTERN to IPINTERN? You would need something like

iptables -A FORWARD -s IPEXTERN -d IPINTERN -p tcp --dport FF -j ACCEPT

Greetings,
Stefan Nauber

Cs2 Informatik GmbH & Co. KG
- Niederlassung West -
Kurfürstenanlage 3
69115 Heidelberg
Germany
Tel.: +49 (6221) 6041-0
Fax : +49 (6221) 6041-50
Email: mailto:stefan.nauber@cs2-informatik.de
Internet: http://www.cs2-informatik.de
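To make Stefan's point concrete, here is an added example (not code from the thread or from either poster): the complete minimal rule set for such a port forward, plus a small helper that reads a netfilter LOG line like the DROP-TCP one above and reports which chain logged the packet. The interface names tr0 and eth0 and the placeholders IPINTERN and FF are taken from Dirk's log line; the IPTABLES variable defaulting to "echo iptables" is my own assumption so that the script only prints the commands and can be run anywhere.

```shell
#!/bin/sh
# Added example, not code from the list thread: the minimal rule set for a
# DNAT port forward, and a helper that reads a netfilter LOG line to see
# which chain dropped a packet. Placeholders are the thread's own:
# tr0 = external interface, eth0 = internal interface, IPINTERN = internal
# server, FF = forwarded TCP port.
# Assumption: IPTABLES defaults to "echo iptables" so the script only prints
# the commands; run with IPTABLES=/usr/sbin/iptables as root to apply them.

IPTABLES="${IPTABLES:-echo iptables}"

# emit_dnat_rules EXT_IF INT_IF INT_IP PORT
# Prints/applies the three rules a port forward needs.
emit_dnat_rules() {
    ext_if=$1; int_if=$2; int_ip=$3; port=$4

    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    #    This is the only rule from the original post.
    $IPTABLES -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$port" \
        -j DNAT --to-destination "$int_ip"

    # 2. filter/FORWARD: after DNAT the packet is routed to the internal
    #    interface and traverses FORWARD with DST already rewritten. That is
    #    exactly the state shown in the DROP-TCP log line (IN=tr0 OUT=eth0
    #    DST=IPINTERN), so a DROP policy in FORWARD discards it unless a
    #    rule accepts the new connection.
    $IPTABLES -A FORWARD -i "$ext_if" -o "$int_if" -d "$int_ip" \
        -p tcp --dport "$port" -m state --state NEW -j ACCEPT

    # 3. Replies from the internal server: accept packets that belong to a
    #    connection already accepted; conntrack un-DNATs them automatically.
    $IPTABLES -A FORWARD -i "$int_if" -o "$ext_if" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# chain_from_log LOGLINE
# The LOG target records both IN= and OUT=: a forwarded packet has both set,
# a packet addressed to the firewall itself has an empty OUT=, and a locally
# generated packet has an empty IN=. Prints FORWARD, INPUT or OUTPUT.
chain_from_log() {
    in_if=$(printf '%s\n' "$1" | sed -n 's/.* IN=\([^ ]*\).*/\1/p')
    out_if=$(printf '%s\n' "$1" | sed -n 's/.* OUT=\([^ ]*\).*/\1/p')
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then
        echo FORWARD
    elif [ -n "$in_if" ]; then
        echo INPUT
    else
        echo OUTPUT
    fi
}

# The DROP-TCP line posted in the thread (interfaces and addresses as given there).
SAMPLE_LOG='Jan 21 17:41:06 FW15 kernel: DROP-TCP IN=tr0 OUT=eth0 SRC=IPEXTERN DST=IPINTERN LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=6234 DF PROTO=TCP SPT=1079 DPT=FF WINDOW=8760 RES=0x00 SYN URGP=0'

echo "packet was dropped in chain: $(chain_from_log "$SAMPLE_LOG")"
emit_dnat_rules tr0 eth0 IPINTERN FF
```

The diagnostic the helper encodes is the one hidden in Dirk's log line: IN=tr0 and OUT=eth0 are both filled in, so the kernel had already made its routing decision and the drop happened in FORWARD, not in INPUT; the PREROUTING rule did its job and a matching FORWARD ACCEPT rule is what is missing. Restricting the accept rule to the internal server's address and port, rather than opening FORWARD for all traffic, keeps the firewall's default-deny stance for everything else.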