Mailinglist Archive: opensuse-security (757 mails)

RE: [suse-security] Antwort: Re: [suse-security] DNAT problems
  • From: "Stefan Nauber" <nauber@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 23 Jan 2002 13:17:48 +0100
  • Message-id: <000a01c1a407$f94ffde0$0c01a8c0@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Do you have a rule in the FORWARD chain that allows this kind of traffic
from IPEXTERN to IPINTERN? You would need something like

iptables -A FORWARD -s IPEXTERN -d IPINTERN -p tcp --dport FF -j ACCEPT

Greetings,
Stefan Nauber

Cs2 Informatik GmbH & Co. KG
- Niederlassung West -
Kurfürstenanlage 3
69115 Heidelberg
Germany
Tel.: +49 (6221) 6041-0
Fax : +49 (6221) 6041-50
Email: mailto:stefan.nauber@xxxxxxxxxxxxxxxxx
Internet: http://www.cs2-informatik.de

> -----Original Message-----
> From: T-Systems.Ertl@xxxxxxxxxxxxxxxxxxx
> [mailto:T-Systems.Ertl@xxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, January 23, 2002 1:07 PM
> To: Martin.Peikert@xxxxxxxxx
> Cc: suse-security@xxxxxxxx
> Subject: [suse-security] Antwort: Re: [suse-security] DNAT problems
>
>
> Hello Martin, hello folks,
>
> thanks for your response.
>
> I can show U the rule:
>
> $IPTABLES -A PREROUTING -t nat -p tcp --dport FF -j DNAT --to-destination IPINTERN
>
> and a pullout of /var/log/kernel.log:
>
> Jan 21 17:41:06 FW15 kernel: DROP-TCP IN=tr0 OUT=eth0 SRC=IPEXTERN DST=IPINTERN LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=6234 DF PROTO=TCP SPT=1079 DPT=FF WINDOW=8760 RES=0x00 SYN URGP=0
>
> but, sorry no iptables -L.
>
> On this print U can see, that the DNAT is working pretty ( see on DST = is the
> DNAT IP ) , but packets are dropped.
>
> WHY ?? :-(
>
> TIA
>
>
> best regards
>
> Dirk Ertl
> T-Systems PCM AG
> Computing & Desktop Services
> Business Unit Daimler Chrysler AG / debis
> Fon: +179/492 63 59
> mailto:t-systems.ertl@xxxxxxxxxxxxxxxxxxx
> mailto:dirk.ertl@xxxxxxxxxxxxx
>
>
>
>
> Martin.Peikert@xxxxxxxxx
> 23.01.2002 11:17
> Please reply to Martin.Peikert
>
>
>
> To: suse-security@xxxxxxxx
> Cc:
> Subject: Re: [suse-security] DNAT problems
>
> T-Systems.Ertl@xxxxxxxxxxxxxxxxxxx wrote:
> >
> > Hi Folks,
> >
> > we are pretty much done with our firewall now, but unfortunately we have a tiny
> > problem. Basically we want to use dNAT. We see that the translation of the IP
> > works out pretty good already.
> > Actually he does everything right, but he still drops the packages.
> >
> > Do we need an additional rule ?
>
> Could you be a little bit more detailed? What rules do you
> already have?
> It would help to send a 'iptables -n -L'...
>
> Martin
> --
> martin.peikert@xxxxxxxxx
> Discon GmbH
> Internet Solutions
> Wrangelstrasse 100
> http://www.discon.de/ 10997
> Berlin, Germany
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
>
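
Added example, not part of the original thread: a small POSIX shell helper that reads a netfilter LOG line like the one quoted above, uses the IN=/OUT= fields to tell which filter chain handled the packet, and prints (without applying) the matching FORWARD rule. The function names are hypothetical, and the sample is the thread's log entry joined onto one line with its placeholders kept.

```shell
#!/bin/sh
# Added example (not from the thread): read a netfilter LOG line, decide which
# filter chain saw the packet, and print the FORWARD rule that would match it.
# Nothing is applied to the firewall; function names are hypothetical.

# The thread's log entry joined onto one line, placeholders kept as posted.
SAMPLE='Jan 21 17:41:06 FW15 kernel: DROP-TCP IN=tr0 OUT=eth0 SRC=IPEXTERN DST=IPINTERN LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=6234 DF PROTO=TCP SPT=1079 DPT=FF WINDOW=8760 RES=0x00 SYN URGP=0'

# field LINE KEY: print the value of KEY=value (empty if absent or blank).
field() (
    set -f                          # no globbing while word-splitting LINE
    for tok in $1; do
        case $tok in
            "$2="*) printf '%s\n' "${tok#*=}"; exit 0 ;;
        esac
    done
)

# chain_of LINE: IN and OUT both set means the packet is being routed through
# the box (FORWARD). Only IN set: seen before routing or on local delivery
# (reported here as INPUT). Only OUT set: locally generated (OUTPUT).
chain_of() (
    iif=$(field "$1" IN); oif=$(field "$1" OUT)
    if [ -n "$iif" ] && [ -n "$oif" ]; then echo FORWARD
    elif [ -n "$iif" ]; then echo INPUT
    elif [ -n "$oif" ]; then echo OUTPUT
    else echo UNKNOWN
    fi
)

# forward_rule LINE: print a narrow ACCEPT rule for a logged transit packet.
# DST= is already the post-DNAT address, so the rule matches the internal host.
forward_rule() (
    [ "$(chain_of "$1")" = FORWARD ] || { echo "not a forwarded packet" >&2; exit 1; }
    proto=$(field "$1" PROTO | tr 'A-Z' 'a-z')
    case $proto in
        tcp|udp) ;;
        *) echo "no port match for PROTO=$proto" >&2; exit 1 ;;
    esac
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$(field "$1" IN)" "$(field "$1" OUT)" "$(field "$1" SRC)" \
        "$(field "$1" DST)" "$proto" "$(field "$1" DPT)"
)

forward_rule "$SAMPLE"
```
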

