Hi everyone!
I've got an openSUSE 10.1 up and running.
Kernel (uname -srvmpio):
------------------------
Linux 2.6.16.21-0.25-default #1 Tue Sep 19 07:26:15 UTC 2006 i686 athlon i386 GNU/Linux
iptables --version:
-------------------
iptables v1.3.5
Now I want the system to do some redirection of IP traffic. Redirection of IP traffic from port 80 to 8080 works. Everything else seems not to work.
I have the following "/etc/sysconfig/SuSEfirewall2":
----------------------------------------------------
FW_DEV_EXT="eth-id-XX:XX:XX:XX:XX:XX"
FW_DEV_INT="eth-id-XX:XX:XX:XX:XX:XX"
FW_MASQ_NETS="\
192.168.1.0/24,0/0,tcp,53 \
192.168.1.0/24,0/0,udp,53 \
192.168.1.0/24,0/0,tcp,80 \
192.168.1.0/24,0/0,tcp,443 \
192.168.1.0/24,0/0,tcp,3048 \
192.168.1.0/24,0/0,udp,3048 \
"
FW_SERVICES_EXT_TCP="44424"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_TCP="21 22 25 110 1812 8443 6666 8080 44424"
FW_SERVICES_INT_UDP=""
FW_FORWARD_MASQ=""
FW_REDIRECT="\
192.168.1.0/24,0/0,tcp,80,8080 \
192.168.1.0/24,0/0,tcp,25,25 \
192.168.1.0/24,0/0,tcp,21,21 \
192.168.1.0/24,0/0,tcp,110,110 \
"
FW_QUICKMODE="no"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_ANTISPOOF="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="no"
FW_IPSEC_TRUST="no"
FW_PROTECT_FROM_INT="no"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
For whatever reason, the redirect of port 80 to port 8080 works fine. But the other redirects don't seem to work.
I've tried a telnet from a machine with IP 192.168.1.3 to www.gmx.at port 25 ("telnet www.gmx.at 25") and the machine simply tries to connect to 213.165.64.215. Of course without success, because that is not an SMTP server.
If I try the same telnet (www.gmx.at) with port 80, it works as expected. It gets redirected to a virus scanner which acts as a proxy.
Later on I tried some DNAT to check the whole netfilter/iptables stuff. I simply stopped SuSEfirewall2 and tried the following:
<--- Script starts here --->
#! /bin/bash
####################
#                  #
# Flush IP tables  #
#                  #
####################
# The nat table has only the PREROUTING, POSTROUTING and OUTPUT chains
# (there is no nat INPUT or FORWARD chain on this kernel), so those are
# the ones to flush; otherwise the REDIRECT/DNAT rules below pile up
# every time the script is run.
iptables -t mangle --flush PREROUTING
iptables -t mangle --flush POSTROUTING
iptables -t nat --flush PREROUTING
iptables -t nat --flush POSTROUTING
iptables -t nat --flush OUTPUT
iptables -t filter --flush INPUT
iptables -t filter --flush OUTPUT
iptables -t filter --flush FORWARD
####################
#                  #
# IP forwarding    #
#                  #
####################
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Note: filter/FORWARD is evaluated after nat/PREROUTING, so it sees the
# destination as rewritten by the DNAT rules below, not the original one.
# Protocol TCP
iptables -t filter --append FORWARD --protocol tcp --source 192.168.1.0/24 --destination ! 192.168.1.0/24 -j ACCEPT
iptables -t nat --append POSTROUTING --protocol tcp --source 192.168.1.0/24 --destination ! 192.168.1.0/24 -j SNAT --to-source 10.0.0.10
# Protocol UDP
iptables -t filter --append FORWARD --protocol udp --source 192.168.1.0/24 --destination ! 192.168.1.0/24 -j ACCEPT
iptables -t nat --append POSTROUTING --protocol udp --source 192.168.1.0/24 --destination ! 192.168.1.0/24 -j SNAT --to-source 10.0.0.10
############
#          #
# REDIRECT #
#          #
############
# REDIRECT rewrites the destination to the firewall's own address on the
# given port, so a service must be listening locally on that port.
# Protocol TCP
iptables -t nat --append PREROUTING --protocol tcp --source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
--dport 80 -j REDIRECT --to-ports 8080
iptables -t nat --append PREROUTING --protocol tcp --source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
--dport 21 -j REDIRECT --to-ports 21
iptables -t nat --append PREROUTING --protocol tcp --source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
--dport 110 -j REDIRECT --to-ports 110
# Protocol UDP
iptables -t nat --append PREROUTING --protocol udp --source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
--dport 80 -j REDIRECT --to-ports 8080
iptables -t nat --append PREROUTING --protocol udp --source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
--dport 21 -j REDIRECT --to-ports 21
iptables -t nat --append PREROUTING --protocol udp --source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
--dport 110 -j REDIRECT --to-ports 110
########
#      #
# DNAT #
#      #
########
# DNAT rewrites the destination address and port; the reply packets must
# travel back through this box for the translation to be reversed.
# Protocol TCP
iptables -t nat --append PREROUTING --protocol tcp --source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
--dport 25 -j DNAT --to-destination 192.168.1.3:25
# Protocol UDP
iptables -t nat --append PREROUTING --protocol udp --source 192.168.1.0/24 --destination ! 192.168.1.0/24 \
--dport 25 -j DNAT --to-destination 192.168.1.3:25
<--- Script ends here --->
Just the same result. Redirection for port 80 works but not for any of the other ports.
Even the DNAT didn't work. Normally I would expect the IP packets to go from my 192.168.1.3 to my 192.168.1.254 (gateway) and back to 192.168.1.3 port 25.
Any help welcome.
Kind regards,
Leonhard.
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
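The following POSIX shell helpers are an added example, not part of Leonhard's post and not part of SuSEfirewall2. They show the two checks a NAT debugging session like the one above usually starts with: whether any packet ever hit a given REDIRECT/DNAT rule in nat/PREROUTING (from the packet counters of `iptables -t nat -L PREROUTING -v -n -x`), and whether something on the firewall actually listens on the port a REDIRECT rule sends traffic to (from `netstat -ltn`). The two sample outputs embedded below are constructed to resemble the rules in the script and are assumptions; on a real box you would feed in the live command output instead.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the original post). They parse the
# output of "iptables -t nat -L PREROUTING -v -n -x" and "netstat -ltn".
# REDIRECT rewrites the destination to the firewall's own address, so
# without a local listener on the target port the redirected connection
# is refused or dropped even though the nat rule itself matched.
# Both samples below are constructed, modelled on the rules in the post.

SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 4123 packets, 301220 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      57      3420 REDIRECT   tcp  --  *      *       192.168.1.0/24      !192.168.1.0/24      tcp dpt:80 redir ports 8080
       0         0 REDIRECT   tcp  --  *      *       192.168.1.0/24      !192.168.1.0/24      tcp dpt:21 redir ports 21
       0         0 REDIRECT   tcp  --  *      *       192.168.1.0/24      !192.168.1.0/24      tcp dpt:110 redir ports 110
       3       180 DNAT       tcp  --  *      *       192.168.1.0/24      !192.168.1.0/24      tcp dpt:25 to:192.168.1.3:25'

SAMPLE_LISTEN='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# nat_rule_hits NAT_OUTPUT: one line per REDIRECT/DNAT rule, in the form
# "<packets> <target> <match text>", e.g. "0 REDIRECT tcp dpt:21 redir ports 21".
# Columns of iptables -L -v: pkts bytes target prot opt in out source destination [match...]
nat_rule_hits() {
    printf '%s\n' "$1" | awk '$3 == "REDIRECT" || $3 == "DNAT" {
        rest = $10
        for (i = 11; i <= NF; i++) rest = rest " " $i
        print $1, $3, rest
    }'
}

# count_unhit NAT_OUTPUT: number of REDIRECT/DNAT rules whose packet counter
# is still zero, i.e. rules the traffic never reached (wrong chain, wrong
# source/destination match, or an earlier rule already consumed the packet).
count_unhit() {
    nat_rule_hits "$1" | awk '$1 == 0 { n++ } END { print n + 0 }'
}

# listener_on_port PORT NETSTAT_OUTPUT: succeed if a TCP socket listens on PORT.
listener_on_port() {
    printf '%s\n' "$2" | awk -v port="$1" \
        '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" port "$") { found = 1 }
         END { exit found ? 0 : 1 }'
}

# redirect_ports_without_listener NAT_OUTPUT NETSTAT_OUTPUT: print the
# "redir ports N" target of every REDIRECT rule that has no local listener.
redirect_ports_without_listener() {
    nat_rule_hits "$1" | awk '$2 == "REDIRECT" {
        for (i = 3; i <= NF; i++) if ($i == "ports") print $(i + 1)
    }' | while read -r port; do
        listener_on_port "$port" "$2" || printf '%s\n' "$port"
    done
}

# Example run against the constructed samples: prints the number of never-hit
# rules (2), then the redirect ports without a listener (21 and 110).
count_unhit "$SAMPLE_NAT"
redirect_ports_without_listener "$SAMPLE_NAT" "$SAMPLE_LISTEN"
```

On a live system the calls become `count_unhit "$(iptables -t nat -L PREROUTING -v -n -x)"` and `redirect_ports_without_listener "$(iptables -t nat -L PREROUTING -v -n -x)" "$(netstat -ltn)"`. A REDIRECT rule with a non-zero counter but no listener on its target port points at the service side rather than at netfilter; a rule with a zero counter means the packets never matched it, so the interface, source or destination match is the place to look.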