Port forwarding problem: a little more info
Sat, 7 Jul 2001 16:08:20 +1200
To follow up on my own query.
If I run a little script that keeps listing /proc/net/ip_conntrack I see a
transaction that seems to suggest something right is happening
but then the TCP handshake is failing:
tcp 6 16 SYN_SENT src=18.104.22.168 dst=22.214.171.124 sport=1097 dport=80 [UNREPLIED] src=172.22.4.195 dst=126.96.36.199 sport=80 dport=1097 use=1
This suggests I'm not natting out right? Or is it something else???
------- Forwarded message follows -------
From: Brendan Murray <email@example.com>
Subject: Port forwarding problem
Send reply to: firstname.lastname@example.org
Date sent: Sat, 7 Jul 2001 14:35:11 +1200
I'm having a problem that is driving me quietly insane - and taking
up way too much time.
I am running Kernel 2.4.3-12 with iptables 1.2.2.
I believe I turned on all the things in the kernel build. Dmesg reports
that ip_tables and conntrack are there. No other errors.
When I start iptables I insmod (or depmod) damn near everything
except ipchains and ipfwadm.
I have a rule set that I constructed based on Oskar Andreasson's
It worked when I bench tested everything. It doesn't work in real life.
The bench test environment was:
Internal box <---eth1----> firewall <-----eth0----> external box
The internal box offers a web server and mail server
I also set up the external box to do the same.
The firewall is supposed to take packets on the external interface
on port 80 and send them on to the internal box on 80.
The internal box should be able to get out on port 80.
Internal box address is in 172.22.2.0/24. External box address and
external IP on firewall are legit Class C addresses.
I can connect from the external box to the internal box through the
firewall by connecting to port 80 on the firewall external address.
I can connect to the external box from the internal box on port 80.
All works fine on the bench.
Then I connect to the real world. Nothing seems to go anymore.
Nothing internal gets out, nothing external gets in - and the firewall
is logging the incoming packets as FORWARDs that are being
dropped by the default (last) rule in the FORWARD chain.
To complicate matters I decided that I must be inept and went off
and got gShield to build it all for me. I cannot get that to let me
through in real life either.
So - is it just plain wrong to run 2.4.30-12 (patched) and 1.2.2
together and that's the problem?
Is there some subtlety that has completely escaped me?
Thanks for any help. I will post the firewall scripts if anyone wants
me to - I've been playing around with minimal scripts to get
something to work and can probably do so.
Something that really ought to be easy is proving really hard.
Something that works on the bench really ought to work for real.
Another small complication is that the box I'm working on is some
hundreds of miles away, so if I screw up the kernel I have to go get
someone to turn it on/off and it's getting a bit tiresome.
------- End of forwarded message -------
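The ip_conntrack entry quoted above is the key diagnostic in this thread: the first tuple is the original direction, the second is the reply conntrack expects, and [UNREPLIED] means no packet in that reply direction was ever seen. The following script is an added example (not from the poster or the Netfilter project) that parses entries in that 2.4-era format and reports what NAT was applied and whether the reply path answered; the addresses in SAMPLE_LINES are constructed, and the 172.22.2.0/24 internal server is assumed from the post.

```python
import re

# Constructed sample entries in the 2.4-era /proc/net/ip_conntrack format.
SAMPLE_LINES = [
    # Port-80 DNAT to an internal host that has not answered yet
    "tcp 6 16 SYN_SENT src=198.51.100.7 dst=203.0.113.10 sport=1097 dport=80 "
    "[UNREPLIED] src=172.22.2.5 dst=198.51.100.7 sport=80 dport=1097 use=1",
    # A healthy, fully established DNATed connection
    "tcp 6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=1101 dport=80 "
    "src=172.22.2.5 dst=198.51.100.7 sport=80 dport=1101 [ASSURED] use=1",
]

KV = re.compile(r"(src|dst|sport|dport)=(\S+)")

def parse_conntrack_line(line):
    """Split one ip_conntrack entry into original tuple, expected reply tuple and flags."""
    fields = line.split()
    proto, timeout = fields[0], int(fields[2])
    state = fields[3] if proto == "tcp" else None
    flags = set(re.findall(r"\[(\w+)\]", line))
    kvs = KV.findall(line)
    # The first four src/dst/sport/dport pairs describe the original direction,
    # the next four describe the reply conntrack expects to see
    orig = dict(kvs[:4])
    reply = dict(kvs[4:8])
    return {"proto": proto, "timeout": timeout, "state": state,
            "flags": flags, "orig": orig, "reply": reply}

def diagnose(entry):
    """Say what NAT conntrack applied and whether the reply path ever answered."""
    o, r = entry["orig"], entry["reply"]
    notes = []
    if r["src"] != o["dst"]:
        notes.append(f"DNAT: {o['dst']}:{o['dport']} -> {r['src']}:{r['sport']}")
    if r["dst"] != o["src"]:
        notes.append(f"SNAT: client seen by server as {r['dst']}")
    if "UNREPLIED" in entry["flags"]:
        notes.append(f"no reply from {r['src']} seen yet (state {entry['state']}); "
                     "check that its return route goes back through the firewall")
    elif "ASSURED" in entry["flags"]:
        notes.append("two-way traffic seen, NAT is working for this flow")
    return notes

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for note in diagnose(parse_conntrack_line(line)):
            print(note)
```

Feeding the entry from the post through the same parser shows both a DNAT (reply src differs from original dst) and an SNAT (reply dst differs from original src) on a flow the internal server never answered, which is why the handshake stalls.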