Port forwarding problem: a little more info

Brendan Murray brendan@wolfhoundsecurity.com
Sat, 7 Jul 2001 16:08:20 +1200


To follow up on my own query.

If I run a little script that keeps listing /proc/net/ip_conntrack I see a 
transaction that seems to suggest something right is happening, 
but then the TCP handshake is failing:

tcp      6 16 SYN_SENT src=203.109.204.125 dst=192.148.221.200 sport=1097 dport=80 [UNREPLIED] src=172.22.4.195 dst=203.109.204.125 sport=80 dport=1097 use=1

This suggests I'm not natting out right? Or is it something else?

------- Forwarded message follows -------
From:           	Brendan Murray <bp_murray@yahoo.co.nz>
To:             	netfilter@lists.samba.org
Subject:        	Port forwarding problem
Send reply to:  	brendanm@ihug.co.nz
Date sent:      	Sat, 7 Jul 2001 14:35:11 +1200

Greetings all.
I'm having a problem that is driving me quietly insane - and taking 
up way too much time.

I am running Kernel 2.4.3-12 with iptables 1.2.2.
I believe I turned on all the things in the kernel build. Dmesg reports 
that ip_tables and conntrack are there. No other errors.

When I start iptables I insmod (or depmod) damn near everything 
except ipchains and ipfwadm.

I have a rule set that I constructed based on Oskar Andreasson's 
rc.firewall.txt. 
It worked when I bench tested everything. It doesn't work in real life.

The bench test environment was:

Internal box <---eth1----> firewall <-----eth0----> external box

The internal box offers a web server and mail server. 
I also set up the external box to do the same.

The firewall is supposed to take packets on the external interface 
on port 80 and send them on to the internal box on 80.

The internal box should be able to get out on port 80.

Internal box address is in 172.22.2.0/24. External box address and 
external IP on the firewall are legit Class C addresses.

I can connect from the external box to the internal box through the 
firewall by connecting to port 80 on the firewall external address.

I can connect to the external box from the internal box on port 80.

All works fine on the bench.

Then I connect to the real world. Nothing seems to go anymore. 
Nothing internal gets out, nothing external gets in - and the firewall 
is logging the incoming packets as FORWARDs that are being 
dropped by the default (last) rule in the FORWARD chain.

To complicate matters I decided that I must be inept and went off 
and got gShield to build it all for me. I cannot get that to let me 
through in real life either.

So - is it just plain wrong to run 2.4.30-12 (patched) and 1.2.2 
together, and that's the problem?

Is there some subtlety that has completely escaped me? 

Thanks for any help. I will post the firewall scripts if anyone wants 
me to - I've been playing around with minimal scripts to get 
something to work and can probably do so.

Something that really ought to be easy is proving really hard. 
Something that works on the bench really ought to work for real.

Another small complication is that the box I'm working on is some 
hundreds of miles away, so if I screw up the kernel I have to go get 
someone to turn it on/off and it's getting a bit tiresome.

Thanks

Brendan.

------- End of forwarded message -------
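The conntrack entry quoted at the top of this message is the most useful clue in the thread: the SYN arrived, the DNAT was applied (the reply tuple points at 172.22.4.195:80), but the entry sits in SYN_SENT marked [UNREPLIED], so the firewall never saw a SYN/ACK from the internal host. The following script is an added example, not code from the poster or from the netfilter project; it parses lines in the 2.4-era /proc/net/ip_conntrack format, works out from the two tuples whether DNAT or SNAT was applied, flags inbound forwards stuck in SYN_SENT [UNREPLIED], and checks the DNAT target against the internal network the poster says the server lives in (172.22.2.0/24). The sample input is constructed: the first line is the one quoted in the post, the other two are invented for contrast.

```python
"""Triage helper for 2.4-era /proc/net/ip_conntrack output (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One 4-tuple as printed by ip_conntrack: src=.. dst=.. sport=.. dport=..
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

# Constructed sample: line 1 is the entry quoted in the post; lines 2 and 3
# are made up (a healthy outbound SNAT flow, a completed inbound forward).
SAMPLE_CONNTRACK = """\
tcp      6 16 SYN_SENT src=203.109.204.125 dst=192.148.221.200 sport=1097 dport=80 [UNREPLIED] src=172.22.4.195 dst=203.109.204.125 sport=80 dport=1097 use=1
tcp      6 431999 ESTABLISHED src=172.22.2.10 dst=198.51.100.7 sport=3345 dport=80 src=198.51.100.7 dst=192.148.221.200 sport=80 dport=3345 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=203.0.113.9 dst=192.148.221.200 sport=40001 dport=80 src=172.22.2.10 dst=203.0.113.9 sport=80 dport=40001 [ASSURED] use=1
"""


@dataclass
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class ConntrackEntry:
    proto: str
    timeout: int              # seconds until the entry expires
    state: Optional[str]      # TCP state; None for non-TCP protocols
    orig: Tuple4              # the first packet as the client sent it
    reply: Tuple4             # the reply the firewall expects, after NAT
    unreplied: bool
    assured: bool

    @property
    def dnat(self) -> bool:
        # Destination NAT: the reply is expected from a different
        # address/port than the one the client addressed.
        return (self.orig.dst, self.orig.dport) != (self.reply.src, self.reply.sport)

    @property
    def snat(self) -> bool:
        # Source NAT: the reply is expected at a different address/port
        # than the one the client sent from.
        return (self.orig.src, self.orig.sport) != (self.reply.dst, self.reply.dport)


def parse_conntrack_line(line: str) -> ConntrackEntry:
    fields = line.split()
    proto, timeout = fields[0], int(fields[2])
    state = fields[3] if proto == "tcp" else None
    tuples = [Tuple4(s, d, int(sp), int(dp)) for s, d, sp, dp in TUPLE_RE.findall(line)]
    if len(tuples) != 2:
        raise ValueError(f"expected two tuples in conntrack line: {line!r}")
    return ConntrackEntry(proto, timeout, state, tuples[0], tuples[1],
                          "[UNREPLIED]" in fields, "[ASSURED]" in fields)


def parse_conntrack(text: str) -> List[ConntrackEntry]:
    return [parse_conntrack_line(ln) for ln in text.splitlines() if ln.strip()]


def classify(e: ConntrackEntry) -> str:
    """Short verdict for one entry."""
    if e.proto == "tcp" and e.state == "SYN_SENT" and e.unreplied and e.dnat:
        return "stuck-port-forward"
    if e.unreplied:
        return "awaiting-reply"
    return "ok"


def dnat_target_in(e: ConntrackEntry, internal_net: str) -> bool:
    """True if the DNAT target (reply.src) lies inside the expected internal network."""
    return ipaddress.ip_address(e.reply.src) in ipaddress.ip_network(internal_net)


def report(text: str, internal_net: str) -> List[str]:
    """One line per stuck inbound forward.

    Conntrack runs in PREROUTING, before the filter FORWARD chain, so an
    entry that stays [UNREPLIED] in SYN_SENT means the SYN/ACK never reached
    the firewall at all: check the internal host's listener and its route
    back to the firewall before suspecting filter rules.
    """
    lines = []
    for e in parse_conntrack(text):
        if classify(e) != "stuck-port-forward":
            continue
        msg = (f"SYN {e.orig.src}:{e.orig.sport} -> {e.orig.dst}:{e.orig.dport} "
               f"DNATed to {e.reply.src}:{e.reply.sport}, no SYN/ACK seen "
               f"({e.timeout}s until expiry)")
        if not dnat_target_in(e, internal_net):
            msg += f"; DNAT target is outside {internal_net}, check the DNAT rule"
        lines.append(msg)
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONNTRACK, "172.22.2.0/24"):
        print(line)
```

Run against a live box with `python3 triage.py < /proc/net/ip_conntrack` after replacing the constructed sample with stdin; the network argument is whatever range the forwarded-to server actually sits in. On the quoted entry the report flags both that no SYN/ACK came back and that the DNAT target is outside 172.22.2.0/24, which is the kind of discrepancy worth checking against the DNAT rule before touching anything else.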