Port forwarding
KUCKAERTZ Régis - NVISION
regis at nvision.lu
Fri Sep 17 15:23:48 CEST 2004
> if that's your only FORWARD rule, and the POLICY of FORWARD
> is set to DROP, you're not allowing reply packets back
> through the machine (SYNs will get through, but SYN-ACKs
> will be blocked).
>
> iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> would help in this situation.
Did it, but nothing changed
> um, where are you telnet-ing from, and where are you tcpdump-ing at?
I'm telnetting from a different host (otherwise I would have set the
appropriate rule in the OUTPUT chain), but I do the dump on the "gateway".
> $TCPDUMP host $MASK_IP and port $MASK_PORT
>
> is equivalent to what you're trying to capture.
Thanks!!
> if your BPF specifies $MASK_IP and $MASK_PORT why is your
> capture showing $REAL_IP and $REAL_PORT? those packets
> shouldn't even match the filter...
Maybe that's because I do the dump on the same machine that does the DNAT?
I hope what follows will help you spot my mistake!
Régis
$ iptables -vnxL -t nat; iptables -vnxL -t mangle; iptables -vnxL
# nat table
Chain PREROUTING (policy ACCEPT 2439 packets, 148991 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      17       1020 DNAT       tcp  --  *      *       0.0.0.0/0            $MASK_IP             tcp dpt:$MASK_PORT to:$REAL_IP:$REAL_PORT

Chain POSTROUTING (policy ACCEPT 741 packets, 45651 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 SNAT       tcp  --  *      *       0.0.0.0/0            $REAL_IP             tcp dpt:$REAL_PORT to:$MASK_IP

Chain OUTPUT (policy ACCEPT 741 packets, 45651 bytes)
    pkts      bytes target     prot opt in     out     source               destination

# mangle table
Chain PREROUTING (policy ACCEPT 1567265 packets, 1105330580 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1181535 packets, 615648770 bytes)
    pkts      bytes target     prot opt in     out     source               destination

# filter table
Chain INPUT (policy ACCEPT 44233 packets, 9251612 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            $REAL_IP             tcp dpt:$REAL_PORT

Chain OUTPUT (policy ACCEPT 41927 packets, 30331854 bytes)
    pkts      bytes target     prot opt in     out     source               destination
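The script below is an added example, not the poster's ruleset or anything from the thread. It builds a complete DNAT port forward of the kind being debugged above (public $MASK_IP:$MASK_PORT rewritten to an internal $REAL_IP:$REAL_PORT) with a default-DROP FORWARD chain, the ESTABLISHED,RELATED return rule the reply suggested, and an optional hairpin rule for LAN clients that connect to the public address. The interface names, the 203.0.113.0/24 and 192.168.1.0/24 addresses and the ports are placeholder assumptions. By default RUN=echo, so it only prints the commands it would run; set RUN= (or RUN=sudo) to apply them. capture_commands prints the tcpdump filter for each side of the gateway: tcpdump taps the interface outside netfilter, so an inbound packet on the public interface still shows $MASK_IP:$MASK_PORT (before PREROUTING), while the same packet leaving on the LAN interface shows $REAL_IP:$REAL_PORT (after DNAT), which is why a filter on the masked address and port matches on one interface and not the other.

```shell
#!/bin/sh
# Added example (not from the original thread): DNAT port forward with a
# default-DROP FORWARD chain, plus the tcpdump filters for each side of the NAT.
# Every address, port and interface below is an assumed placeholder.

EXT_IF=${EXT_IF:-eth0}               # public-facing interface (assumption)
INT_IF=${INT_IF:-eth1}               # LAN interface (assumption)
LAN_NET=${LAN_NET:-192.168.1.0/24}   # LAN behind the gateway (assumption)
MASK_IP=${MASK_IP:-203.0.113.10}     # public address, TEST-NET-3 documentation range
MASK_PORT=${MASK_PORT:-2222}         # public port
REAL_IP=${REAL_IP:-192.168.1.20}     # internal server
REAL_PORT=${REAL_PORT:-22}           # internal service port
RUN=${RUN:-echo}                     # "echo" = dry run; "" or "sudo" = apply

port_forward_rules() {
    # Forwarding must be enabled or the packet is dropped before FORWARD runs.
    $RUN sysctl -w net.ipv4.ip_forward=1

    # nat/PREROUTING rewrites the destination before the routing decision,
    # so everything after it (FORWARD, POSTROUTING) sees $REAL_IP:$REAL_PORT.
    $RUN iptables -t nat -A PREROUTING -p tcp -d "$MASK_IP" --dport "$MASK_PORT" \
        -j DNAT --to-destination "$REAL_IP:$REAL_PORT"

    # Default-deny forwarding, then allow replies for any connection already
    # tracked (the thread's "-m state --state" is the older spelling of this).
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New connections: match the post-DNAT (real) address, only towards the LAN,
    # only the forwarded port. This is the rule whose counter should increment.
    $RUN iptables -A FORWARD -o "$INT_IF" -p tcp -d "$REAL_IP" --dport "$REAL_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Hairpin: a LAN client hitting the public address gets DNATed to a host on
    # its own subnet; without source rewriting the server replies directly and
    # the handshake never completes through the gateway.
    $RUN iptables -t nat -A POSTROUTING -o "$INT_IF" -s "$LAN_NET" -d "$REAL_IP" \
        -p tcp --dport "$REAL_PORT" -j MASQUERADE
}

capture_commands() {
    # tcpdump sees packets at the device, i.e. before PREROUTING on the way in
    # and after POSTROUTING on the way out, so each side needs its own filter.
    echo "tcpdump -ni $EXT_IF host $MASK_IP and tcp port $MASK_PORT"
    echo "tcpdump -ni $INT_IF host $REAL_IP and tcp port $REAL_PORT"
}

port_forward_rules
capture_commands
```

With RUN=echo the output is the exact command list, which is convenient for review before applying it on a box whose only access path may be the very port being forwarded.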