weird Iptables problem

From: AY Xu (ay_xu_at_yahoo.com)
Date: 08/15/05

  • Next message: Roger Parks: "Re: tripwire always finds something amiss"
    Date: 15 Aug 2005 08:39:42 -0700

    RHEL3, iptables 1.2.8-12. Two network interfaces (eth0 202.158.174.62,
    eth1 192.168.0.9). The web server runs at 192.168.0.6 on port 80. The domain
    www.chiaotai.com resolves (FQDN) to 202.158.174.62.

    ------------- iptables script(part)--------------------------------
    #!/bin/bash
    ipt=/sbin/iptables
    # Start from a clean filter table: flush rules, delete user chains, zero counters
    $ipt -F
    $ipt -X
    $ipt -Z
    # Flush the nat table too, so the DNAT rule below is the only nat rule
    $ipt -t nat -F

    IF="eth+"          # any ethernet interface
    INTIF="eth1"       # internal interface, 192.168.0.9
    EXTIF="eth0"       # external interface, 202.158.174.62
    IPADDR="202.158.174.62/32"
    ## DNAT for Applications
    # Web Server at port 80: rewrite the destination of TCP/80 packets
    # arriving on eth0 for the public address to the internal web server
    $ipt -t nat -A PREROUTING -i $EXTIF -d $IPADDR -p tcp --dport 80 \
    -j DNAT --to 192.168.0.6:80
    ...skip...
    ------------- iptables script(part)--------------------------------
    I fail to access www.chiaotai.com from the internet, and get the dump below on
    Linux:
    ------------------------------
    [root@mail etc]# tcpdump -i eth0 port 80 -n
    tcpdump: listening on eth0
    00:01:21.268141 222.69.230.70.1499 > 202.158.174.62.http: S 3071094721:3071094721(0) win 64240 <mss 1452,nop,nop,sackOK> (DF) [tos 0x60]
    00:01:24.115554 222.69.230.70.1499 > 202.158.174.62.http: S 3071094721:3071094721(0) win 64240 <mss 1452,nop,nop,sackOK> (DF) [tos 0x60]
    00:01:30.125042 222.69.230.70.1499 > 202.158.174.62.http: S 3071094721:3071094721(0) win 64240 <mss 1452,nop,nop,sackOK> (DF) [tos 0x60]
    ------------------------------
    But if I change the iptables script to:
    $ipt -t nat -A PREROUTING -i $EXTIF -d $IPADDR -p tcp --dport 10080 \
    -j DNAT --to 192.168.0.6:10080
    (Of course, I also change the IIS port from 80 to 10080.)
    Then accessing www.chiaotai.com:10080, all is okay. Running
    "netstat -an", no application takes up port 80.

    From the tcpdump output, it looks like packets to dport 80 on eth0
    were not forwarded to 192.168.0.6. But if I change the port to 10080, it's
    okay! I don't know why; can anybody explain this?

    Thanks for any help

    Xu Zuoyin
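
    The poster's excerpt shows only the nat/PREROUTING rule and skips the rest of the script, so the FORWARD rules and the ip_forward setting that a DNAT setup also needs are not visible. The script below is an added example written for this thread, not the poster's script or anything from the thread itself: it emits the complete rule set for forwarding the public address to the internal web server (the DNAT rule plus the FORWARD accepts that the rewritten packet must pass), can apply it as root, and reads the per-rule packet counters that show where a SYN stops. Interface names and addresses match the post; WEBSRV, the function names and the print/apply/check subcommands are assumptions made here.

```shell
#!/bin/bash
# Added example for this thread, not the poster's script: the pieces a
# PREROUTING DNAT rule alone does not give you when a web server sits
# behind a two-interface Linux router, plus a counter check.
# Interface names and addresses match the post; WEBSRV, the function
# names and the print/apply/check subcommands are assumptions made here.
set -u

EXTIF="eth0"
INTIF="eth1"
IPADDR="202.158.174.62/32"
WEBSRV="192.168.0.6"
IPT="${IPT:-/sbin/iptables}"

# Print (do not run) the rules that forward $IPADDR:$port to $WEBSRV:$port.
# 1. nat/PREROUTING rewrites the destination before the routing decision.
# 2. filter/FORWARD must then accept the rewritten packet on its way out
#    of eth1; with a DROP policy on FORWARD the DNAT rule never results
#    in a delivered packet.
# 3. The reply direction only needs the established flow.
dnat_rules() {
    local port="$1"
    cat <<EOF
$IPT -t nat -A PREROUTING -i $EXTIF -d $IPADDR -p tcp --dport $port -j DNAT --to-destination $WEBSRV:$port
$IPT -A FORWARD -i $EXTIF -o $INTIF -d $WEBSRV -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -s $WEBSRV -p tcp --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the rules as root: enable forwarding in the kernel, then run the
# lines emitted by dnat_rules through the shell (stop at the first error).
apply_rules() {
    local port="$1"
    echo 1 > /proc/sys/net/ipv4/ip_forward
    dnat_rules "$port" | sh -e
}

# Diagnostic: the per-rule packet counters show where a SYN stops.
# A rising count on the DNAT rule with a flat count on the FORWARD rule
# means the rewritten packet is dropped in the filter table (or
# ip_forward is 0); a flat DNAT count means the packet never matched
# (wrong -d or -i, or an earlier nat/PREROUTING rule took it).
check_rules() {
    echo "ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)"
    "$IPT" -t nat -L PREROUTING -n -v
    "$IPT" -L FORWARD -n -v
}

case "${1:-print}" in
    print) dnat_rules "${2:-80}" ;;
    apply) apply_rules "${2:-80}" ;;
    check) check_rules ;;
    *) echo "usage: $0 [print|apply|check] [port]" >&2; exit 2 ;;
esac
```

    With no argument (or `print`) the script only echoes the commands, so the rule set can be reviewed before `apply` runs it as root; `check`, run while a client retries the connection, answers the question the tcpdump above leaves open, namely whether the DNATed SYN ever reaches the filter table. The `-m state` match is used because it is what iptables 1.2.8 on RHEL3 ships with.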

