Re: weird Iptables problem

From: Eric Teuber (eric000_at_gmx.net)
Date: 08/17/05

    Date: Wed, 17 Aug 2005 22:19:19 +0200
    
    

    AY Xu wrote:
    > RHEL3, Iptables 1.2.8-12. Two network interfaces (eth0 202.158.174.62,
    > eth1 192.168.0.9). Web server runs at 192.168.0.6, on port 80. Domain
    > www.chiaotai.com, DNS query to 202.158.174.62 (FQDN).
    >
    > ------------- iptables script(part)--------------------------------
    > #!/bin/bash
    > ipt=/sbin/iptables
    > $ipt -F
    > $ipt -X
    > $ipt -Z
    > $ipt -t nat -F
    >
    > IF="eth+"
    > INTIF="eth1"
    > EXTIF="eth0"
    > IPADDR="202.158.174.62/32"
    > ## DNAT for Applications
    > # Web Server at port 80
    > $ipt -t nat -A PREROUTING -i $EXTIF -d $IPADDR -p tcp --dport 80 \
    > -j DNAT --to 192.168.0.6:80
    > ....skip...
    > ------------- iptables script(part)--------------------------------
    > I fail to access www.chiaotai.com from the internet, and get the below dump on
    > LINUX:
    > ------------------------------
    > [root@mail etc]# tcpdump -i eth0 port 80 -n
    > tcpdump: listening on eth0
    > 00:01:21.268141 222.69.230.70.1499 > 202.158.174.62.http: S
    > 3071094721:3071094721(0) win 64240 <mss 1452,nop,nop,sackOK> (DF) [tos
    > 0x60]
    > 00:01:24.115554 222.69.230.70.1499 > 202.158.174.62.http: S
    > 3071094721:3071094721(0) win 64240 <mss 1452,nop,nop,sackOK> (DF) [tos
    > 0x60]
    > 00:01:30.125042 222.69.230.70.1499 > 202.158.174.62.http: S
    > 3071094721:3071094721(0) win 64240 <mss 1452,nop,nop,sackOK> (DF) [tos
    > 0x60]
    > ------------------------------
    > But if I change the iptables script to:
    > $ipt -t nat -A PREROUTING -i $EXTIF -d $IPADDR -p tcp --dport 10080 -j
    > DNAT --to 192.168.0.6:10080
    > (and, of course, change the IIS port from 80 to 10080),
    > then accessing www.chiaotai.com:10080 works; all is okay. Running
    > "netstat -an", no application takes up port 80.
    >
    > From the tcpdump output, it looks like packets to dport 80 on eth0
    > were not forwarded to 192.168.0.6. But if I change the port to 10080, it's
    > okay! Don't know why; can anybody explain this?
    >
    > Thanks for any help
    >
    > Xu Zuoyin
    >

    Hi Xu,

    This is tricky. It seems like your iptables script does not want incoming
    or forwarded traffic at port 80 to your web server.

    Your tcpdump doesn't really help.

    Please provide more information about your iptables config.

    Eric
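For the topology in the quoted post (eth0 202.158.174.62 public, eth1 192.168.0.9 inside, web server 192.168.0.6:80), here is an added example of a complete port-80 DNAT ruleset with the pieces a DNAT rule alone does not cover. It is not Xu's script (the rest of which is elided above) and not from this thread. Everything beyond the quoted PREROUTING rule is an assumption: that the LAN is 192.168.0.0/24, that the FORWARD chain policy should be DROP, that the web server's default gateway is 192.168.0.9, and that outbound LAN traffic is masqueraded. The point worth checking is that the FORWARD chain sees packets after PREROUTING has rewritten them, so the accept rule must match the translated address 192.168.0.6, not the public one; the script generates the rules (dry run unless IPT is set to the real binary) and runs that check over its own output, and it reports whether net.ipv4.ip_forward is on, since without it nothing is forwarded at all.

```shell
#!/bin/sh
# Added example for the thread above (not Xu's script, which is partly elided):
# a complete port-80 DNAT setup for eth0=202.158.174.62 (public), eth1=192.168.0.9
# (inside) and a web server at 192.168.0.6.  Assumptions: the LAN is 192.168.0.0/24,
# the FORWARD policy is DROP, and the web server's default gateway is 192.168.0.9.
# Dry run by default: IPT just prints the commands.  Run as root with
# IPT=/sbin/iptables to apply them.
IPT="${IPT:-echo iptables}"

EXTIF=eth0
INTIF=eth1
IPADDR=202.158.174.62/32
LAN=192.168.0.0/24
WEB=192.168.0.6
WEBPORT=80

dnat_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P FORWARD DROP

    # Replies and related traffic for already-accepted connections, both directions.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # PREROUTING runs before the routing decision: rewrite the destination so the
    # packet is routed out eth1 instead of delivered locally (where nothing listens).
    $IPT -t nat -A PREROUTING -i $EXTIF -d $IPADDR -p tcp --dport $WEBPORT \
        -j DNAT --to-destination $WEB:$WEBPORT

    # The FORWARD chain sees the packet *after* DNAT, so it must match the
    # translated address 192.168.0.6, not the public 202.158.174.62.
    $IPT -A FORWARD -i $EXTIF -o $INTIF -d $WEB -p tcp --dport $WEBPORT \
        -m state --state NEW -j ACCEPT

    # Outbound LAN traffic (and nothing else) is allowed and source-translated.
    $IPT -A FORWARD -i $INTIF -o $EXTIF -s $LAN -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $EXTIF -s $LAN -j MASQUERADE
}

# Sanity check on the generated ruleset: the FORWARD accept has to name the
# post-DNAT destination, and no FORWARD rule may still match the public address.
check_rules() {
    out=$(dnat_rules)
    if ! printf '%s\n' "$out" | grep -q -- "-A FORWARD .*-d $WEB .*--dport $WEBPORT"; then
        echo "missing: FORWARD accept for $WEB:$WEBPORT"
    elif printf '%s\n' "$out" | grep -q -- "-A FORWARD .*-d $IPADDR"; then
        echo "bad: FORWARD rule matches the pre-DNAT address $IPADDR"
    else
        echo ok
    fi
}

# Forwarding must be switched on or the DNATed packets never leave via eth1.
# Prints "1" when enabled, "0" when disabled, "unknown" on a non-Linux host.
ip_forward_state() {
    f=/proc/sys/net/ipv4/ip_forward
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

dnat_rules
echo "ruleset check: $(check_rules)"
echo "ip_forward: $(ip_forward_state)"
```

One more diagnostic note on the capture in the post: tcpdump reads frames at the link layer, before netfilter runs, so a capture on eth0 will always show the original destination 202.158.174.62 whether or not DNAT happened. To see whether the SYNs are actually being translated and forwarded, capture on the inside interface instead (`tcpdump -i eth1 port 80 -n`); if they do not appear there, the problem is in the nat or FORWARD rules (or ip_forward), and if they appear but no SYN/ACK comes back, the web server is not routing its replies through 192.168.0.9.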

