[CLUE-Tech] iptables NAT question on RedHat 7.1
Kirk Brownlee
kirk.brownlee at softprowest.com
Tue Oct 16 10:04:00 MDT 2001
If I am reading this correctly, your Win98 machine would not even
cross your firewall; it would go straight across your hub. What
I think you need to look at is your DNS table or hosts file:
make sure your computer name is mapped to your IP.
Kirk Brownlee
kdbrownlee at softprowest.com
-----Original Message-----
From: jason at matchingmoms.com [mailto:jason at matchingmoms.com]
Sent: Monday, October 15, 2001 10:36 PM
To: clue-tech at clue.denver.co.us
Subject: [CLUE-Tech] iptables NAT question on RedHat 7.1
Am grateful for any help . . .
I am trying to access my Linux web server from my Win98 client by running
through my Linux firewall (192.168.0.4). However, when I attempt to do so,
I get a "There was no response. The server could be down or not responding"
from the Win98 client. When I enter 192.168.0.200 directly I see the web
page fine.
Here's my physical setup:

                                 ------------------
                                 |                |
                                 |  Win98 client  |
                                 |                |
                                 ------------------
                                         |
                               eth0 (192.168.0.101)
                                         |
     Internet here                       |
     (eventually)                        |
           |                             |
   eth1 (192.168.0.4)--------|           |
           |                 |   ------------------
   ------------------        |---|                |
   |                |            |                |
   |     Linux      |            |      Hub       |
   |    firewall    |            |                |
   |                |        |---|                |
   ------------------        |   ------------------
           |                 |           |
   eth0 (192.168.0.111)------|           |
                                         |
                               eth0 (192.168.0.200)
                                         |
                                 ------------------
                                 |                |
                                 |     Linux      |
                                 |   http/smtp    |
                                 |     server     |
                                 |                |
                                 ------------------
--------------------------------------------------------------------------------------
Here's my firewall setup:
Flushing existing chains
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -t nat -F
Setting default policy ACCEPT
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
Setting up logging
/sbin/iptables -A INPUT --source ! 127.0.0.1 --protocol tcp --source-port ! telnet --destination-port ! telnet --jump LOG --log-prefix "net log entry "
/sbin/iptables -A OUTPUT --source ! 127.0.0.1 --protocol tcp --source-port ! telnet --destination-port ! telnet --jump LOG --log-prefix "net log entry "
/sbin/iptables -A FORWARD --source ! 127.0.0.1 --protocol tcp --source-port ! telnet --destination-port ! telnet --jump LOG --log-prefix "net log entry "
Enable outgoing NAT
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.0.4
Enable incoming NAT
/sbin/iptables -t nat -A PREROUTING -p TCP -i eth1 -d 192.168.0.4 --dport
25 -j DNAT --to-destination 192.168.0.200:25
/sbin/iptables -t nat -A PREROUTING -p TCP -i eth1 -d 192.168.0.4 --dport
80 -j DNAT --to-destination 192.168.0.200:80
/sbin/iptables -t nat -A PREROUTING -p TCP -i eth1 -d 192.168.0.4 --dport
110 -j DNAT --to-destination 192.168.0.200:110
Done.
Chain INPUT (policy ACCEPT 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       !127.0.0.1           0.0.0.0/0          tcp spt:!23 dpt:!23 LOG flags 0 level 4 prefix `net log entry '

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       !127.0.0.1           0.0.0.0/0          tcp spt:!23 dpt:!23 LOG flags 0 level 4 prefix `net log entry '

Chain OUTPUT (policy ACCEPT 1 packets, 861 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       !127.0.0.1           0.0.0.0/0          tcp spt:!23 dpt:!23 LOG flags 0 level 4 prefix `net log entry '

Chain PREROUTING (policy ACCEPT 36 packets, 2256 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            192.168.0.4        tcp dpt:25 to:192.168.0.200:25
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            192.168.0.4        tcp dpt:80 to:192.168.0.200:80
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            192.168.0.4        tcp dpt:110 to:192.168.0.200:110

Chain POSTROUTING (policy ACCEPT 19 packets, 1064 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          to:192.168.0.4

Chain OUTPUT (policy ACCEPT 10 packets, 632 bytes)
 pkts bytes target     prot opt in     out     source               destination
---------------------------------------------------------------------------
After trying to access web server through firewall:
---------------------------------------------------------------------------
root@julia /home/generic $ tail /var/log/messages
Oct 16 04:29:34 julia kernel: net log entry IN=eth0 OUT= MAC=00:04:5a:55:87:e7:00:a0:cc:7c:11:05:08:00 SRC=192.168.0.101 DST=192.168.0.4 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=32017 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 16 04:29:34 julia kernel: net log entry IN= OUT=eth0 SRC=192.168.0.4 DST=192.168.0.101 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=1382 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 16 04:29:35 julia kernel: net log entry IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32273 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 16 04:29:41 julia kernel: net log entry IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32785 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 16 04:29:53 julia kernel: net log entry IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43025 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
root@julia /home/generic $ iptables -L -t nat -nv
Chain PREROUTING (policy ACCEPT 37 packets, 2304 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            192.168.0.4        tcp dpt:25 to:192.168.0.200:25
    1    48 DNAT       tcp  --  eth1   *       0.0.0.0/0            192.168.0.4        tcp dpt:80 to:192.168.0.200:80
    0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            192.168.0.4        tcp dpt:110 to:192.168.0.200:110

Chain POSTROUTING (policy ACCEPT 20 packets, 1112 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          to:192.168.0.4

Chain OUTPUT (policy ACCEPT 10 packets, 632 bytes)
 pkts bytes target     prot opt in     out     source               destination
_______________________________________________
CLUE-Tech mailing list
CLUE-Tech at clue.denver.co.us
http://clue.denver.co.us/mailman/listinfo/clue-tech
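An added example, not part of the thread: a small Python parser for the netfilter LOG-target lines quoted above, with the poster's three PREROUTING DNAT rules transcribed so each logged packet can be tested against the `-p tcp -i eth1 -d 192.168.0.4 --dport N` match. The log lines and the rule parameters are copied from the post; the `Packet` and `DnatRule` classes and the `summarize()` helper are this example's own scaffolding. Two things fall out of the parse. The client's first SYN was logged with IN=eth0 OUT= (the INPUT path on the firewall), so a PREROUTING rule written with `-i eth1` could not match it, and the firewall answered with its own ACK RST, as a closed port does. The later SYNs were logged with IN=eth1 OUT=eth0 and already carry DST=192.168.0.200, because the filter-table LOG runs after PREROUTING DNAT (only the first packet of a connection consults the nat table, which is why the port-80 rule's counter reads 1 while three SYNs were forwarded), and nothing in the reverse direction was ever logged on the firewall. That pattern is the usual hairpin-NAT failure when client and DNAT target share a subnet: the server's SYN-ACK goes straight to 192.168.0.101 over the hub without passing the firewall, so the reverse translation never happens, and the standard fix is to also SNAT such forwarded traffic so the replies return through the firewall.

```python
"""Parse netfilter LOG-target lines and classify each packet's path.

Added example, not code from the thread.  SAMPLE_LOG and POSTED_RULES are
transcribed from the post; everything else is this example's own scaffolding.
"""
import re
from dataclasses import dataclass, field

# A KEY=VALUE token (value may be empty, as in "OUT="), or a bare IP/TCP
# flag token that the LOG target prints without a value.
_TOKEN = re.compile(r"(\w+)=(\S*)|\b(DF|MF|SYN|ACK|RST|FIN|PSH|URG)\b")

# Copied from the /var/log/messages excerpt in the post.
SAMPLE_LOG = """\
Oct 16 04:29:34 julia kernel: net log entry IN=eth0 OUT= MAC=00:04:5a:55:87:e7:00:a0:cc:7c:11:05:08:00 SRC=192.168.0.101 DST=192.168.0.4 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=32017 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 16 04:29:34 julia kernel: net log entry IN= OUT=eth0 SRC=192.168.0.4 DST=192.168.0.101 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=1382 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 16 04:29:35 julia kernel: net log entry IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32273 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 16 04:29:41 julia kernel: net log entry IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32785 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 16 04:29:53 julia kernel: net log entry IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43025 DF PROTO=TCP SPT=1382 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
"""


@dataclass
class Packet:
    kv: dict = field(default_factory=dict)   # KEY=VALUE fields
    flags: set = field(default_factory=set)  # DF, SYN, ACK, RST, ...

    @property
    def path(self) -> str:
        """Infer the filter chain that logged the packet from IN/OUT:
        only IN set -> INPUT, only OUT set -> OUTPUT, both set -> FORWARD."""
        has_in, has_out = bool(self.kv.get("IN")), bool(self.kv.get("OUT"))
        if has_in and has_out:
            return "FORWARD"
        return "INPUT" if has_in else "OUTPUT" if has_out else "UNKNOWN"


def parse_log_line(line: str) -> Packet:
    """Tokenise one syslog line carrying a netfilter LOG message."""
    pkt = Packet()
    for m in _TOKEN.finditer(line):
        if m.group(1) is not None:
            pkt.kv[m.group(1)] = m.group(2)
        else:
            pkt.flags.add(m.group(3))
    return pkt


@dataclass(frozen=True)
class DnatRule:
    """The match half of `-t nat -A PREROUTING -p tcp -i IN -d DST --dport N`."""
    in_iface: str
    dst: str
    dport: int

    def matches(self, pkt: Packet) -> bool:
        # The logged IN field is the interface that `-i` tests, so a packet
        # that arrived on eth0 can never satisfy a rule written with -i eth1.
        return (pkt.kv.get("PROTO") == "TCP"
                and pkt.kv.get("IN") == self.in_iface
                and pkt.kv.get("DST") == self.dst
                and pkt.kv.get("DPT") == str(self.dport))


# Transcribed from the poster's PREROUTING chain (targets omitted; only the
# match part matters here).
POSTED_RULES = [DnatRule("eth1", "192.168.0.4", p) for p in (25, 80, 110)]


def flow_key(pkt: Packet):
    return (pkt.kv["SRC"], pkt.kv["SPT"], pkt.kv["DST"], pkt.kv["DPT"])


def summarize(log_text: str, rules) -> dict:
    """Classify every packet and find forwarded SYNs with no forwarded reply.

    The filter-table LOG runs after PREROUTING DNAT, so FORWARD entries
    already carry the rewritten destination and are tested here as logged."""
    pkts = [parse_log_line(l) for l in log_text.splitlines() if l.strip()]
    fwd = [p for p in pkts if p.path == "FORWARD"]
    fwd_keys = {flow_key(p) for p in fwd}
    syns = {}
    for p in fwd:
        if "SYN" in p.flags and "ACK" not in p.flags:
            k = flow_key(p)
            syns[k] = syns.get(k, 0) + 1
    # A flow is unanswered if nothing with the reversed 4-tuple was forwarded.
    unanswered = {k: n for k, n in syns.items()
                  if (k[2], k[3], k[0], k[1]) not in fwd_keys}
    return {
        "paths": [p.path for p in pkts],
        "dnat_matches": [any(r.matches(p) for r in rules) for p in pkts],
        "unanswered_forward_syns": unanswered,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, POSTED_RULES).items():
        print(key, value)
```

Run as a script it prints the summary: `paths` names the chain each line came from (INPUT, OUTPUT, then three FORWARD), `dnat_matches` is False for every packet against the posted `-i eth1` rules, and `unanswered_forward_syns` shows three retransmitted SYNs from 192.168.0.101:1382 to 192.168.0.200:80 with no forwarded packet in the reverse direction. Swapping `-i eth1` for `-i eth0` in a `DnatRule` makes the first logged SYN match, which is the quickest way to confirm the interface test is what kept the rule from firing.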