No subject


Thu Dec 20 21:04:13 MST 2007


TCP doesn't do that.  The browser can't associate the reply with the request so
it drops it (sends a reset to kill the connection).  If you look at your logs on
the server you should see this.

So, right now the firewall does DNAT on packets from eth1 to eth0 and SNAT on
packets from eth0 to eth1.  To get the first picture above, you also need to add
SNAT from eth1 to eth0.  I think that will work, but since there is still a path
around the router, you may still get erroneous results (again, I assume that the
ultimate goal is to move eth1 from the hub to the Internet, in which case there
won't be a path around the firewall).  Take a look at this:

http://netfilter.samba.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc-10.html

> Here's what I think might be a useful log file.  It's generated when I type
> 192.168.0.4 into my browser from 192.168.0.101.

Good, I guessed right on which chains generated which entries.

> Oct 20 04:06:46 julia kernel: IP INPUT: IN=eth0 OUT= MAC=00:04:5a:55:87:e7:00:a0:cc:7c:11:05:08:00 SRC=192.168.0.101 DST=192.168.0.4 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=61456 DF PROTO=TCP SPT=1092 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

This is the original packet from the browser, to port 80 on the firewall.  I
don't know why this shows up on your INPUT chain.  It should get DNATed to the
server in the PREROUTING chain and then go to the FORWARD chain.

Do you have IP forwarding enabled?  Look at /proc/sys/net/ipv4/ip_forward (use
cat) - it should contain a 1.  If not, you can enable it with echo 1 >
/proc/sys/net/ipv4/ip_forward.

> Oct 20 04:06:46 julia kernel: IP OUTPUT: IN= OUT=eth0 SRC=192.168.0.4 DST=192.168.0.101 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=1092 WINDOW=0 RES=0x00 ACK RST URGP=0

This is a reset packet from the firewall in response to the first packet.  The
firewall doesn't have any processes listening to port 80 so it sends the reset.
(It shouldn't get any traffic on port 80 if your DNAT was working.)

> Oct 20 04:06:47 julia kernel: IP FORWARD: IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=61712 DF PROTO=TCP SPT=1092 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
>
> Oct 20 04:06:53 julia kernel: IP FORWARD: IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=62224 DF PROTO=TCP SPT=1092 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

These 2 packets are from the browser and have been DNATed (DST=192.168.0.200).
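As an added diagnostic for the log format quoted in this message (example code, not from the original poster or the list): it parses netfilter LOG lines and reports, per client flow, whether the SYN was seen in INPUT with DST still the firewall address (the PREROUTING DNAT did not rewrite it), whether the firewall answered with a RST, and whether a DNATed copy reached FORWARD. The sample lines are the three quoted above re-joined onto one line each; the "IP INPUT"/"IP FORWARD" chain names are assumed to come from the --log-prefix used on the firewall.

```python
import re

# Constructed sample: the INPUT hit, the RST from OUTPUT and the DNATed FORWARD hit
# quoted in the message above, re-joined onto one line each.
SAMPLE_LOG = """\
Oct 20 04:06:46 julia kernel: IP INPUT: IN=eth0 OUT= MAC=00:04:5a:55:87:e7:00:a0:cc:7c:11:05:08:00 SRC=192.168.0.101 DST=192.168.0.4 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=61456 DF PROTO=TCP SPT=1092 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 20 04:06:46 julia kernel: IP OUTPUT: IN= OUT=eth0 SRC=192.168.0.4 DST=192.168.0.101 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=80 DPT=1092 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 20 04:06:47 julia kernel: IP FORWARD: IN=eth1 OUT=eth0 SRC=192.168.0.101 DST=192.168.0.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=61712 DF PROTO=TCP SPT=1092 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# Assumes the --log-prefix is "IP <chain>: "; chain name is taken from it.
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?): (?P<fields>.*)$")
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

def parse_log_line(line):
    """One iptables LOG line -> dict of chain, KEY=VALUE fields and bare TCP flags."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("prefix").replace("IP ", ""), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec[k] = v
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec

def diagnose(log_text, firewall_ip, server_ip, port="80"):
    """Per client flow (SRC, SPT): 'dnat_missed' if the SYN hit INPUT with DST still
    the firewall, 'firewall_sent_rst' if the firewall reset it, 'dnat_applied' if a
    FORWARD entry shows DST rewritten to the server."""
    flows = {}
    for line in log_text.splitlines():
        r = parse_log_line(line)
        if not r or r.get("PROTO") != "TCP":
            continue
        if "RST" in r["flags"] and r.get("SRC") == firewall_ip and r.get("SPT") == port:
            flows.setdefault((r["DST"], r["DPT"]), set()).add("firewall_sent_rst")
            continue
        if r.get("DPT") != port or "SYN" not in r["flags"]:
            continue
        f = flows.setdefault((r["SRC"], r["SPT"]), set())
        if r["chain"] == "INPUT" and r["DST"] == firewall_ip:
            f.add("dnat_missed")
        elif r["chain"] == "FORWARD" and r["DST"] == server_ip:
            f.add("dnat_applied")
    return flows
```

Run diagnose() over the firewall's syslog with the firewall and server addresses from the quoted log (192.168.0.4 and 192.168.0.200); a flow tagged dnat_missed together with firewall_sent_rst is the reset the reply describes.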


More information about the clue-tech mailing list