
List:       debian-security
Subject:    Re: iptables problem
From:       Geoff <geoff.crompton () bjhcontrols ! com ! au>
Date:       2004-10-19 22:40:34
Message-ID: 417597E1.4070006 () bjhcontrols ! com ! au

Thiago Ribeiro wrote:
> Hello,
> 
> I have some problems with DNAT in iptables. I'm redirecting my external http
> port to a remote host. I have 8 networks, beginning with 192.168.1-8.
> My remote machine and destination is 192.168.5.2, and all networks
> excluding 192.168.5.0/24 can navigate to this.
> When I'm running tcpdump or something similar to see the actions which
> someone on network 5 is making on the external IP, nothing happens. Here is the rule:
> 
> -A PREROUTING -d 200.210.101.37 -p tcp -m tcp --dport 80 -j DNAT --to
> 192.168.5.2:80
> 
> I'm using network 7's address and the redirecting is perfect. Only
> network 5 can't do this.

It is possible the packets from 192.168.5.x are successfully going to the 
router, then successfully being DNAT redirected to 192.168.5.2, but the 
returning packets are getting misdirected.
I have seen this happen before, and what might be happening is that 
192.168.5.2 sees the source IP address in the incoming packets of 
192.168.5.x, and so sends packets directly back to that machine. This 
means that the returning packet doesn't go back through the router, so 
the DNAT translation cannot be 'undone'. In the end the 192.168.5.x 
machine gets TCP packets from 192.168.5.2 when it was expecting them to 
come back from 200.210.101.37. Hence the 192.168.5.x machine rejects 
them, probably sending an ICMP packet back to 192.168.5.2 indicating an 
error. Use of a packet sniffing program will tell you if this is occurring.

   Geoff Crompton
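The asymmetric return path Geoff describes, traced through a small constructed simulation (added here; not code from the thread or from either poster). It assumes the layout in the mail: eight /24 LANs on one router with external address 200.210.101.37 and a DNAT of port 80 to 192.168.5.2; the router's address on LAN 5 (192.168.5.1) and the hairpin SNAT variant are assumptions, not something the thread states.

```python
"""Constructed walkthrough of a same-subnet DNAT client (hairpin NAT)."""
import ipaddress

EXTERNAL_IP = "200.210.101.37"
SERVER_IP = "192.168.5.2"
SERVER_NET = ipaddress.ip_network("192.168.5.0/24")
ROUTER_LAN5_IP = "192.168.5.1"   # assumed router address on LAN 5


def server_next_hop(dst):
    """192.168.5.2's forwarding decision: on-link for its own /24, else default gateway."""
    return "on-link" if ipaddress.ip_address(dst) in SERVER_NET else "router"


def http_request(client_ip, hairpin_snat=False):
    """Follow one client -> server -> client exchange through the router's NAT.

    Returns what the client sees on the reply; it only accepts the reply when
    the source is the address it originally contacted (200.210.101.37)."""
    # PREROUTING: -d 200.210.101.37 -p tcp --dport 80 -j DNAT --to 192.168.5.2:80
    fwd = {"src": client_ip, "dst": SERVER_IP}
    conntrack = {"orig_src": client_ip, "orig_dst": EXTERNAL_IP}
    # Assumed remedy (not from the thread): POSTROUTING SNAT for clients on the
    # server's own subnet, so the server addresses its reply to the router.
    if hairpin_snat and ipaddress.ip_address(client_ip) in SERVER_NET:
        fwd["src"] = ROUTER_LAN5_IP
    # The server answers whatever source address it saw in the forwarded packet.
    reply = {"src": SERVER_IP, "dst": fwd["src"]}
    reaches_router = (server_next_hop(reply["dst"]) == "router"
                      or reply["dst"] == ROUTER_LAN5_IP)
    if not reaches_router:
        # Reply goes straight to the client on the same LAN; the DNAT is never
        # undone, so the client sees 192.168.5.2 instead of 200.210.101.37.
        return {"accepted": False, "reply_src": reply["src"], "reply_dst": reply["dst"]}
    # Router reverses the translation(s) from its conntrack entry.
    return {"accepted": True, "reply_src": conntrack["orig_dst"],
            "reply_dst": conntrack["orig_src"]}


if __name__ == "__main__":
    for client, fix in [("192.168.7.10", False), ("192.168.5.10", False),
                        ("192.168.5.10", True)]:
        print(client, "hairpin SNAT" if fix else "plain DNAT", http_request(client, fix))
```

The second case reproduces the symptom in the thread: a sniffer on the network-5 client would show replies arriving from 192.168.5.2 rather than from the external address.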

