List: netfilter
Subject: port forwarding to web server with different netmask than default netmask.
From: xavier droubay <xavier.droubay () gmail ! com>
Date: 2013-04-28 3:11:27
Message-ID: CAHyoP5wSne5W_ufVD8OzVmsH=eFrXon-uoDrohT_yCAyrkmEcg () mail ! gmail ! com
I have the following config.
Internet ----(WAN)- pfsense -(DMZ)------(eth0)- COOVA Hostpot box
-(eth1)----WIFI + AP Zone
I configured pfsense to forward 8001 to 172.1.1.1 port 8001
eth0 : 172.1.1.1/248
eth1 : 10.0.0.1/16
My problem is to port forward port 8001 to several WEB servers APS.
All my APs have /24 netmask, ie 10.127.127.11/24
On the coova, I defined alias eth1:AP1 to 10.127.127.251/24 in order
to ping the AP1 (no ping without this alias)
nmap -sT 10.127.127.11 -p 80
PORT STATE SERVICE
80/tcp open http
And to confirm, "lynx 10.127.127.11" is ok
But I cannot reach AP1 from internet.
tcpdump shows www queries reaching eth1, but there is no www answer from the AP1.
# tcpdump -i eth1 'host 10.127.127.11'
04:23:40.647819 ARP, Request who-has 10.127.127.11 tell 10.127.0.1, length 28
04:23:40.648375 ARP, Reply 10.127.127.11 is-at c0:c1:c0:1a:7a:e1 (oui
Unknown), length 46
04:23:40.648387 IP myhomeip.org.53874 > 10.127.127.11.www: Flags [S],
seq 3716296767, win 8192, options [mss 1352,nop,wscale 2,sackOK,TS val
14138801 ecr 0], length 0
...
04:23:49.647643 IP myhomeip.org.53874 > 10.127.127.11.www: Flags [S],
seq 3716296767, win 8192, options [mss 1352,sackOK,TS val 14139701 ecr
0], length 0
04:23:49.897440 IP myhomeip.org.42759 > 10.127.127.11.www: Flags [S],
seq 1470074896, win 8192, options [mss 1352,sackOK,TS val 14139726 ecr
0], length 0
04:24:13.331817 ARP, Request who-has 10.127.127.11 tell 10.127.0.1, length 28
04:24:13.332183 ARP, Reply 10.127.127.11 is-at c0:c1:c0:1a:7a:e1 (oui
Unknown), length 46
04:24:17.329358 IP myhomeip.org.51567 > 10.127.127.11.www: Flags [S],
seq 2987723356, win 8192, options [mss 1352,sackOK,TS val 14142469 ecr
0], length 0
...
For me, the problem in port forwarding comes from the AP1 netmask set to
"24" while the default netmask is "16".
I am at the end of my tests.
Any help is appreciated.
Regards,
Xavier Droubay
Here below are the netfilter rules:
# iptables -L -n -v -t filter
Chain INPUT (policy ACCEPT 373K packets, 53M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
801K 44M TCPMSS tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
21M 4405M ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
31M 37G ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0
10.127.127.0/24 tcp dpt:8011
Chain OUTPUT (policy ACCEPT 310K packets, 44M bytes)
pkts bytes target prot opt in out source destination
# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 758K packets, 59M bytes)
pkts bytes target prot opt in out source destination
103 6180 DNAT tcp -- eth0 * 0.0.0.0/0
0.0.0.0/0 tcp dpt:8011 to:10.127.127.11:80
Chain POSTROUTING (policy ACCEPT 7872 packets, 330K bytes)
pkts bytes target prot opt in out source destination
238K 18M MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 107K packets, 6925K bytes)
pkts bytes target prot opt in out source destination
root@baltimo-radius:~#
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html