Re: [suse-security] iptables: DNAT from port x to port y
From: Dominik Klein (dkin-telegence.net)
Date: Wed Jan 04 2006 - 06:42:34 CST
> The only thing I think could be wrong is the order of rules in a PREROUTING or
> FORWARD chain. If you match packets by another, earlier rule and decide their
> fate there, they will never reach your DNAT or FORWARD rules.
> iptables -L -vnx -t nat
> iptables -L -vnx
> to see how many packets match your DNAT and FORWARD rules when you try to
> telnet to router's port 443 from the eth0 interface. If there are none, you
> are likely matching them before...
I did that and it looks good. When I start 3 requests, the appropriate
rules get 3 more packets.
I also did some tethereal observation on the router, the webserver, my
local machine and the firewall in between.
The router gets the request, PREROUTING changes the DST to what I want
it to, FORWARD sends it to the webserver.
The webserver gets the request, sends out a SYN-ACK, this is FORWARDed
by the router, but it never reaches my firewall and therefore my local
So I assume it is some routing that is messed up.
Is the following list chronologically correct?
request from $local
SRC=$local DST=$router DPORT=443
SRC=$local DST=$web DPORT=80
reply from webserver
SRC=$web DST=$local DPORT=$somehighport
SRC=$router DST=$local DPORT=$somehighport
From what I know, this is how it should and seems to work.
So at what point do routing and ip rules come into play here?
Thanks for the help,
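The four-packet sequence in the post, walked through the netfilter hooks in the order the kernel applies them, as an added example (this is not code from the original post or from the list). The addresses, the route table and the FORWARD policy are assumptions standing in for $local, $router and $web; only forwarded traffic of a DNAT'd connection is modelled.

```python
"""Model of the netfilter hook order for a DNAT'd TCP connection.

Added example, not code from the original post. The addresses, the route
table and the FORWARD policy are assumptions that stand in for the post's
$local, $router and $web.
"""
import ipaddress
from dataclasses import dataclass, replace

# Hypothetical addresses standing in for the post's $local, $router and $web.
LOCAL = "192.0.2.10"
ROUTER = "198.51.100.1"
WEB = "10.0.0.80"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)


class NatRouter:
    """Walks forwarded packets through PREROUTING -> routing -> FORWARD -> POSTROUTING.

    Packets for the router's own addresses (INPUT/OUTPUT) and connections that
    are not DNAT'd are out of scope of this model.
    """

    def __init__(self, dnat_rules, routes):
        # nat PREROUTING rules: (dst, dport) -> (new_dst, new_dport)
        self.dnat_rules = dnat_rules
        # Assumed route table: network -> outgoing interface, longest prefix wins
        self.routes = {ipaddress.ip_network(n): dev for n, dev in routes.items()}
        # conntrack for DNAT'd connections: original tuple -> translated tuple,
        # plus a reverse index keyed by the tuple a reply packet will carry
        self.conntrack = {}
        self.reply_index = {}
        # per-rule packet counters, as iptables -L -vnx would show them
        self.counters = {"nat_dnat": 0, "forward": 0}
        self.trace = []

    def prerouting(self, p):
        """nat PREROUTING: the rule is consulted for the first packet only."""
        if p.key() in self.conntrack:              # later packet, original direction
            _, _, xdst, xdport = self.conntrack[p.key()]
            return replace(p, dst=xdst, dport=xdport)
        if p.key() in self.reply_index:            # reply direction: dst untouched
            return p
        rule = self.dnat_rules.get((p.dst, p.dport))
        if rule is None:
            return p
        self.counters["nat_dnat"] += 1
        xlated = replace(p, dst=rule[0], dport=rule[1])
        self.conntrack[p.key()] = xlated.key()
        # the reply will carry the translated endpoints swapped
        self.reply_index[(xlated.dst, xlated.dport, xlated.src, xlated.sport)] = p.key()
        return xlated

    def routing(self, p):
        """Routing decision: taken after PREROUTING, on the packet's current dst."""
        addr = ipaddress.ip_address(p.dst)
        candidates = [n for n in self.routes if addr in n]
        if not candidates:
            return None
        return self.routes[max(candidates, key=lambda n: n.prefixlen)]

    def forward(self, p, is_reply):
        """FORWARD policy: new connections only to WEB:80, plus tracked replies."""
        if is_reply or (p.dst, p.dport) == (WEB, 80):
            self.counters["forward"] += 1
            return True
        return False

    def postrouting(self, p, orig):
        """Reply of a DNAT'd connection: src is rewritten back to the original dst."""
        if orig is None:
            return p
        return replace(p, src=orig[2], sport=orig[3])

    def handle(self, p):
        """Return the packet as it leaves the router, or None if it is dropped."""
        orig = self.reply_index.get(p.key())       # is this a reply we track?
        p = self.prerouting(p)
        dev = self.routing(p)
        if dev is None:
            self.trace.append(("NOROUTE", p))
            return None
        if not self.forward(p, orig is not None):
            self.trace.append(("DROP", p))
            return None
        p = self.postrouting(p, orig)
        self.trace.append((dev, p))
        return p


def run_handshake(routes):
    """Push SYN, SYN-ACK and ACK of one connection to $router:443 through the router."""
    r = NatRouter(dnat_rules={(ROUTER, 443): (WEB, 80)}, routes=routes)
    syn = r.handle(Packet(LOCAL, 40000, ROUTER, 443, "SYN"))
    synack = r.handle(Packet(WEB, 80, LOCAL, 40000, "SYN-ACK"))
    ack = r.handle(Packet(LOCAL, 40000, ROUTER, 443, "ACK"))
    return r, syn, synack, ack


if __name__ == "__main__":
    router, *_ = run_handshake({"192.0.2.0/24": "eth0", "10.0.0.0/24": "eth1"})
    for dev, p in router.trace:
        print(f"{dev:8} {p.flags:8} SRC={p.src}:{p.sport} DST={p.dst}:{p.dport}")
    print("counters:", router.counters)
```

Two things the walk makes visible that the packet list alone does not: the routing decision is taken between PREROUTING and FORWARD, so the request is routed on the already rewritten DST=$web, while the reply is routed on DST=$local and only gets its source rewritten back to $router at POSTROUTING, after that decision; and the nat PREROUTING rule counter goes up once per connection (later packets, replies included, are translated from the conntrack entry), whereas the FORWARD rule counts every packet. Running the same handshake with the route to $local's network removed shows the SYN-ACK being dropped for lack of a route while the request side still passes.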