Re: [suse-security] iptables: DNAT from port x to port y

From: Dominik Klein (dkin-telegence.net)
Date: Wed Jan 04 2006 - 06:42:34 CST


> The only thing I think could be wrong is the order of rules in a PREROUTING or
> FORWARD chain. If you match packets by another, earlier rule and decide their
> fate there, they will never reach your DNAT or FORWARD rules.
>
> Try
>
> iptables -L -vnx -t nat
> iptables -L -vnx
>
> to see how many packets match your DNAT and FORWARD rules when you try to
> telnet to router's port 443 from the eth0 interface. If there are none, you
> are likely matching them before...

I did that and it looks good. When I start 3 requests, the appropriate
rules get 3 more packets.

I also did some tethereal observation on the router, the webserver, my
local machine and the firewall in between.

The router gets the request, PREROUTING changes the DST to what I want
it to, FORWARD sends it to the webserver.
The webserver gets the request, sends out a SYN-ACK, this is FORWARDed
by the router, but it never reaches my firewall and therefore my local
machine.

So I assume it is some routing that is messed up.

Is the following list chronologically correct?
request from $local
SRC=$local DST=$router DPORT=443
iptables PREROUTING
SRC=$local DST=$web DPORT=80
iptables FORWARD
reply from webserver
SRC=$web DST=$local DPORT=$somehighport
iptables FORWARD
iptables NAT
SRC=$router DST=$local DPORT=$somehighport

From what I know, this is how it should and seems to work.

So at what point do routing and ip rules come into play here?

Thanks for the help,
Dominik
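To make the packet sequence listed in the post concrete, here is an added toy model of the router's DNAT and conntrack handling (constructed example, not code from this thread or from netfilter; the $local/$router/$web names are the post's placeholders and the client's high port is an assumption). It also shows what the client sees when the webserver's SYN-ACK does not come back through the router, which is the failure mode the post describes.

```python
from dataclasses import dataclass, replace

# Constructed scenario: host names are the post's placeholders, the client port is assumed.
LOCAL, ROUTER, WEB, HIGHPORT = "$local", "$router", "$web", 40000

@dataclass(frozen=True)
class Packet:
    src: str; sport: int; dst: str; dport: int

class NatRouter:
    """Toy model of the router: one DNAT rule plus a conntrack table keyed on the original tuple."""
    def __init__(self, dnat_rules):
        self.dnat_rules = dnat_rules   # {(dst, dport): (new_dst, new_dport)}
        self.conntrack = {}            # original 4-tuple -> translated 4-tuple
        self.counters = {"PREROUTING DNAT": 0, "FORWARD": 0, "POSTROUTING un-DNAT": 0}

    def prerouting(self, pkt):
        """nat PREROUTING: only the first packet of a flow hits the DNAT rule; later ones use conntrack."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.conntrack and (pkt.dst, pkt.dport) in self.dnat_rules:
            self.conntrack[key] = (pkt.src, pkt.sport) + self.dnat_rules[(pkt.dst, pkt.dport)]
            self.counters["PREROUTING DNAT"] += 1
        if key in self.conntrack:
            return replace(pkt, dst=self.conntrack[key][2], dport=self.conntrack[key][3])
        return pkt

    def forward(self, pkt):
        """filter FORWARD: the routing decision has already been made on the rewritten dst."""
        self.counters["FORWARD"] += 1
        return pkt

    def postrouting(self, pkt):
        """nat POSTROUTING: a reply matching a conntrack entry gets its source restored."""
        for orig, trans in self.conntrack.items():
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == (trans[2], trans[3], trans[0], trans[1]):
                self.counters["POSTROUTING un-DNAT"] += 1
                return replace(pkt, src=orig[2], sport=orig[3])
        return pkt

    def traverse(self, pkt):
        return self.postrouting(self.forward(self.prerouting(pkt)))

def dnat_roundtrip(reply_via_router=True):
    """Run one SYN and its SYN-ACK; return what the webserver sees, what the client sees, counters."""
    router = NatRouter({(ROUTER, 443): (WEB, 80)})
    at_web = router.traverse(Packet(LOCAL, HIGHPORT, ROUTER, 443))
    synack = Packet(at_web.dst, at_web.dport, at_web.src, at_web.sport)
    # A reply routed around the router is never un-DNATed: the client then gets a
    # SYN-ACK from $web:80 for a connection it opened to $router:443.
    at_client = router.traverse(synack) if reply_via_router else synack
    return at_web, at_client, router.counters
```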
