[lug] iptables help

Lee Woodworth blug-mail at duboulder.com
Sun Oct 21 23:38:45 MDT 2012


Then maybe it's at a lower level in the stack. I once had a case of disappearing
packets getting forwarded to a VM because of ARP/ARP proxy issues. Probably
time to use tcpdump.

On 10/21/12 14:14, Dan Ferris wrote:
> I think --to and --to-destination are the same thing.
> 
> I have forwarding turned on for all interfaces globally by doing
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> I don't have any rules in the forward chain of the filter table. There's 
> no point, it's set to globally accept.
> 
> Weird...
> 
> Dan
> 
> On 10/21/2012 12:44 AM, Lee Woodworth wrote:
>> 1) I've been using --to-destination in DNAT rules.
>>
>> 2) Does enabling forwarding on a pair of interfaces automatically cause packets
>>     between them to be forwarded? If not, then maybe you need forwards in
>>     the FORWARD chain of the filter table.
>>
>>     I happen to have:
>>
>>     /proc/sys/net/ipv4/conf/<if1>/forwarding = 1
>>     /proc/sys/net/ipv4/conf/<if2>/forwarding = 1
>>
>>     *filter
>>     -A FORWARD   -i <if1> -o <if2> -p tcp -d <int-addr> --dport <port> -j ACCEPT
>>     -A FORWARD   -i <if2> -o <if1> -p tcp -s <int-addr> --sport <port> -j ACCEPT
>>
>>     *nat
>>     -A PREROUTING -i <if1> -p tcp -d <ext-addr> --dport <port> -j DNAT --to-destination <int-addr>:<port>
>>
>>     Which works in our environment.
>>
>>
>> On 10/20/12 22:59, Dan Ferris wrote:
>>> Does anyone know offhand why in the name of holy Cthulhu something this
>>> simple won't just work:
>>>
>>>    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 127.0.0.1:4443
>>>
>>> ip_forward is turned on.  I even added a route in the routing table:
>>>
>>> route -n
>>> Kernel IP routing table
>>> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
>>> 0.0.0.0         192.168.108.1   0.0.0.0         UG    100 0        0 eth0
>>> 127.0.0.0       0.0.0.0         255.0.0.0       U     0 0        0 lo
>>> 192.168.108.0   0.0.0.0         255.255.252.0   U     0 0        0 eth0
>>>
>>> No firewall rules at all:
>>>
>>> Chain INPUT (policy ACCEPT 75M packets, 5387M bytes)
>>>    pkts bytes target     prot opt in     out     source destination
>>>
>>> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>>>    pkts bytes target     prot opt in     out     source destination
>>>
>>> Chain OUTPUT (policy ACCEPT 72M packets, 55G bytes)
>>>    pkts bytes target     prot opt in     out     source destination
>>>
>>> Yet no matter what I do, the process listening on lo never sees any of
>>> the redirected traffic.
>>>
>>> It's so irritating something so stupidly easy isn't working.  Not to
>>> mention I feel like an idiot.
>>>
>>> If anyone has some brilliant ideas, I'm open to suggestions.
>>>
>>> Dan
>>> _______________________________________________
>>> Web Page:  http://lug.boulder.co.us
>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
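An added example from the editor, not code posted in this thread. The reason a PREROUTING DNAT to 127.0.0.1 from eth0 goes nowhere on Linux is that the routing step treats 127/8 as a martian destination on a non-loopback interface and drops the packet before any filter chain sees it, unless net.ipv4.conf.<if>.route_localnet is set to 1 (available from kernel 3.6). Because the rewritten destination is local, the packet would go to INPUT rather than FORWARD, so ip_forward and FORWARD rules have no bearing on it. The script below checks that sysctl, installs the DNAT, and adds the INPUT guard a practitioner wants once route_localnet is on, since that flag also makes any packet addressed to 127/8 arriving on the interface locally deliverable. Assumed values: interface eth0, public port 443, a listener on 127.0.0.1:4443. PROC_ROOT and DRY_RUN are knobs of this script only, so it can be checked against a copy of the sysctl tree without touching a live host.

```shell
#!/bin/sh
# Added example (editor's, not from the thread). Assumptions: eth0, 443 -> 127.0.0.1:4443,
# Linux 3.6+ so that route_localnet exists. PROC_ROOT lets the checks run against a copy
# of the sysctl tree; on a real host leave it at /proc. DRY_RUN=1 prints instead of acting.
IFACE="${IFACE:-eth0}"
EXT_PORT="${EXT_PORT:-443}"
LOCAL_PORT="${LOCAL_PORT:-4443}"
PROC_ROOT="${PROC_ROOT:-/proc}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Read one net.ipv4 sysctl from the proc tree; "missing" if this kernel lacks it.
ipv4_sysctl() {
    f="$PROC_ROOT/sys/net/ipv4/$1"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Returns 0 only if the kernel will route a packet that arrived on $IFACE to 127/8.
# Otherwise the packet is dropped as a martian destination before INPUT: the
# listener never sees it and no filter counter moves, the symptom in the thread.
localnet_dnat_ok() {
    v=$(ipv4_sysctl "conf/$IFACE/route_localnet")
    case "$v" in
        1) return 0 ;;
        missing) echo "no route_localnet sysctl for $IFACE: kernel older than 3.6" ;;
        *) echo "net.ipv4.conf.$IFACE.route_localnet=$v: DNAT to 127/8 is dropped as martian" ;;
    esac
    return 1
}

# Install the DNAT plus a guard. route_localnet=1 also lets any packet arriving on
# $IFACE with a 127/8 destination be delivered locally, exposing every loopback-only
# service to the LAN. Accept only the DNATed flow on the listener port and drop
# everything else aimed at 127/8 from that interface.
apply_rules() {
    run sysctl -w "net.ipv4.conf.$IFACE.route_localnet=1"
    run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "127.0.0.1:$LOCAL_PORT"
    run iptables -A INPUT -i "$IFACE" -d 127.0.0.0/8 -p tcp --dport "$LOCAL_PORT" \
        -m conntrack --ctstate DNAT -j ACCEPT
    run iptables -A INPUT -i "$IFACE" -d 127.0.0.0/8 -j DROP
}

# Diagnostics, in the order they answer "where does the packet die?":
#   tcpdump -ni eth0 tcp port 443                    # does it reach the box at all?
#   tcpdump -ni lo tcp port 4443                     # did the DNAT deliver it?
#   sysctl -w net.ipv4.conf.eth0.log_martians=1      # then watch dmesg for "martian destination"
#   iptables -t nat -L PREROUTING -nv                # the DNAT rule's counter should move

case "${1:-}" in
    check) localnet_dnat_ok && echo "ok: DNAT to 127.0.0.1:$LOCAL_PORT on $IFACE can work" ;;
    apply) apply_rules ;;
esac
```

Run it as `sh dnat-localnet.sh check` before touching rules and `apply` afterwards. If the listener can be bound to the interface address instead of loopback, `-j REDIRECT --to-ports 4443` avoids route_localnet altogether, because REDIRECT rewrites the destination to the primary address of the incoming interface rather than to 127.0.0.1.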
