[lug] iptables help

Brian Talley b225ccc at gmail.com
Mon Oct 22 08:42:47 MDT 2012


Are there any hits on the iptables rule?  You could also try to log any
hits to investigate more closely.  Or, as Lee mentioned, tcpdump.  The only
other thing that comes to mind at the moment is rp_filter
http://lartc.org/howto/lartc.kernel.html.

On Sun, Oct 21, 2012 at 3:14 PM, Dan Ferris <dan at usrsbin.com> wrote:

> I think --to and --to-destination are the same thing.
>
> I have forwarding turned on for all interfaces globally by doing echo 1 > /proc/sys/net/ipv4/ip_forward
>
> I don't have any rules in the forward chain of the filter table. There's
> no point, it's set to globally accept.
>
> Weird...
>
> Dan
>
> On 10/21/2012 12:44 AM, Lee Woodworth wrote:
> > 1) I've been using --to-destination in DNAT rules.
> >
> > 2) Does enabling forwarding on a pair of interfaces automatically cause packets
> >     between them to be forwarded? If not, then maybe you need forwards in
> >     the FORWARD chain of the filter table.
> >
> >     I happen to have:
> >
> >     /proc/sys/net/ipv4/conf/<if1>/forwarding = 1
> >     /proc/sys/net/ipv4/conf/<if2>/forwarding = 1
> >
> >     *filter
> >     -A FORWARD   -i <if1> -o <if2> -p tcp -d <int-addr> --dport <port> -j ACCEPT
> >     -A FORWARD   -i <if2> -o <if1> -p tcp -s <int-addr> --sport <port> -j ACCEPT
> >
> >     *nat
> >     -A PREROUTING -i <if1> -p tcp -d <ext-addr> --dport <port> -j DNAT
> >       --to-destination <int-addr>:<port>
> >
> >     Which works in our environment.
> >
> >
> > On 10/20/12 22:59, Dan Ferris wrote:
> >> Does anyone know offhand why in the name of holy khutulu something this
> >> simple won't just work:
> >>
> >>    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to
> >> 127.0.0.1:4443
> >>
> >> ip_forward is turned on.  I even added a route in the routing table:
> >>
> >> route -n
> >> Kernel IP routing table
> >> Destination     Gateway         Genmask         Flags Metric Ref Use Iface
> >> 0.0.0.0         192.168.108.1   0.0.0.0         UG    100 0        0 eth0
> >> 127.0.0.0       0.0.0.0         255.0.0.0       U     0 0        0 lo
> >> 192.168.108.0   0.0.0.0         255.255.252.0   U     0 0        0 eth0
> >>
> >> No firewall rules at all:
> >>
> >> Chain INPUT (policy ACCEPT 75M packets, 5387M bytes)
> >>    pkts bytes target     prot opt in     out     source destination
> >>
> >> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> >>    pkts bytes target     prot opt in     out     source destination
> >>
> >> Chain OUTPUT (policy ACCEPT 72M packets, 55G bytes)
> >>    pkts bytes target     prot opt in     out     source destination
> >>
> >> Yet no matter what I do, the process listening on lo never sees any of
> >> the redirected traffic.
> >>
> >> It's so irritating something so stupidly easy isn't working.  Not to
> >> mention I feel like an idiot.
> >>
> >> If anyone has some brilliant ideas, I'm open to suggestions.
> >>
> >> Dan
> >> _______________________________________________
> >> Web Page:  http://lug.boulder.co.us
> >> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety



-- 
Brian Talley
b225ccc at gmail.com ::: (720) 675-7781 <https://www.google.com/voice/#phones>
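Brian's first two suggestions, checking whether the DNAT rule is hit at all and logging matches, as a small shell helper. This is an added example, not code from the thread; it assumes the listing comes from `iptables -t nat -L PREROUTING -v -n -x` and the rule shape Dan posted (eth0, tcp, dport 443), and the sample listings are constructed.

```shell
# Added example, not code from the thread. Live commands it assumes (run as root):
#   iptables -t nat -L PREROUTING -v -n -x          # exact per-rule counters
#   iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 443 \
#       -j LOG --log-prefix "dnat443: "              # log each hit to the kernel log
#
# dnat_status reads a saved PREROUTING listing on stdin and reports, for one
# destination port, whether the DNAT rule has ever matched. Zero hits means the
# packet never reached nat/PREROUTING, so look at the wire with tcpdump first;
# non-zero hits mean the rewrite happens and the loss is later (routing,
# forwarding, rp_filter).
dnat_status() {
  awk -v want="dpt:$1" '
    # columns with -v -n: pkts bytes target prot opt in out src dst [matches...]
    $3 == "DNAT" {
      for (i = 10; i <= NF; i++) if ($i == want) { found = 1; hits = $1 }
    }
    END {
      if (!found)         print "no-rule"
      else if (hits == 0) print "rule-never-hit"
      else                print "rule-hit:" hits
    }'
}

# Constructed sample listings, mimicking "iptables -t nat -L PREROUTING -v -n -x".
LISTING_NEVER_HIT='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 LOG flags 0 level 4 prefix "dnat443: "
       0          0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:127.0.0.1:4443'

LISTING_HIT='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12        720 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:127.0.0.1:4443'

# Stand-alone demonstration
printf '%s\n' "$LISTING_NEVER_HIT" | dnat_status 443   # rule-never-hit
printf '%s\n' "$LISTING_HIT"       | dnat_status 443   # rule-hit:12
printf '%s\n' "$LISTING_HIT"       | dnat_status 8443  # no-rule
```

If the counter stays at zero while the LOG rule is in place, nothing for port 443 is arriving on eth0 at all, which is the case tcpdump settles.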