[lug] iptables help

Dan Ferris dan at usrsbin.com
Mon Oct 22 11:01:40 MDT 2012


There are hits on the rule.  I tried turning off rp_filter and still no 
dice.

tcpdump shows traffic coming in on eth0 but nothing on lo.

Dan

On 10/22/2012 8:42 AM, Brian Talley wrote:
> Are there any hits on the iptables rule?  You could also try to log 
> any hits to investigate more closely.  Or, as Lee mentioned, tcpdump. 
>  The only other thing that comes to mind at the moment is rp_filter 
> http://lartc.org/howto/lartc.kernel.html.
>
> On Sun, Oct 21, 2012 at 3:14 PM, Dan Ferris <dan at usrsbin.com> wrote:
>
>     I think --to and --to-destination are the same thing.
>
>     I have forwarding turned on for all interfaces globally by doing
>     echo 1 > /proc/sys/net/ipv4/ip_forward
>
>     I don't have any rules in the forward chain of the filter table.
>     There's no point, it's set to globally accept.
>
>     Weird...
>
>     Dan
>
>     On 10/21/2012 12:44 AM, Lee Woodworth wrote:
>     > 1) I've been using --to-destination in DNAT rules.
>     >
>     > 2) Does enabling forwarding on a pair of interfaces automatically cause packets
>     >     between them to be forwarded? If not, then maybe you need forwards in
>     >     the FORWARD chain of the filter table.
>     >
>     >     I happen to have:
>     >
>     >     /proc/sys/net/ipv4/conf/<if1>/forwarding = 1
>     >     /proc/sys/net/ipv4/conf/<if2>/forwarding = 1
>     >
>     >     *filter
>     >     -A FORWARD   -i <if1> -o <if2> -p tcp -d <int-addr> --dport <port> -j ACCEPT
>     >     -A FORWARD   -i <if2> -o <if1> -p tcp -s <int-addr> --sport <port> -j ACCEPT
>     >
>     >     *nat
>     >     -A PREROUTING -i <if1> -p tcp -d <ext-addr> --dport <port> -j DNAT
>     >       --to-destination <int-addr>:<port>
>     >
>     >     Which works in our environment.
>     >
>     >
>     > On 10/20/12 22:59, Dan Ferris wrote:
>     >> Does anyone know offhand why in the name of holy khutulu something this
>     >> simple won't just work:
>     >>
>     >>    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 127.0.0.1:4443
>     >>
>     >> ip_forward is turned on.  I even added a route in the routing table:
>     >>
>     >> route -n
>     >> Kernel IP routing table
>     >> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>     >> 0.0.0.0         192.168.108.1   0.0.0.0         UG    100    0        0 eth0
>     >> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
>     >> 192.168.108.0   0.0.0.0         255.255.252.0   U     0      0        0 eth0
>     >>
>     >> No firewall rules at all:
>     >>
>     >> Chain INPUT (policy ACCEPT 75M packets, 5387M bytes)
>     >>    pkts bytes target     prot opt in     out source destination
>     >>
>     >> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>     >>    pkts bytes target     prot opt in     out source destination
>     >>
>     >> Chain OUTPUT (policy ACCEPT 72M packets, 55G bytes)
>     >>    pkts bytes target     prot opt in     out source destination
>     >>
>     >> Yet no matter what I do, the process listening on lo never sees any of
>     >> the redirected traffic.
>     >>
>     >> It's so irritating something so stupidly easy isn't working.  Not to
>     >> mention I feel like an idiot.
>     >>
>     >> If anyone has some brilliant ideas, I'm open to suggestions.
>     >>
>     >> Dan
>     >> _______________________________________________
>     >> Web Page: http://lug.boulder.co.us
>     >> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>     >> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
> -- 
> Brian Talley
> b225ccc at gmail.com ::: (720) 675-7781
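An added check, written here and not posted by anyone in the thread, built around the symptom Dan reports (hits on the rule, packets visible on eth0, nothing on lo). Linux discards a packet that a PREROUTING DNAT has pointed at 127.0.0.0/8 when it arrived on a non-loopback interface, unless net.ipv4.conf.<if>.route_localnet is 1 (a sysctl that exists from kernel 3.6 onward); turning that sysctl on makes the rule work, but it also lets traffic from that interface reach every service that was bound to loopback precisely so it could not be reached from outside. The REDIRECT target avoids both problems: in PREROUTING it rewrites the destination to the primary address of the incoming interface, so the listener has to bind 0.0.0.0 or that address rather than only 127.0.0.1. The script below parses an iptables-save style dump, flags PREROUTING DNAT rules aimed at 127.0.0.0/8, reports whether each one would be dropped or would expose loopback listeners given the route_localnet values handed to it, and produces the REDIRECT equivalent. The embedded dump and the sysctl dictionaries are constructed samples; on a real host you would feed it the output of `iptables-save -t nat` and the sysctl readings.

```python
"""Lint an iptables-save style dump for PREROUTING DNAT rules that target
127.0.0.0/8. Added example for the thread above; the sample dump and the
route_localnet values are constructed, not taken from any host."""
import ipaddress
import shlex

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed sample: Dan's rule, a normal DNAT to a private host, and the
# REDIRECT form of Dan's rule. Only the first should be flagged.
SAMPLE_DUMP = """\
# constructed sample, not a real iptables-save output
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to 127.0.0.1:4443
-A PREROUTING -i eth0 -p tcp -d 203.0.113.10 --dport 80 -j DNAT --to-destination 10.0.0.5:80
-A PREROUTING -i eth0 -p tcp --dport 8443 -j REDIRECT --to-ports 4443
COMMIT
*filter
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
"""


def parse_nat_rules(dump):
    """Yield (chain, tokens) for every '-A' rule in the *nat table; other
    tables, ':' policy lines, comments and COMMIT are skipped."""
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and line.startswith("-A "):
            tokens = shlex.split(line)
            yield tokens[1], tokens[2:]


def option_value(tokens, *names):
    """Argument following the first token that matches one of names, else None.
    Accepts both --to-destination and the abbreviated --to used in the thread."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def destination_host(to_value):
    """Host part of a DNAT target written as addr, addr:port or
    addr-addr:port-port (IPv4 only; bracketed IPv6 targets are not handled)."""
    return ipaddress.ip_address(to_value.split(":")[0].split("-")[0])


def redirect_equivalent(chain, tokens, to_value):
    """Rewrite '-j DNAT --to-destination 127.x.x.x:port' as
    '-j REDIRECT --to-ports port', keeping every match option unchanged."""
    port = to_value.rsplit(":", 1)[1] if ":" in to_value else None
    match, skip = [], False
    for tok in tokens:
        if skip:                     # drop the argument of the option just removed
            skip = False
        elif tok in ("-j", "--to-destination", "--to"):
            skip = True
        else:
            match.append(tok)
    target = "-j REDIRECT" + (f" --to-ports {port}" if port else "")
    return f"-A {chain} {' '.join(match)} {target}"


def check_loopback_dnat(dump, route_localnet):
    """One finding per PREROUTING DNAT rule whose target lies in 127.0.0.0/8.

    route_localnet maps an interface name (or "all") to the value of
    net.ipv4.conf.<name>.route_localnet; the kernel applies the OR of "all"
    and the specific interface, which is modelled here. Callers read the
    sysctls themselves; the sample values in the test are constructed."""
    findings = []
    for chain, tokens in parse_nat_rules(dump):
        if chain != "PREROUTING" or option_value(tokens, "-j") != "DNAT":
            continue
        to = option_value(tokens, "--to-destination", "--to")
        if to is None or destination_host(to) not in LOOPBACK_NET:
            continue
        iface = option_value(tokens, "-i")
        enabled = bool(route_localnet.get("all", 0) or route_localnet.get(iface, 0))
        if enabled:
            status = "exposed"
            detail = ("rule works, but route_localnet lets packets from this interface "
                      "reach every listener bound only to 127.0.0.0/8")
        else:
            status = "dropped"
            detail = ("kernel discards packets routed to 127.0.0.0/8 from a non-loopback "
                      "interface as martians; tcpdump sees them on the interface, never on lo")
        findings.append({
            "chain": chain, "iface": iface, "rule": " ".join(tokens),
            "status": status, "detail": detail,
            "fix": redirect_equivalent(chain, tokens, to),
            "fix_note": "listener must bind 0.0.0.0 or the interface address, not only 127.0.0.1",
        })
    return findings


if __name__ == "__main__":
    for f in check_loopback_dnat(SAMPLE_DUMP, {"eth0": 0}):
        print(f"{f['status']}: {f['rule']}\n  {f['detail']}\n  fix: {f['fix']}  ({f['fix_note']})")
```

Running the block against the constructed dump reports Dan's rule as "dropped" when route_localnet is off and as "exposed" when it is on, and in both cases offers the REDIRECT form with the same match options; the other two rules are left alone.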
