Hi all,

I have a problem with iptables and hope one of you gurus can help me.

I'm using Red Hat 7.2 and the iptables (version 1.2.3) that came with it.
Iptables works fine for packet filtering and SNAT but I cannot get DNAT 
working.

I have two linux boxes, connected with an ethernet card to each other 
(192.168.1.0/24). One also has an adsl connection using a static 
ip address (x.x.x.x/32). I use the adsl machine as firewall/workstation, 
the other one is my webserver. I want to forward the http traffic from 
the internet directed to my adsl ip address to the lan webserver. But 
whatever I try, it times out.

I read a number of iptables tutorials and FAQs, but I cannot find the 
solution. I tried different sample iptables configurations, but all have 
the DNAT problem on my system.
To test the DNAT principle/working I added another rule to my nat table. 
This rule should redirect all http traffic from my workstation to a 
randomly chosen ip address 222.222.222.222 to my lan-webserver. This way I 
can test the principle/working of DNAT without help from someone on the 
internet to connect to my box.
This connection also times out. When I look at the tcpdump output on the 
ethernet interface it looks to me as if the firewall resets the 
connection while still in the 3-way handshake.

This is my iptables nat configuration as shown with the command: 
iptables -t nat -L:
(adsl-ip-address is the static ip address of the firewall's adsl interface.)
<====start iptables output ==========>
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             adsl-ip-address    tcp dpt:http state NEW,RELATED,ESTABLISHED to:192.168.1.2
DNAT       tcp  --  anywhere             adsl-ip-address    tcp dpt:http to:192.168.1.2:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere           to:adsl-ip-address

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             222.222.222.222    tcp dpt:http to:192.168.1.2
<=========== end iptables output==========>



This is the output of tcpdump when I'm connecting to 
http://222.222.222.222/ from my workstation/firewall-box. (Rork-eth0 is 
the lan interface of the firewall/workstation (ip-address 192.168.1.1). 
Promethea is the lan interface (and hostname) of the webserver on the 
lan (ip-address 192.168.1.2).)
<============ start tcpdump output=====>
18:26:48.765293 Rork-eth0.datametrics > Promethea.http: S 4139693190:4139693190(0) win 5840 <mss 1460,sackOK,timestamp 2036276 0,nop,wscale 0> (DF)
18:26:48.765293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2524120 2034176,nop,wscale 0> (DF)
18:26:48.765293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
18:26:49.165293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2524161 2034176,nop,wscale 0> (DF)
18:26:49.165293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
18:27:13.365293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2526581 2034176,nop,wscale 0> (DF)
18:27:13.365293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
18:27:18.365293 arp who-has Promethea tell Rork-eth0
18:27:18.365293 arp reply Promethea is-at 0:60:8:72:5e:88
<========end tcpdump output====>

How can I get DNAT to work properly?
Can anybody help me? I don't know what the problem is. Is it my 
configuration? Am I missing something obvious?

Thanks in advance for your help,

Erik
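The capture in the message above is small enough to read by hand, but the pattern it shows (a SYN/ACK answered by a RST, repeated, with the RST leaving from a different source port than the SYN; tcpdump's "datametrics" is the service name for port 1645) is exactly what one wants a script to spot when debugging NAT on a busier link. The following is an added example, not code from Erik's message or from the iptables project: it parses the old one-packet-per-line tcpdump 3.x format and reports handshakes that never complete. The sample lines are constructed from the capture above (re-joined onto single lines, with one ARP line included so the parser is seen to skip non-TCP traffic); the host names and the finding labels are the example's own.

```python
"""Flag TCP three-way-handshake anomalies in tcpdump 3.x text output.

Added example for the mailing-list post; not code from the original message.
It expects the old one-packet-per-line tcpdump format:
    ts host.port > host.port: FLAGS seq:seq(len) [ack N] win W ...
"""
import re
from collections import defaultdict

# Constructed sample: five TCP packets quoted in the post, each re-joined
# onto one line, plus one ARP line that the parser must ignore.
SAMPLE = """\
18:26:48.765293 Rork-eth0.datametrics > Promethea.http: S 4139693190:4139693190(0) win 5840 <mss 1460,sackOK,timestamp 2036276 0,nop,wscale 0> (DF)
18:26:48.765293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2524120 2034176,nop,wscale 0> (DF)
18:26:48.765293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
18:26:49.165293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2524161 2034176,nop,wscale 0> (DF)
18:26:49.165293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
18:27:18.365293 arp who-has Promethea tell Rork-eth0
"""

# host may be a name or dotted IP; the port is whatever follows the last dot.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+)\.(?P<sport>[^\s.]+) > (?P<dst>\S+)\.(?P<dport>[^\s.]+): "
    r"(?P<flags>[SRPF.]+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)


def parse(text):
    """Return one dict per TCP packet; lines that are not TCP (ARP etc.) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["seq"] = int(p["seq"])
        p["ack"] = int(p["ack"]) if p["ack"] is not None else None
        pkts.append(p)
    return pkts


def handshake_anomalies(pkts):
    """Return (kind, detail) findings for handshakes that never complete.

    Checked:
      * a RST whose sequence number is client ISN + 1 (the RST a host sends
        in answer to a SYN/ACK) coming from a different address/port than
        the SYN that opened the handshake -> "rst-port-mismatch";
      * the same RST from the original address/port -> "rst-in-handshake";
      * the same SYN/ACK seen more than once, i.e. the server never got the
        final ACK -> "synack-retransmit".
    """
    findings = []
    syns = {}                    # client ISN -> the SYN packet
    synacks = defaultdict(int)   # (server ISN, ack number) -> times seen
    for p in pkts:
        if p["flags"] == "S" and p["ack"] is None:
            syns[p["seq"]] = p
        elif p["flags"] == "S":
            synacks[(p["seq"], p["ack"])] += 1
        elif "R" in p["flags"]:
            syn = syns.get(p["seq"] - 1)
            if syn is None:
                continue         # RST unrelated to any SYN in this capture
            rst_from = (p["src"], p["sport"])
            syn_from = (syn["src"], syn["sport"])
            kind = "rst-port-mismatch" if rst_from != syn_from else "rst-in-handshake"
            findings.append((kind,
                f"SYN left {syn_from[0]}.{syn_from[1]} at {syn['ts']}, "
                f"RST came from {rst_from[0]}.{rst_from[1]} at {p['ts']}"))
    for (sseq, ack), n in synacks.items():
        if n > 1:
            findings.append(("synack-retransmit",
                f"SYN/ACK seq {sseq} ack {ack} seen {n} times: final ACK never arrived"))
    return findings


if __name__ == "__main__":
    for kind, detail in handshake_anomalies(parse(SAMPLE)):
        print(f"{kind}: {detail}")
```

Run against a capture taken on the LAN interface of the NAT box (as in the post), the "rst-port-mismatch" finding is the one to look at first: the address/port the RST carries tells you which socket the firewall kernel thought the SYN/ACK was for, and comparing that with the SYN's original source port shows whether the reply was mapped back onto the flow the client actually opened.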