It sounds like you got bit by the same thing that bit me several months ago. Keep in mind that *all* NAT traffic has to pass through iptables. That means the requests from outside *and* the response from your webserver to the outside. That means for all DNATed boxes you need to SNAT them to the iptables box. Example:
# Forward incoming traffic on port 80 to 192.168.1.4
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.4
/sbin/iptables -t nat -A PREROUTING -p udp --dport 80 -j DNAT --to 192.168.1.4

# Send outgoing responses through the iptables box
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d 192.168.1.4 -j SNAT --to-source 192.168.1.1

See if that helps.

On Fri, 2002-04-26 at 04:47, Erik Schaberg wrote:
> Hi all,
>
> I have a problem with iptables and hope one of you gurus can help me.
>
> I'm using redhat 7.2 and the iptables (version 1.2.3) that came with it.
> Iptables works fine for packet filtering and SNAT but I cannot get DNAT
> working.
>
> I have two linux boxes, connected with an ethernet card to each other
> (192.168.1.0/24). One has also an adsl connection using a static
> ipaddress (x.x.x.x/32). I use the adsl machine as firewall/workstation,
> the other one is my webserver. I want to forward the http traffic from
> the internet directed to my adsl ip address to the lan webserver. But
> whatever I try, it times out.
>
> I read a number of iptables tutorials and FAQs, but I cannot find the
> solution. I tried different sample iptables configurations, but all have
> the DNAT problem on my system.
> To test the DNAT principle/working I added another rule to my nat table.
> This rule should redirect all http traffic from my workstation to a
> randomly chosen ip address 222.222.222.222 to my lan-webserver. This way I
> can test the principle/working of DNAT without help from someone on the
> internet to connect to my box.
> This connection also times out. When I look at the tcpdump output on the
> ethernet interface it looks to me as if the firewall resets the
> connection while still in the 3-way handshake.
>
> This is my iptables nat configuration as shown with the command:
> iptables -t nat -L:
> (adsl-ip-address is the static ip address of the firewall's adsl interface.)
>
> <====start iptables output ==========>
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             adsl-ip-address      tcp dpt:http state NEW,RELATED,ESTABLISHED to:192.168.1.2
> DNAT       tcp  --  anywhere             adsl-ip-address      tcp dpt:http to:192.168.1.2:80
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> SNAT       all  --  anywhere             anywhere             to:adsl-ip-address
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> DNAT       tcp  --  anywhere             222.222.222.222      tcp dpt:http to:192.168.1.2
> <=========== end iptables output==========>
>
> This is the output of tcpdump when I'm connecting to
> http://222.222.222.222/ from my workstation/firewall-box. (Rork-eth is
> the lan interface of the firewall/workstation (ip-address 192.168.1.1).
> Promethea is the lan interface (and hostname) of the webserver on the
> lan (ip-address 192.168.1.2).)
> <============ start tcp dump output=====>
> 18:26:48.765293 Rork-eth0.datametrics > Promethea.http: S 4139693190:4139693190(0) win 5840 <mss 1460,sackOK,timestamp 2036276 0,nop,wscale 0> (DF)
> 18:26:48.765293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2524120 2034176,nop,wscale 0> (DF)
> 18:26:48.765293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
> 18:26:49.165293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2524161 2034176,nop,wscale 0> (DF)
> 18:26:49.165293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
> 18:27:13.365293 Promethea.http > Rork-eth0.datametrics: S 3529853357:3529853357(0) ack 4139693191 win 5792 <mss 1460,sackOK,timestamp 2526581 2034176,nop,wscale 0> (DF)
> 18:27:13.365293 Rork-eth0.1024 > Promethea.http: R 4139693191:4139693191(0) win 0 (DF)
> 18:27:18.365293 arp who-has Promethea tell Rork-eth0
> 18:27:18.365293 arp reply Promethea is-at 0:60:8:72:5e:88
> <========end tcpdump output====>
>
> How can I get dnat to work properly?
> Can anybody help me? I don't know what the problem is. Is it my
> configuration? Am I missing something obvious?
>
> Thanks in advance for your help,
>
> Erik
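The point made in the reply above, that a DNATed flow only works if the webserver's answer also passes back through the iptables box, is easy to see in a small model of conntrack. The following is an added example, not code from the thread: it models a router with the reply's PREROUTING DNAT rule and its POSTROUTING hairpin SNAT rule, using constructed addresses (192.168.1.10 as a LAN client, 203.0.113.5 and 198.51.100.7 as documentation-range public addresses). Without the SNAT rule the webserver's SYN-ACK is switched straight to the LAN client with the webserver's own source address, the client has no socket for that peer and answers with RST, which is the pattern in the tcpdump output; with the rule the reply is routed back through the box and reverse-translated. The model also shows that clients on the internet succeed either way, because their reply path already runs through the router.

```python
"""Toy model of stateful DNAT + SNAT on a Linux-style router (added example; all
addresses are constructed, with RFC 5737 documentation ranges on the public side)."""
from dataclasses import dataclass, replace

ROUTER_LAN = "192.168.1.1"      # the iptables box, LAN side
ROUTER_PUBLIC = "203.0.113.5"   # the iptables box, public side (constructed)
WEBSERVER = "192.168.1.4"       # DNAT target, as in the reply above
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


class NatRouter:
    """Models the nat table: PREROUTING DNAT, optional POSTROUTING hairpin SNAT,
    and a conntrack table keyed by the reply-direction tuple."""

    def __init__(self, hairpin_snat):
        self.hairpin_snat = hairpin_snat
        self.conntrack = {}   # (src, sport, dst, dport) of replies -> original tuple
        self.next_snat_port = 1024

    def forward(self, pkt):
        """Return the packet as it leaves the router after NAT."""
        # Reply direction: a tracked flow is reverse-translated (DNAT and SNAT undone)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            osrc, osport, odst, odport = self.conntrack[key]
            return replace(pkt, src=odst, sport=odport, dst=osrc, dport=osport)

        new = pkt
        # PREROUTING: -p tcp --dport 80 -d <public> -j DNAT --to WEBSERVER
        if pkt.dst == ROUTER_PUBLIC and pkt.dport == 80:
            new = replace(new, dst=WEBSERVER)
        # POSTROUTING: -s 192.168.1.0/24 -d WEBSERVER -j SNAT --to-source ROUTER_LAN
        if self.hairpin_snat and pkt.src.startswith(LAN_PREFIX) and new.dst == WEBSERVER:
            new = replace(new, src=ROUTER_LAN, sport=self.next_snat_port)
            self.next_snat_port += 1
        # Remember how to recognise and untranslate the replies to this flow
        self.conntrack[(new.dst, new.dport, new.src, new.sport)] = (
            pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return new


def deliver(router, pkt):
    """One hop of delivery. Anything addressed to the router or off the LAN goes
    through the router; LAN-to-LAN traffic is switched directly and never NATed."""
    if pkt.dst in (ROUTER_LAN, ROUTER_PUBLIC) or not pkt.dst.startswith(LAN_PREFIX):
        return router.forward(pkt)
    return pkt


def webserver_reply(pkt):
    """The webserver answers a SYN on port 80 with a SYN-ACK to whatever source it saw."""
    assert pkt.dst == WEBSERVER and pkt.dport == 80 and pkt.flags == "S"
    return Packet(src=WEBSERVER, sport=80, dst=pkt.src, dport=pkt.sport, flags="SA")


def client_reply(client_ip, client_port, pkt, expected_peer):
    """The client's stack accepts a SYN-ACK only from the peer it connected to;
    a segment for which it has no socket is answered with RST."""
    if (pkt.src, pkt.sport) == expected_peer and pkt.flags == "SA":
        return Packet(client_ip, client_port, pkt.src, pkt.sport, "A")
    return Packet(client_ip, client_port, pkt.src, pkt.sport, "R")


def simulate_handshake(client_ip, client_port, hairpin_snat):
    """Run client -> public:80 through the model; return the flags of the client's
    third segment ("A" on success, "R" for the failure from the thread) and the trace."""
    router = NatRouter(hairpin_snat)
    syn = Packet(client_ip, client_port, ROUTER_PUBLIC, 80, "S")
    syn_on_lan = deliver(router, syn)
    synack = webserver_reply(syn_on_lan)
    synack_at_client = deliver(router, synack)
    third = client_reply(client_ip, client_port, synack_at_client, (ROUTER_PUBLIC, 80))
    return third.flags, [syn, syn_on_lan, synack, synack_at_client, third]


if __name__ == "__main__":
    for hairpin in (False, True):
        flags, trace = simulate_handshake("192.168.1.10", 40000, hairpin)
        print(f"hairpin SNAT {'on ' if hairpin else 'off'}: client answers with {flags}")
        for p in trace:
            print(f"   {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.flags}")
    # Internet clients work either way: their reply path already runs through the router
    print("external client:", simulate_handshake("198.51.100.7", 5555, False)[0])
```

The trace printed for the LAN client without hairpin SNAT shows the SYN-ACK arriving with source 192.168.1.4:80 instead of the public address the client connected to, which is exactly why the client's kernel answers with RST; the cost of the fix is that the webserver's logs then show the router's LAN address rather than the real LAN client for hairpinned connections.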
