[ilugd] An iptables problem on Debian Etch (amd64)

2007-10-22 Thread आशीष शुक्ल Ashish Shukla
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

I connect to the internet by PPPoE dialing to my ISP from my box
(172.16.0.3). I wanted to DNAT TCP packets coming from the external world
on TCP port 9053 of the ppp0 interface (which gets created as a result of
PPPoE dialing) to TCP port 1203 of my machine's ethernet interface (eth0).

The network service which I wanted to expose is listening on 172.16.0.3:1203.

For that I've created the following iptables rules:

iptables -t filter -A INPUT -i ppp0 -p tcp -m state --state NEW --dport 9053 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3:1203
iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 1203 -j ACCEPT

But unfortunately the above rules are not working as documented. I then
modified the service to listen on the same TCP port as exposed to the external
world, i.e. 9053, and also modified the iptables rules accordingly, and it
worked. Following are the new rules:

iptables -t filter -A INPUT -i ppp0 -p tcp -m state --state NEW --dport 9053 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3
iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 9053 -j ACCEPT

I'm running Linux kernel version 2.6.18-5-amd64. Can anyone tell me what
I'm doing wrong?

TIA
Ashish Shukla 
- -- 
Ashish Shukla Wah Java !!
आशीष शुक्ल

weblog: http://wahjava.wordpress.com/

  ,= ,-_-. =.  | DRMs are often designed by ambitious, well-funded consortia, |
 ((_/)o o(\_)) | with top-notch engineers from every corner of the industry.  |
  `-'(. .)`-'  | They spend millions. They take years. They are defeated in   |
  \_/  | days, for pennies, by hobbyists.- Cory Doctorow  |
 
The best optimizer is between your ears.
  - Michael Abrash
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHHF+pHy+EEHYuXnQRAvgmAKCKcT/VMBCW2RA6zZMAlBYFAb9hJACgoqrK
dviQXyQs4fAF5O3EB6Lwvlg=
=hpAF
-END PGP SIGNATURE-

___
ilugd mailinglist -- ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Next Event: http://freed.in - September 28-29, 2007
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi 
http://www.mail-archive.com/ilugd@lists.linux-delhi.org/


Re: [ilugd] An iptables problem on Debian Etch (amd64)

2007-10-22 Thread Manmohan Sethi
Hi All,


I am planning to buy a laptop. Could anyone suggest to me which one is best in
the market with the ease of installation of Linux? My budget is 35-40 K.

Thanks in advance..

Manmohan Sethi
9899482425


On 10/22/07, आशीष शुक्ल Ashish Shukla [EMAIL PROTECTED] wrote:

[...]


-- 
Regards

Manmohan Sethi
9899485425


Re: [ilugd] An iptables problem on Debian Etch (amd64)

2007-10-22 Thread Jasbir Khehra
On 10/22/07, आशीष शुक्ल Ashish Shukla [EMAIL PROTECTED] wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Hi,

 I used to connect to internet by PPPoE dialing to my ISP from my box
 (172.16.0.3). I wanted to DNAT TCP packets coming from external world
 on 9053 TCP port of ppp0 interface (which gets created a result of
 PPPoE dialing) to the my machine's ethernet interface (eth0)'s TCP port
 1203.

 The network service which I wanted to expose is listening on 172.16.0.3:1203.

It's not clear, so I am assuming here that the service and the internet
connection are on the same machine.
 For that I've created following iptables rules:

 iptables -t filter -A INPUT -i ppp0 -p tcp -m state --state NEW --dport 9053 -j ACCEPT
 iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3:1203
 iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 1203 -j ACCEPT

The packets will hit the PREROUTING chain first and the dst port will
be modified; therefore, in your INPUT chain rule you give port 1203.
Also there is no need to use the state module, because you need to open
this port for NEW as well as ESTABLISHED packets.
iptables -t filter -A INPUT -i ppp0 -p tcp --dport 1203 -j ACCEPT
Hint, use: iptables -t table-name -nvL chain-name to debug
which rules are being hit.

 But unfortunately above rules are not working as documented. I've then
 modified service to listen on same TCP port as exposed to external world,
 i.e. 9053 . And also modified iptables rules accordingly and it
 worked. Following are the new rules:

 iptables -t filter -A INPUT -i ppp0 -p tcp -m state --state NEW --dport 9053 -j ACCEPT
 iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3
 iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 9053 -j ACCEPT

 I'm running Linux kernel version 2.6.18-5-amd64, can anyone tell what
 I'm doing wrong ?

 TIA
 Ashish Shukla
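The ordering Jasbir describes (DNAT in nat/PREROUTING, then the routing decision, then filter/INPUT for a destination this host owns or filter/FORWARD for anything else) is the whole explanation for both the failing first ruleset and the working second one, and it is easy to model. The following is an added example, not code from anyone in this thread: a small Python toy that parses the thread's own iptables rules and traces a fresh inbound SYN through them. It assumes a default DROP policy on the filter chains (with an ACCEPT policy the first ruleset would have worked), a constructed public address 203.0.113.7 on ppp0, and it ignores everything netfilter does beyond these three chains.

```python
"""Toy model of the netfilter path an inbound TCP SYN takes on a host that
DNATs a public port to a local service. Constructed example; it never talks
to the kernel and models only nat/PREROUTING, filter/INPUT, filter/FORWARD."""
import shlex
from dataclasses import dataclass, replace
from typing import Optional

# Assumptions: the host owns the LAN address 172.16.0.3 and the constructed
# public ppp0 address 203.0.113.7; the filter chains' policy is DROP.
LOCAL_ADDRS = {"172.16.0.3", "203.0.113.7"}
DEFAULT_POLICY = "DROP"


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst: str
    dport: int
    state: str = "NEW"  # a fresh SYN is NEW from conntrack's point of view


@dataclass
class Rule:
    table: str
    chain: str
    target: str
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None
    to_dest: Optional[str] = None


def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables syntax used in the thread's rules."""
    argv = shlex.split(line)
    assert argv[0] == "iptables", "expected an iptables command line"
    opts = {}
    i = 1
    while i < len(argv):
        if argv[i] == "-m":          # "-m state" just loads the match extension
            i += 2
            continue
        opts[argv[i]] = argv[i + 1]  # every remaining option takes one value
        i += 2
    return Rule(table=opts.get("-t", "filter"), chain=opts["-A"], target=opts["-j"],
                in_iface=opts.get("-i"), proto=opts.get("-p"), dst=opts.get("-d"),
                dport=int(opts["--dport"]) if "--dport" in opts else None,
                state=opts.get("--state"), to_dest=opts.get("--to-destination"))


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every match it specifies agrees with the packet."""
    return (rule.in_iface in (None, pkt.in_iface) and rule.proto in (None, pkt.proto)
            and rule.dst in (None, pkt.dst) and rule.dport in (None, pkt.dport)
            and rule.state in (None, pkt.state))


def apply_dnat(rule: Rule, pkt: Packet) -> Packet:
    """--to-destination may be 'ip' (port unchanged) or 'ip:port'."""
    ip, _, port = rule.to_dest.partition(":")
    return replace(pkt, dst=ip, dport=int(port) if port else pkt.dport)


def walk_chain(rules, table, chain, pkt):
    """First matching rule decides, as in real chain traversal."""
    for r in rules:
        if r.table == table and r.chain == chain and matches(r, pkt):
            return r.target, (apply_dnat(r, pkt) if r.target == "DNAT" else pkt)
    return None, pkt


def trace(rule_lines, pkt: Packet) -> dict:
    """nat/PREROUTING -> routing decision -> filter/INPUT or filter/FORWARD."""
    rules = [parse_rule(line) for line in rule_lines]
    _, pkt = walk_chain(rules, "nat", "PREROUTING", pkt)         # DNAT happens here
    chain = "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"      # routing decision
    verdict, _ = walk_chain(rules, "filter", chain, pkt)
    return {"dst": pkt.dst, "dport": pkt.dport, "chain": chain,
            "verdict": verdict or DEFAULT_POLICY}


# The three rulesets from the thread, verbatim.
ORIGINAL = [
    "iptables -t filter -A INPUT -i ppp0 -p tcp -m state --state NEW --dport 9053 -j ACCEPT",
    "iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3:1203",
    "iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 1203 -j ACCEPT",
]
WORKAROUND = [  # service moved to 9053, DNAT only rewrites the address
    "iptables -t filter -A INPUT -i ppp0 -p tcp -m state --state NEW --dport 9053 -j ACCEPT",
    "iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3",
    "iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 9053 -j ACCEPT",
]
FIXED = [  # Jasbir's suggestion: INPUT matches the post-DNAT port; no FORWARD rule needed
    "iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3:1203",
    "iptables -t filter -A INPUT -i ppp0 -p tcp --dport 1203 -j ACCEPT",
]

# Constructed inbound SYN from the internet to the public port.
SYN = Packet(in_iface="ppp0", proto="tcp", dst="203.0.113.7", dport=9053)

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("workaround", WORKAROUND), ("fixed", FIXED)):
        print(name, trace(rules, SYN))
```

Running it shows the original ruleset's SYN reaching filter/INPUT with dport already rewritten to 1203, where the `--dport 9053` rule no longer matches and the policy drops it (the FORWARD rule is never consulted because the destination is local); the workaround passes only because DNAT left the port at 9053; the fixed ruleset accepts on `--dport 1203`. `iptables -t filter -nvL INPUT`, as Jasbir suggests, would show the same thing on a real box as a zero packet counter on the 9053 rule.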


Re: [ilugd] An iptables problem on Debian Etch (amd64)

2007-10-22 Thread आशीष शुक्ल Ashish Shukla
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

,--[ On Mon, Oct 22, 2007 at 09:14:02PM +0530, Jasbir Khehra wrote:
| On 10/22/07, आशीष शुक्ल Ashish Shukla [EMAIL PROTECTED] wrote:

[...]

|  I used to connect to internet by PPPoE dialing to my ISP from my box
|  (172.16.0.3). I wanted to DNAT TCP packets coming from external world
|  on 9053 TCP port of ppp0 interface (which gets created a result of
|  PPPoE dialing) to the my machine's ethernet interface (eth0)'s TCP port
|  1203.
| 
|  The network service which I wanted to expose is listening on 172.16.0.3:1203.
| 
| It's not clear, so I am assuming here that the service and the internet
| connection are on the same machine.

I think I mentioned that my box is at 172.16.0.3 and the service is
listening on 172.16.0.3:1203 :) .

|  For that I've created following iptables rules:
| 
|  iptables -t filter -A INPUT -i ppp0 -p tcp -m state --state NEW --dport 9053 -j ACCEPT
|  iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3:1203
|  iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 1203 -j ACCEPT
| 
| The packets will hit the PREROUTING chain first and the dst port will
| be modified; therefore, in your INPUT chain rule you give port 1203.
| Also there is no need to use the state module, because you need to open
| this port for NEW as well as ESTABLISHED packets.
| iptables -t filter -A INPUT -i ppp0 -p tcp --dport 1203 -j ACCEPT

Thanks for the above explanation. I figured out that I'm not accepting the
new DNATted connection in the INPUT chain. So I need to remove that
-t filter -A FORWARD rule and change it to -t filter -A NAT, as
packets will reach the FORWARD chain only when packets are destined for this
host. :)

Thanks
Ashish Shukla
- -- 
Ashish Shukla Wah Java !!
आशीष शुक्ल

weblog: http://wahjava.wordpress.com/

  ,= ,-_-. =.  | DRMs are often designed by ambitious, well-funded consortia, |
 ((_/)o o(\_)) | with top-notch engineers from every corner of the industry.  |
  `-'(. .)`-'  | They spend millions. They take years. They are defeated in   |
  \_/  | days, for pennies, by hobbyists.- Cory Doctorow  |
 
The best optimizer is between your ears.
  - Michael Abrash
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHHMzoHy+EEHYuXnQRAga5AKCmBkLqvXNRSaNAPzhqWGHypVcVLACfcld8
JA4uS+VlPTjEE+XuoDMHuUQ=
=6IeV
-END PGP SIGNATURE-



Re: [ilugd] An iptables problem on Debian Etch (amd64)

2007-10-22 Thread आशीष शुक्ल Ashish Shukla
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

,--[ On Mon, Oct 22, 2007 at 09:46:43PM +0530, आशीष शुक्ल Ashish Shukla wrote:
| packets will reach the FORWARD chain only when packets are destined for this

s/ are / aren't /

Sorry for the typo.
Ashish Shukla
- -- 
Ashish Shukla Wah Java !!
आशीष शुक्ल

weblog: http://wahjava.wordpress.com/

  ,= ,-_-. =.  | DRMs are often designed by ambitious, well-funded consortia, |
 ((_/)o o(\_)) | with top-notch engineers from every corner of the industry.  |
  `-'(. .)`-'  | They spend millions. They take years. They are defeated in   |
  \_/  | days, for pennies, by hobbyists.- Cory Doctorow  |
 
The best optimizer is between your ears.
  - Michael Abrash
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHHM7WHy+EEHYuXnQRAkeUAJ96fa/u3nTZ7PiYvVpIK5x5MxWXpgCfRZ3/
cV2gUjBn0/zNvt9dTG4NAR8=
=HOme
-END PGP SIGNATURE-
