vserver: SNAT not working?
thinking
PostPosted: Fri May 18, 2007 7:09 pm    Post subject: vserver: SNAT not working?

hiho@ll

I'm trying to configure my firewall to connect to a vserver which hosts Apache on port 80.

A DSL router provides the internet connection.
The server hosting the vserver has the IP 192.168.0.3 on eth0.
My vserver has a dummy0 interface with IP 192.168.1.1 and Apache running on port 80.
First I created the following firewall.sh, which should set up the iptables rules for my needs:
Quote:

#!/bin/sh
IPTABLES=/sbin/iptables

# Reset the filter chains: accept local traffic, drop forwarding by default
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# Redirect port 80 on the host address to the vserver's dummy0 address
$IPTABLES -t nat -A PREROUTING --destination 192.168.0.3 -m tcp -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80

# Log TCP traffic to and from the vserver address
$IPTABLES -A INPUT -d 192.168.1.1 -p tcp -j LOG --log-level info --log-prefix "IPTABLES input"
$IPTABLES -A OUTPUT -s 192.168.1.1 -p tcp -j LOG --log-level info --log-prefix "IPTABLES output"

This works if I point my browser from another host within my LAN to http://192.168.0.3/

But if I try to connect from the internet, I get these log entries 3 times (because Firefox seems to try 3 connects):
Quote:

May 18 22:25:57 hostname IPTABLES inputIN=eth0 OUT= MAC=SOMEMAC SRC=MYWANIP DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=19587 DF PROTO=TCP SPT=1614 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 18 22:25:57 hostname IPTABLES outputIN= OUT=eth0 SRC=192.168.1.1 DST=MYWANIP LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=1614 WINDOW=5840 RES=0x00 ACK SYN URGP=0

Using tcpdump on eth0 I get:
Quote:

22:28:32.735189 IP MYWANIP.1617 > 192.168.0.3.80: S 3812199362:3812199362(0) win 65535 <mss 1260,nop,nop,sackOK>
22:28:32.739377 arp who-has MYWANIP tell 192.168.0.3
22:28:33.739437 arp who-has MYWANIP tell 192.168.0.3
22:28:34.739488 arp who-has MYWANIP tell 192.168.0.3
22:28:35.719114 IP MYWANIP.1617 > 192.168.0.3.80: S 3812199362:3812199362(0) win 65535 <mss 1260,nop,nop,sackOK>
22:28:41.738067 IP MYWANIP.1617 > 192.168.0.3.80: S 3812199362:3812199362(0) win 65535 <mss 1260,nop,nop,sackOK>
22:28:41.739956 arp who-has MYWANIP tell 192.168.0.3
22:28:42.740001 arp who-has MYWANIP tell 192.168.0.3
22:28:43.740062 arp who-has MYWANIP tell 192.168.0.3

Using tcpdump on lo I get:
Quote:

22:41:05.038425 IP 192.168.0.3 > 192.168.1.1: ICMP host MYWANIP unreachable, length 56
22:41:05.038425 IP 192.168.0.3 > 192.168.1.1: ICMP host MYWANIP unreachable, length 56
22:41:05.038425 IP 192.168.0.3 > 192.168.1.1: ICMP host MYWANIP unreachable, length 56


I think I just have too little networking experience to solve this on my own, although I'm pretty sure this is a simple problem.
So the questions are:
What's the problem?
Any ideas how to solve it?

Edit:
I added masquerading to my firewall.sh:
Quote:

# Interface names assumed from the setup described above (not defined in the original snippet)
EXTIF=eth0
INTIF=dummy0

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

I also tried to connect from the vserver to google.com:80 and got this:
Quote:

httpd htdocs # telnet google.com 80
Trying 64.233.167.99...
Trying 64.233.187.99...
Trying 72.14.207.99...
telnet: Unable to connect to remote host: No route to host
httpd htdocs # ping google.com
PING google.com (72.14.207.99) 56(84) bytes of data.
From 192.168.0.3 icmp_seq=1 Destination Host Unreachable
From 192.168.0.3 icmp_seq=2 Destination Host Unreachable
From 192.168.0.3 icmp_seq=3 Destination Host Unreachable

--- google.com ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4132ms
, pipe 3

As far as I understand, I have to add a "route" on my host (not the vserver):
Quote:

myhost / # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 dummy0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0


thx@ll
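As an added example (not part of the post above), a small Python parser for the netfilter LOG lines quoted in it, pairing each logged SYN with the SYN/ACK whose 4-tuple is its exact reverse: the pairing makes visible that filter INPUT already sees the DNATed destination (192.168.1.1) and that filter OUTPUT logs the reply before nat POSTROUTING can rewrite its source, so these two lines alone do not show whether the reverse translation happened. The sample lines are constructed copies of the post's entries; MYWANIP and SOMEMAC are the poster's own placeholders.

```python
# Constructed sample input: the two LOG entries quoted in the post
# (MYWANIP and SOMEMAC are the poster's own placeholders, kept as-is).
SAMPLE_LOG = """\
May 18 22:25:57 hostname IPTABLES inputIN=eth0 OUT= MAC=SOMEMAC SRC=MYWANIP DST=192.168.1.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=19587 DF PROTO=TCP SPT=1614 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
May 18 22:25:57 hostname IPTABLES outputIN= OUT=eth0 SRC=192.168.1.1 DST=MYWANIP LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=1614 WINDOW=5840 RES=0x00 ACK SYN URGP=0
"""

# Bare tokens the LOG target emits without a KEY= prefix
FLAG_TOKENS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line: str) -> dict:
    """Turn one netfilter LOG line into a dict of KEY=VALUE fields.

    Flag tokens are collected into a 'flags' set. The post's --log-prefix
    has no trailing space, so the first field is glued to it ("inputIN=eth0");
    the record is therefore cut at the first "IN=" rather than at the prefix.
    """
    start = line.find("IN=")
    if start < 0:
        raise ValueError("not a netfilter LOG line: " + line)
    rec = {"flags": set()}
    for tok in line[start:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val                      # "OUT=" yields an empty string
        elif tok in FLAG_TOKENS:
            rec["flags"].add(tok)
    return rec


def pair_handshakes(entries: list) -> list:
    """Match each plain SYN with a SYN/ACK whose (src, sport, dst, dport) is its reverse."""
    pairs = []
    for req in entries:
        if "SYN" not in req["flags"] or "ACK" in req["flags"]:
            continue
        want = (req["DST"], req["DPT"], req["SRC"], req["SPT"])
        for rep in entries:
            if ({"SYN", "ACK"} <= rep["flags"]
                    and (rep["SRC"], rep["SPT"], rep["DST"], rep["DPT"]) == want):
                pairs.append((req, rep))
    return pairs


def describe(pairs: list) -> list:
    """One line per handshake: where the SYN arrived (after DNAT) and what the
    reply carries as seen by filter OUTPUT, i.e. before nat POSTROUTING runs."""
    return [
        f"SYN {q['SRC']}:{q['SPT']} -> {q['DST']}:{q['DPT']} in on {q['IN']}; "
        f"SYN/ACK {r['SRC']}:{r['SPT']} -> {r['DST']}:{r['DPT']} out on {r['OUT']}"
        for q, r in pairs
    ]


if __name__ == "__main__":
    parsed = [parse_log_line(l) for l in SAMPLE_LOG.splitlines()]
    for summary in describe(pair_handshakes(parsed)):
        print(summary)
```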