Re: NAT and IPTABLES problem

To: chindea mihai <misubs24@yahoo.com>
Cc: debian-amd64@lists.debian.org
Subject: Re: NAT and IPTABLES problem
From: Bonnel Christophe <mage.tophinus@free.fr>
Date: Wed, 02 Apr 2008 07:12:24 +0200
Message-id: <[🔎] 47F315B8.6070903@free.fr>
In-reply-to: <[🔎] 118915.86132.qm@web54110.mail.re2.yahoo.com>
References: <[🔎] 118915.86132.qm@web54110.mail.re2.yahoo.com>

It seems that your firewall is ok but he don't receive feedback fromwhat the laptop asks :

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out sourcedestination19 1140 ACCEPT 0 -- eth2 eth1 192.168.5.0/240.0.0.0/00 0 ACCEPT 0 -- * * 0.0.0.0/00.0.0.0/0 state RELATED,ESTABLISHED0 0 LOG 0 -- * eth1 0.0.0.0/0192.168.5.0/24 LOG flags 0 level 40 0 DROP 0 -- * eth1 0.0.0.0/0192.168.5.0/240 0 LOG 0 -- * * 0.0.0.0/00.0.0.0/0 LOG flags 0 level 40 0 DROP 0 -- * * 0.0.0.0/00.0.0.0/0

To confirm what i say, can you relaunch your firewall (to clear thecounts), launch a ping with laptop and after the "error", re-post theoutput of

iptables -t filter -L FORWARD -v -n
iptables -t nat -L POSTROUTING -v -n

You can also add these lines and re-try a ping :

/sbin/iptables -t filter -I FORWARD 1 -j LOG --log-prefix "Generalforward : " --log-tcp-sequence --log-tcp-options --log-ip-options/sbin/iptables -t filter -I FORWARD 3 -j LOG --log-prefix "Feedbackforward : " --log-tcp-sequence --log-tcp-options --log-ip-options

now you can delete them by relauching the firewall or do :
/sbin/iptables -t filter -D FORWARD 3
/sbin/iptables -t filter -D FORWARD 1

And see with dmesg what it gives you (i think only General and noFeedback if my assumptions are true)



That is a thing that annoy me :

Chain OUTPUT (policy DROP 1 packets, 92 bytes)
pkts bytes target prot opt in out sourcedestination22 10448 ACCEPT 0 -- * lo 0.0.0.0/00.0.0.0/00 0 ACCEPT 0 -- * eth2 0.0.0.0/0255.255.255.25535 1399 ACCEPT 0 -- * eth2 0.0.0.0/0192.168.5.0/241 107 ACCEPT !tcp -- * eth2 0.0.0.0/0224.0.0.0/40 0 LOG 0 -- * eth1 0.0.0.0/0192.168.5.0/24 LOG flags 0 level 40 0 DROP 0 -- * eth1 0.0.0.0/0192.168.5.0/240 0 ACCEPT 0 -- * eth1 0.0.0.0/0255.255.255.25589 9594 ACCEPT 0 -- * eth1 xx.xx.xx.2210.0.0.0/00 0 ACCEPT 0 -- * eth1 xx.xx.xx.2550.0.0.0/00 0 LOG 0 -- * * 0.0.0.0/00.0.0.0/0 LOG flags 0 level 40 0 DROP 0 -- * * 0.0.0.0/00.0.0.0/0

The last line of OUTPUT drops all connections but the default policyhave dropped one. That is not related to your problem, but it can be aiptables or kernel problem...


Can you post /sbin/iptables --version, uname -r ?

If I understand, when your gateway is used with VMware and not debian,your laptop can ping with no problem ?


Christophe

Reply to:

References:
- Re: NAT and IPTABLES problem
  - From: chindea mihai <misubs24@yahoo.com>

Prev by Date: Re: Fwd: P5K-VM v BFG NVidia 8800GT OC
Next by Date: Re: Fwd: P5K-VM v BFG NVidia 8800GT OC
Previous by thread: Re: NAT and IPTABLES problem
Next by thread: Re: NAT and IPTABLES problem
Index(es):
- Date
- Thread