[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: port forward with the ipmasq package and Iptables

On Tuesday 29 April 2003 13:09, Tom Goulet (UID0) wrote:
> Okay, I'll stop requiring you to guess and reverse engineer Ipmasq and
> post my small Iptables script that still doesn't work.  The result is the
> same change from "Connection refused" to "Connection timed out" that I
> described earlier.

Ok, there is only one place in your firewall that traffic can get stopped like 
that, and that is if it falls off the end of the FORWARD chain and hits the 
default "DROP" policy - which would be consistent with the "connection timed 
out" messages you are seeing.

The first thing I would do is change the policy on the FORWARD chain to ALLOW 
and see if it suddenly starts working. If it does, it means that your rule in 
the FORWARD chain isn't matching the traffic correctly. This could be 
diagnosed with a tcpdump and see what the traffic actually looks like in 
kernel space.

I've attached a modified version of the firewall script. I didn't change much, 
except to explicitly define the internal network for the MASQ rule, and also 
to enable stateful firewalling correctly (it's my understanding that if you 
don't have rules matching a NEW state, then the entries are never entered 
into the state table and corresponding RELATED/ESTABLISHED rules won't work).

The important line to fiddle with will be :

iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $EXTIP --dport 515 \
  -m state --state NEW -j ACCEPT

I think the problem with your original script is that the destination actually 
needs to be $EXTIP, not $PRINTERIP.

GPG: http://n12turbo.com/tarragon/public.key

Attachment: firewall
Description: application/shellscript

Reply to: