
Re: port forward with the ipmasq package and Iptables



On Tuesday 29 April 2003 15:51, Tom Goulet (UID0) wrote:
> > The first thing I would do is change the policy on the FORWARD chain to
> > ALLOW and see if it suddenly starts working. If it does, it means that
> > your rule in the FORWARD chain isn't matching the traffic correctly.
> > I've attached a modified version of the firewall script.
>
> Unfortunately this has the same timing-out problem, with or without
> "ACCEPT" instead of "DROP".
>
> > The important line to fiddle with will be :
> > iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $EXTIP --dport 515 \
> >   -m state --state NEW -j ACCEPT
>
> Hmm.
>
> > I think the problem with your original script is that the destination
> > actually needs to be $EXTIP, not $PRINTERIP.
>
> Ahh, I did get that wrong.  Hmm.
>
> Hmm.
>
> I'm probably going to switch to Linux 2.2 and use that infernal
> ipmasqadm program.  If I can't get Iptables to forward a port with a
> simple Iptables script and the instructions from the IP Masquerading
> Howto and the input of someone else who seems to know what he's talking
> about, I'm not going to get Iptables to work.  This is where I mentally
> file away the problem into the (very large) bin marked "Computers Suck".

Ok, if it looks like all the rules are ok (and it does) and it's not working 
even with the FORWARD chain set to ACCEPT, then now's about when I'd pull out 
tcpdump and see what is actually happening to the traffic.

How are you testing the configuration?

Are you sure the printer is actually responding on that port in the first 
place?

Another thing to keep in mind is that the printer needs to have its 
connection back out masqueraded as well; this is usually done by the standard 
NAT routine, but if you don't have that then the printer will be trying to 
talk to the originating machine with its private IP, which won't work. A 
tcpdump on the firewall box should give you some clues as to where it's 
breaking down.

I've personally sat looking at what should be a simple firewall like that for 
hours swearing at it and wondering why it didn't work, only to realise I'd 
gotten the -i and -o options around the wrong way. Happens to the best of us. 
:)

You could try just removing those -i and -o lines for now; they aren't 
entirely necessary, except maybe on the DNAT line. Try the Occam's Razor 
approach: simplify everything down to base components until it works, then 
build up again until it breaks. That way you'll know what you've done wrong.

Another thing that occurs to me: are the NAT kernel modules loaded? iptables 
should be erroring if they aren't, though...

t
-- 
GPG: http://n12turbo.com/tarragon/public.key
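The forwarding script the thread is circling around, written out as an added example (it is not the original poster's script nor the attached one): the interface names, the addresses and the printer port are assumed placeholders, overridable from the environment. The nat PREROUTING chain runs before the filter FORWARD chain, so the DNAT rule matches on the public address while the FORWARD rule matches on the printer's address, which is what the packet carries by the time FORWARD sees it. With DRYRUN=1 the script prints every command instead of executing it, so the rule set can be read before it touches a live box.

```shell
#!/bin/sh
# Added example for this thread: forward LPD (tcp/515) arriving on the
# firewall's public address to a printer on the masqueraded LAN.
# Interface names and addresses are assumed placeholders, not the
# original poster's values; override them from the environment.
EXTIF=${EXTIF:-eth0}                    # assumed public interface
INTIF=${INTIF:-eth1}                    # assumed LAN interface
EXTIP=${EXTIP:-203.0.113.10}            # assumed public IP of the firewall
PRINTERIP=${PRINTERIP:-192.168.1.20}    # assumed private IP of the printer
LPD_PORT=${LPD_PORT:-515}               # LPD

# With DRYRUN set, print each command instead of executing it, so the
# rule set can be read (or diffed) before it is applied.
run() {
    if [ -n "$DRYRUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ipt() { run iptables "$@"; }

# The NAT code is a module on most kernels; load it explicitly rather
# than relying on iptables to autoload it, and turn on forwarding.
load_nat_modules() {
    run modprobe iptable_nat
    run sysctl -w net.ipv4.ip_forward=1
}

port_forward_rules() {
    # 1. nat/PREROUTING: the packet arrives addressed to EXTIP, so the DNAT
    #    rule matches on EXTIP and rewrites the destination to the printer.
    ipt -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXTIP" --dport "$LPD_PORT" \
        -j DNAT --to-destination "$PRINTERIP:$LPD_PORT"

    # 2. filter/FORWARD runs after PREROUTING, so here the destination is
    #    already PRINTERIP; a rule matching -d EXTIP never fires.
    #    -i is the arriving interface (public), -o the outgoing one (LAN).
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$PRINTERIP" --dport "$LPD_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # 3. Let the printer's replies (and any other established flow) back out.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. Masquerade LAN-originated traffic leaving the public interface.
    #    Replies to the forwarded connection are un-DNATed by conntrack on
    #    the way out; this rule covers connections the LAN itself opens.
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Diagnosis: watch the printer port on one interface. Run it on EXTIF and
# on INTIF while connecting from outside; the interface on which the SYN
# stops showing up is where the rule set is dropping it.
watch_lpd() {
    run tcpdump -ni "$1" "tcp port $LPD_PORT"
}

if [ "${1:-}" = apply ]; then
    load_nat_modules
    port_forward_rules
fi
```

`DRYRUN=1 sh portfwd.sh apply` prints the rules; `sh portfwd.sh apply` as root applies them. To follow the thread's tcpdump advice, source the file and call `watch_lpd eth0` in one terminal and `watch_lpd eth1` in another while a client connects to port 515 on the public address.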
