
Re: port forward with the ipmasq package and Iptables



> Ok, if it looks like all the rules are ok (and it does) and it's not working 
> even with the FORWARD chain set to ACCEPT, then now's about when I'd pull out 
> tcpdump and see what is actually happening to the traffic.

I'll use Iptraf because I don't know how to use Tcpdump.

> How are you testing the configuration?

I telnet to the computer's internet IP address on port 515.  If my
connection is refused, the forward is not in place.  Most or all of the
time that I have rules relating to the forward, my connection will time out.

> Are you sure the printer is actually responding on that port in the first 
> place?

Yep.

root@red-sector:~# telnet 192.168.10.10 515
Trying 192.168.10.10...
Connected to 192.168.10.10.
Escape character is '^]'.

Connection closed by foreign host.
root@red-sector:~#

> Another thing to keep in mind is that the printer needs to have its 
> connection back out masqueraded as well; this is usually done by the standard 
> NAT routine, but if you don't have that then the printer will be trying to 
> talk to the originating machine with its private IP, which won't work. A 
> tcpdump on the firewall box should give you some clues as to where it's 
> breaking down.

... Okay!
64.110.205.174:60950                        =       2       100 RESET  eth0
192.168.10.10:515                           =       1        40 S-A-   eth0

The printer gets the SYN packet, attempts to reply, but its connection
is reset, and the reply never gets back to me.

No packets ever leave with the external IP address.

What does that mean?
This doesn't happen with Tarragon's original script, but it does happen
with Richard's, and my IP Masquerading Howto script.

I figured it out!  The printer's response is leaving by a different
internet IP address.

Thanks, guys!

-- 
Tom Goulet				mail: uid0@em.ca
UID0 Unix Consulting			web:  em.ca/uid0/
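
An added example, not code from this thread or from any of the scripts it
mentions: a minimal iptables rule set for the forward described above
(tcp/515 on the firewall's external address to the printer on the LAN),
plus a way to watch both legs of the connection with tcpdump on the
firewall.  The interface names, the 203.0.113.10 external address and the
192.168.10.0/24 LAN are assumptions for illustration; replace them with the
real ones.  The SNAT rule is deliberately written with --to-source rather
than MASQUERADE so that a gateway holding more than one internet address
sends the LAN's outbound traffic from a known address, which is exactly the
kind of "reply leaves by a different IP" problem the post ends on.  Run
with IPT=echo to print the rules without loading them.

```shell
#!/bin/sh
# Added example for forwarding tcp/515 (LPD) through an iptables gateway.
# Assumed names: EXT_IF/EXT_IP are the internet-facing interface/address,
# LAN_IF the inside interface, PRINTER the printer's LAN address.
# IPT=echo turns the script into a dry run that only prints the rules.

set -eu

IPT="${IPT:-iptables}"
TCPDUMP="${TCPDUMP:-tcpdump}"

EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-203.0.113.10}"   # assumed; RFC 5737 documentation range
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"
PRINTER="${PRINTER:-192.168.10.10}"
PORT="${PORT:-515}"

# Load the rules that forward EXT_IP:PORT to PRINTER:PORT.
forward_port() {
    # 1. DNAT happens in PREROUTING, so later chains see the printer's
    #    address as the destination.
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport "$PORT" \
        -j DNAT --to-destination "$PRINTER:$PORT"

    # 2. Allow only this connection through FORWARD (policy stays DROP):
    #    inbound SYN and follow-ups to the printer, replies back out.
    "$IPT" -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -p tcp -d "$PRINTER" --dport "$PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -p tcp -s "$PRINTER" --sport "$PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Outbound LAN connections: pin the source to EXT_IP instead of
    #    letting MASQUERADE pick the interface's primary address.  Replies
    #    of the DNATed connection are reverse-mapped by conntrack and do
    #    not consult this rule.
    "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" \
        -j SNAT --to-source "$EXT_IP"
}

# Watch the forward on the firewall: the SYN arriving on EXT_IF, the
# DNATed SYN leaving on LAN_IF, the printer's SYN-ACK, and whether the
# reply goes back out EXT_IF with EXT_IP as its source.  -n skips DNS,
# -c stops after 20 packets per interface.
watch_port() {
    "$TCPDUMP" -ni "$EXT_IF" -c 20 "tcp port $PORT" &
    "$TCPDUMP" -ni "$LAN_IF" -c 20 "tcp port $PORT and host $PRINTER"
    wait
}

if [ $# -gt 0 ]; then
    case "$1" in
        forward) forward_port ;;
        watch)   watch_port ;;
        *) echo "usage: $0 forward|watch" >&2; exit 2 ;;
    esac
fi
```

Usage: `sh fwd.sh forward` on the gateway loads the rules; in another
terminal `sh fwd.sh watch` shows whether the printer's SYN-ACK comes back
through the gateway and what source address it leaves with.  If the SYN-ACK
shows up on LAN_IF but never on EXT_IF, check the printer's default
gateway; if it leaves EXT_IF from an address other than EXT_IP, the
outbound path is being translated somewhere other than rule 3.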


