Re: port forward with the ipmasq package and Iptables
On Wednesday 30 April 2003 02:42, Tom Goulet (UID0) wrote:
> > Ok, if it looks like all the rules are ok (and it does) and it's not
> > working even with the FORWARD chain set to ACCEPT, then now's about when
> > I'd pull out tcpdump and see what is actually happening to the traffic.
> I'll use Iptraf because I don't know how to use Tcpdump.
On the firewall box, something like:
tcpdump -n -i $EXT_INTERFACE port 515
should be all you need. Take a look at the source and destinations, look for
the SYN/SYN-ACK/ACK process ...
Then do the same on your $INT_INTERFACE and compare.
> > How are you testing the configuration?
> I telnet to the computer's internet IP address on port 515. If my
> connection is refused the forward is not in place. Most or all of the
> time I have rules relating to the forward my connection will time out.
Ok, and you are doing this from an internal machine? This could be the problem
- you connect to your firewall's external IP with an internal address, the
firewall translates this to another machine internally (the printer), then
the printer tries to talk directly back to your machine on the *internal
address*. This is important, because the printer and your machine are talking
directly at this point, *except* that your machine is expecting responses
from the firewall's IP, not directly from the printer.
You should really be testing with a machine that's outside the network.
[Reads further down]
> I figured it out! The printer's response is leaving by a different
> internet IP address.
> Thanks, guys!
Ok, looks like you sorted it out? :)
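The hairpin path described in the reply above, as an added example that is not part of the original thread: a small Python model of the firewall's nat table shows why a test from an internal machine against the firewall's external IP fails when the firewall only DNATs (the printer answers the client directly, from its own address, so the client's socket never sees a SYN-ACK from the address it connected to), and how it behaves once the forwarded connection is also source-NATed to the firewall's internal address, which is the usual fix for NAT reflection and is not something the thread itself states. All addresses and ports are constructed for the example.

```python
# Added example (not from the original thread): a model of the hairpin-NAT
# path.  All addresses and ports are constructed for the example.
from dataclasses import dataclass

EXT_IP = "203.0.113.10"      # firewall external address (assumed)
FW_INT_IP = "192.168.1.1"    # firewall internal address (assumed)
CLIENT_IP = "192.168.1.50"   # the internal machine you telnet from (assumed)
PRINTER_IP = "192.168.1.20"  # the DNAT target (assumed)
LPD_PORT = 515


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, as tcpdump prints them


class Firewall:
    """Models the nat table: DNAT on PREROUTING, optional SNAT on POSTROUTING.

    Equivalent iptables rules (standard syntax, for reference):
      iptables -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 515 \
          -j DNAT --to-destination $PRINTER_IP:515
    and, only when hairpin_snat is True:
      iptables -t nat -A POSTROUTING -s $LAN -d $PRINTER_IP -p tcp --dport 515 \
          -j SNAT --to-source $FW_INT_IP
    """

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        # conntrack: (src as seen by printer, sport) -> original (src, sport, dst, dport)
        self.conntrack = {}

    def forward(self, pkt: Packet) -> Packet:
        """Client -> firewall -> printer direction."""
        if not (pkt.dst == EXT_IP and pkt.dport == LPD_PORT):
            raise ValueError("no DNAT rule matches this packet")
        new_src = FW_INT_IP if self.hairpin_snat else pkt.src
        self.conntrack[(new_src, pkt.sport)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(new_src, pkt.sport, PRINTER_IP, LPD_PORT, pkt.flags)

    def reverse(self, pkt: Packet) -> Packet:
        """Printer -> firewall -> client direction: undo both translations."""
        orig_src, orig_sport, orig_dst, orig_dport = self.conntrack[(pkt.dst, pkt.dport)]
        return Packet(orig_dst, orig_dport, orig_src, orig_sport, pkt.flags)


def lan_deliver(fw: Firewall, pkt: Packet) -> Packet:
    """The printer's reply goes wherever its destination says: straight to a
    LAN host, or to the firewall, which un-NATs it."""
    if pkt.dst == FW_INT_IP:
        return fw.reverse(pkt)
    return pkt  # same subnet: delivered directly, the firewall never sees it


def hairpin_test(hairpin_snat: bool) -> dict:
    fw = Firewall(hairpin_snat)
    trace = []

    # 1. Client opens a socket to EXT_IP:515.  EXT_IP is off the LAN, so the
    #    SYN goes to the default gateway, i.e. the firewall.
    syn = Packet(CLIENT_IP, 40000, EXT_IP, LPD_PORT, "S")
    trace.append(f"client -> fw     {syn.src}:{syn.sport} > {syn.dst}:{syn.dport} [{syn.flags}]")

    # 2. Firewall applies DNAT (and SNAT if configured) and sends it on.
    fwd = fw.forward(syn)
    trace.append(f"fw -> printer    {fwd.src}:{fwd.sport} > {fwd.dst}:{fwd.dport} [{fwd.flags}]")

    # 3. Printer answers whatever source address it saw.
    synack = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport, "SA")
    got = lan_deliver(fw, synack)
    trace.append(f"reply at client  {got.src}:{got.sport} > {got.dst}:{got.dport} [{got.flags}]")

    # 4. The client's TCP stack only accepts a SYN-ACK from the 4-tuple it
    #    opened.  A SYN-ACK from any other source does not match the socket,
    #    so the SYN is retransmitted until connect() times out.
    completes = (got.src, got.sport) == (EXT_IP, LPD_PORT)
    return {"reply_from": f"{got.src}:{got.sport}",
            "handshake_completes": completes,
            "trace": trace}


if __name__ == "__main__":
    for snat in (False, True):
        r = hairpin_test(snat)
        print(f"hairpin SNAT {'on ' if snat else 'off'}: reply from {r['reply_from']}, "
              f"handshake {'completes' if r['handshake_completes'] else 'times out'}")
        for line in r["trace"]:
            print("   ", line)
```

The three trace lines per run are what you would compare between tcpdump on the external and internal interfaces: without the SNAT the reply at the client comes from the printer's own address, not the firewall's, which is the mismatch the reply above describes. Note also that if the real PREROUTING DNAT rule is restricted with `-i $EXT_INTERFACE`, an internal test never matches it at all, so reflection needs a second DNAT rule for LAN-sourced traffic alongside the SNAT; testing from a machine outside the network sidesteps all of this.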