
Re: iptables problem

Thiago Ribeiro wrote:

I have some problems with DNAT in iptables. I'm redirecting my external http
port to a remote host. I have 8 networks, beginning with 192.168.1-8. My remote machine and destination is and all networks
excluding can navigate in this.
When I run tcpdump or something similar to see the actions which someone on network
5 is making on the external IP, nothing happens. Here is the rule:

-A PREROUTING -d -p tcp -m tcp --dport 80 -j DNAT --to

I'm using network 7's address and the redirecting is perfect. Only
network 5 can't do this.

It is possible the packets from 192.168.5.x are successfully going to the router, then successfully being DNAT redirected to, but the returning packets are getting misdirected. I have seen this happen before, and what might be happening is that sees the source IP address in the incoming packets of 192.168.5.x, and so sends packets directly back to that machine. This means that the returning packet doesn't go back through the router, so the DNAT translation cannot be 'undone'. In the end the 192.168.5.x machine gets TCP packets from when it was expecting them to come back from Hence the 192.168.5.x machine rejects them, probably sending an ICMP packet back to indicating an error. Use of a packet sniffing program will tell you if this is occurring.

  Geoff Crompton
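The asymmetric return path Geoff describes can be made concrete with a small model of the router, its connection-tracking table and the DNAT target. This is an added example, not code from the thread or from either poster; every address in it is constructed (the original message elides the real ones), and the assumption that the server has a direct route only to network 5 is a hypothetical that reproduces the symptom. It also goes one step beyond the thread by showing why adding source NAT on the router forces the reply back through the translation state.

```python
"""Toy model of the DNAT return-path problem discussed in the thread.

Added example, not part of the original mailing-list post. All addresses are
constructed placeholders (RFC 5737 / RFC 1918); the real ones are not given in
the thread.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

EXTERNAL_IP = "203.0.113.10"   # constructed: the router's public address
ROUTER_LAN_IP = "192.168.0.1"  # constructed: the router's inside address
SERVER_IP = "192.168.9.20"     # constructed: the DNAT target ("remote machine")
# Constructed assumption: the server is directly attached to network 5 and
# reaches every other network only via the router (default route).
SERVER_DIRECT_NETS = [ip_network("192.168.5.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Router:
    """Models '-A PREROUTING -d EXTERNAL_IP -p tcp --dport 80 -j DNAT --to SERVER_IP'
    together with the state that lets the router undo the translation on the
    reply. With snat=True the router also rewrites the source address, which
    is the usual way to guarantee the reply comes back through it."""

    def __init__(self, snat: bool):
        self.snat = snat
        # translated (src, sport) -> original (client, sport)
        self.conntrack = {}

    def inbound(self, pkt: Packet) -> Packet:
        if not (pkt.dst == EXTERNAL_IP and pkt.dport == 80):
            return pkt  # rule does not match; forwarded untouched
        out = replace(pkt, dst=SERVER_IP)          # DNAT
        if self.snat:
            out = replace(out, src=ROUTER_LAN_IP)  # optional SNAT
        self.conntrack[(out.src, out.sport)] = (pkt.src, pkt.sport)
        return out

    def reverse(self, pkt: Packet) -> Optional[Packet]:
        """Undo DNAT (and SNAT) for a reply that actually traverses the router."""
        orig = self.conntrack.get((pkt.dst, pkt.dport))
        if orig is None or pkt.src != SERVER_IP:
            return None  # no matching state: the reply is not translated back
        client, sport = orig
        return Packet(src=EXTERNAL_IP, dst=client, sport=80, dport=sport)


def server_reply(pkt: Packet) -> Tuple[str, Packet]:
    """The server answers the SYN. If the client's network is directly
    attached, the reply goes straight to the client and bypasses the router."""
    reply = Packet(src=SERVER_IP, dst=pkt.src, sport=80, dport=pkt.sport)
    direct = any(ip_address(pkt.src) in net for net in SERVER_DIRECT_NETS)
    return ("direct" if direct else "router"), reply


def client_accepts(client_ip: str, sent: Packet, reply: Optional[Packet]) -> bool:
    """A TCP client only accepts a SYN/ACK from the address:port it connected to."""
    return (reply is not None and reply.dst == client_ip
            and reply.src == sent.dst and reply.sport == sent.dport
            and reply.dport == sent.sport)


def simulate(client_ip: str, snat: bool) -> str:
    """Run one connection attempt and report what the client sees."""
    router = Router(snat)
    syn = Packet(src=client_ip, dst=EXTERNAL_IP, sport=40000, dport=80)
    hop, reply = server_reply(router.inbound(syn))
    if hop == "router":
        reply = router.reverse(reply)
    if client_accepts(client_ip, syn, reply):
        return "accepted"
    if reply is None:
        return "rejected (no reply reached the client)"
    return f"rejected (reply from {reply.src}, expected {EXTERNAL_IP})"


if __name__ == "__main__":
    for client, snat in [("192.168.7.10", False), ("192.168.5.10", False),
                         ("192.168.5.10", True)]:
        print(f"client {client} snat={snat}: {simulate(client, snat)}")
```

The network-7 client works because its reply has to cross the router, where the conntrack entry restores the external address as the source; the network-5 client receives a SYN/ACK directly from the server's own address and discards it, exactly the misdirected return packet described above. On a real host the equivalent check is a capture on the network-5 client filtered on port 80: SYN/ACKs arriving from the server's address instead of the external IP confirm the diagnosis.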
