Re: iptables problem
Thiago Ribeiro wrote:
I have some problems with DNAT in iptables. I'm redirecting my external http
port to a remote host. I have 8 networks, beginning with 192.168.1-8.
My remote machine and destination is 192.168.5.2, and all networks
excluding 192.168.5.0/24 can navigate to it.
When I'm running tcpdump or something similar to see the actions which someone
on network 5 is making on the external IP, nothing is done. Here is the rule:
-A PREROUTING -d 18.104.22.168 -p tcp -m tcp --dport 80 -j DNAT --to
I'm using a network 7 address and the redirecting is perfect. Only
network 5 can't do this.
It is possible that the packets from 192.168.5.x are successfully going to the
router, then successfully being DNAT redirected to 192.168.5.2, but the
returning packets are getting misdirected.
I have seen this happen before, and what might be happening is that
192.168.5.2 sees the source IP address in the incoming packets as
192.168.5.x, and so sends packets directly back to that machine. This
means that the returning packet doesn't go back through the router, so
the DNAT translation cannot be 'undone'. In the end the 192.168.5.x
machine gets TCP packets from 192.168.5.2 when it was expecting them to
come back from 22.214.171.124. Hence the 192.168.5.x machine rejects
them, probably sending an ICMP packet back to 192.168.5.2 indicating an
error. Use of a packet sniffing program will tell you if this is occurring.
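The return-path problem described in the reply, modelled as a small added example (editor's code, not from anyone in this thread): it traces one HTTP request through DNAT and shows why a same-subnet client sees the reply arrive from 192.168.5.2 instead of the external address, and why adding a POSTROUTING SNAT for hairpin traffic (the usual fix, assumed here rather than stated in the thread) forces the reply back through the router. The router's LAN address 192.168.5.1 is an assumption.

```python
from dataclasses import dataclass

EXTERNAL_IP = "18.104.22.168"   # router's public address, from the thread
SERVER_IP = "192.168.5.2"       # DNAT target, from the thread
ROUTER_LAN_IP = "192.168.5.1"   # assumed: router's own address on network 5


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def same_subnet(a: str, b: str) -> bool:
    """All networks in the thread are /24, so compare the first three octets."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


def http_exchange(client_ip: str, snat_hairpin: bool = False) -> Packet:
    """Return the reply packet as the client finally sees it.

    snat_hairpin=False models the rule in the thread (DNAT only).
    snat_hairpin=True additionally rewrites the source of same-subnet
    clients to the router's LAN address (a POSTROUTING SNAT rule).
    """
    request = Packet(src=client_ip, dst=EXTERNAL_IP)

    # Router, PREROUTING: DNAT the public address to the internal server.
    new_src = client_ip
    if snat_hairpin and same_subnet(client_ip, SERVER_IP):
        new_src = ROUTER_LAN_IP          # POSTROUTING SNAT for hairpin traffic
    forwarded = Packet(src=new_src, dst=SERVER_IP)
    # Conntrack remembers the original tuple so replies can be un-translated.
    conntrack = {(forwarded.dst, forwarded.src): request}

    # The server answers whatever source address it saw in the request.
    reply = Packet(src=SERVER_IP, dst=forwarded.src)

    # Server's routing decision: an on-link destination is delivered directly;
    # anything off-link, or the router itself, goes through the router.
    if same_subnet(reply.dst, SERVER_IP) and reply.dst != ROUTER_LAN_IP:
        return reply                     # bypasses router; DNAT never undone

    original = conntrack[(reply.src, reply.dst)]
    return Packet(src=original.dst, dst=original.src)   # router reverses NAT


def client_accepts(reply: Packet) -> bool:
    """TCP only matches the reply if it comes from the address it connected to."""
    return reply.src == EXTERNAL_IP
```

A client on network 7 gets its reply from the external address, a client on network 5 gets it from 192.168.5.2 and drops it, and the same client with hairpin SNAT enabled gets it from the external address again.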