* [DNAT] Disappearing Packets
From: Thomas Wallrafen @ 2003-10-10  8:52 UTC
  To: netfilter

Hi all!

Sorry for asking this stupid question again, but searching the archives
couldn't help me solve my problem :(

I'm currently setting up an IPtables firewall using DNAT to access our
Webserver (192.168.0.42) and Masquerading to allow Internet access to
the clients.

Packets to the firewall (137.226.171.XXX) on port 80 can pass the FORWARD-chain:
(already DNATed...)
Oct 10 11:47:24 wormhole kernel: IN=eth0 OUT=eth1 SRC=170.252.80.XXX
DST=192.168.0.42 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=39702 DF PROTO=TCP
SPT=48785 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

The packets then get lost somehow. I can't trace back to where it is,
but the packets never reach the webserver on 192.168.0.42:80.
With the webserver-logs I can confirm this.

My IPtables setup currently is very minimal due to the current
testing-status (only one Masquerading and one DNAT rule).

All chains are set up to ACCEPT all packets, as long as I haven't found
a solution to this problem.

We're using IPtables 1.2.6a with an unpatched Kernel 2.4.22.

Has anyone a suggestion how to solve this?

Kind regards,

    Thomas Wallrafen


-- 
    __  _     Debian GNU/      _
   / / (_)_ __  _  ____  ___  | |
  / /  | | '_ \| | | \ \ / /  | |
 / /___| | | | | |_| |>   <   |_|
 \_______|_| |_|\__,_/_/\__\  (_)




* Amendment: [DNAT] Disappearing Packets
From: Thomas Wallrafen @ 2003-10-10  9:17 UTC
  To: netfilter

Thus spoke Thomas Wallrafen:
> Hi all!
> 
> Sorry for asking this stupid question again, but searching the archives
> couldn't help me solve my problem :(
> 
> I'm currently setting up an IPtables firewall using DNAT to access our
> Webserver (192.168.0.42) and Masquerading to allow Internet access to
> the clients.
> 
> Packets to the firewall (137.226.171.XXX) on port 80 can pass the FORWARD-chain:
> (already DNATed...)
> Oct 10 11:47:24 wormhole kernel: IN=eth0 OUT=eth1 SRC=170.252.80.XXX
> DST=192.168.0.42 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=39702 DF PROTO=TCP
> SPT=48785 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
> 
> The packets then get lost somehow. I can't trace back to where it is,
> but the packets never reach the webserver on 192.168.0.42:80.
> With the webserver-logs I can confirm this.
> 
> My IPtables setup currently is very minimal due to the current
> testing-status (only one Masquerading and one DNAT rule).
> 
> All chains are set up to ACCEPT all packets, as long as I haven't found
> a solution to this problem.
> 
> We're using IPtables 1.2.6a with an unpatched Kernel 2.4.22.
> 
> Has anyone a suggestion how to solve this?
> 
Amendment: Kernel-Forwarding via /proc is enabled

Thomas


-- 
    __  _     Debian GNU/      _
   / / (_)_ __  _  ____  ___  | |
  / /  | | '_ \| | | \ \ / /  | |
 / /___| | | | | |_| |>   <   |_|
 \_______|_| |_|\__,_/_/\__\  (_)




* Re: [DNAT] Disappearing Packets
From: Ralf Spenneberg @ 2003-10-10 10:20 UTC
  To: Thomas Wallrafen; +Cc: Netfilter

Hi Thomas,

On Fri, 2003-10-10 at 10:52, Thomas Wallrafen wrote:
> I'm currently setting up an IPtables firewall using DNAT to access our
> Webserver (192.168.0.42) and Masquerading to allow Internet access to
> the clients.
> 
> Packets to the firewall (137.226.171.XXX) on port 80 can pass the FORWARD-chain:
> (already DNATed...)
> Oct 10 11:47:24 wormhole kernel: IN=eth0 OUT=eth1 SRC=170.252.80.XXX
> DST=192.168.0.42 LEN=64 TOS=0x00 PREC=0x00 TTL=47 ID=39702 DF PROTO=TCP
> SPT=48785 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

Are you sure the packets get lost? What happens when you run tcpdump on
the internal interface of the firewall?
Can you run tcpdump on the webserver?
Does the webserver have a default gateway set pointing to the firewall?
Can you post your rules?
Does the internet access for the clients work?

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
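
Added example, not part of the thread or written by either poster: a small Python triage over FORWARD-chain LOG lines in the format quoted above, reporting for each client connection whether the DNATed SYN was ever answered back through the firewall. It assumes LOG rules in FORWARD cover both directions; the function names and the 203.0.113.x client addresses are constructed for illustration.

```python
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_log(line):
    """Split a netfilter LOG line into KEY=value fields plus the bare TCP flag tokens."""
    body = line.split("kernel: ", 1)[-1]
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:      # DF and other bare tokens are ignored
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def triage(lines, server="192.168.0.42", port="80", inside_if="eth1"):
    """Per (client, source port): was a forwarded SYN ever answered through the firewall?"""
    syns, replied = {}, set()
    for f in map(parse_log, lines):
        if f.get("PROTO") != "TCP":
            continue
        if (f.get("OUT") == inside_if and f.get("DST") == server
                and f.get("DPT") == port and f["FLAGS"] == {"SYN"}):
            conn = (f.get("SRC"), f.get("SPT"))
            syns[conn] = syns.get(conn, 0) + 1      # >1 means the client retransmitted
        elif (f.get("IN") == inside_if and f.get("SRC") == server
                and f.get("SPT") == port):
            # In FORWARD the reply still carries the server's private source address.
            replied.add((f.get("DST"), f.get("DPT")))
    return {c: ("answered" if c in replied else "no-reply", n) for c, n in syns.items()}

# Constructed sample in the LOG format quoted in the thread. The 203.0.113.x clients
# are made up; 192.168.0.42:80, eth0/eth1 and "wormhole" are taken from the thread.
SAMPLE = [
    "Oct 10 11:47:24 wormhole kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.0.42 "
    "LEN=64 TTL=47 DF PROTO=TCP SPT=48785 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Oct 10 11:47:27 wormhole kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.0.42 "
    "LEN=64 TTL=47 DF PROTO=TCP SPT=48785 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Oct 10 11:48:01 wormhole kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.0.42 "
    "LEN=60 TTL=52 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Oct 10 11:48:01 wormhole kernel: IN=eth1 OUT=eth0 SRC=192.168.0.42 DST=203.0.113.9 "
    "LEN=60 TTL=63 DF PROTO=TCP SPT=80 DPT=40000 WINDOW=5792 RES=0x00 ACK SYN URGP=0",
]

if __name__ == "__main__":
    for conn, (state, syn_count) in triage(SAMPLE).items():
        print(conn, state, "SYNs forwarded:", syn_count)
```

A `no-reply` result with a SYN count above one shows the firewall forwarded the packet and saw nothing come back, which narrows the search to the segment behind the inside interface and the server's return route.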
