
Re: problems with port forwarding

To: netfilter@lists.netfilter.org
Subject: Re: problems with port forwarding
From: "Andres Baravalle" <andres.baravalle@gmail.com>
Date: Fri, 23 Feb 2007 18:19:28 +0000
In-reply-to: <45992f580702230807p39f8fcacr914ef910270ae2ba@mail.gmail.com>
2007/2/23, Andres Baravalle <andres.baravalle@gmail.com>:
iptables -L FORWARD

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     tcp  --  anywhere             SERVER_B    tcp dpt:10022
ACCEPT     all  --  anywhere             anywhere
LOG        tcp  --  anywhere             SERVER_B    LOG level warning

If I connect from server A to localhost, port 10022, it works. If I
connect from any other machine to server A, port 10022, it doesn't.

Apparently the problem is in the FORWARD chain.

If I set the default policy to ACCEPT, it will work:

iptables -L FORWARD

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             SERVER_B            tcp dpt:10022
REJECT     tcp  --  anywhere             anywhere            tcp flags:!SYN,RST,ACK/SYN reject-with tcp-reset
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere

But I don't feel too comfortable having ACCEPT as the default value. Any
suggestions?

  Andres
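Port forwarding with the FORWARD policy left at DROP, as an added example that is not part of the post above. Two facts about netfilter packet flow bear on the symptom described: a connection opened on server A to localhost never traverses FORWARD at all (locally generated packets go through OUTPUT and POSTROUTING), so the local test says nothing about that chain; and FORWARD sees every packet after the PREROUTING DNAT has run, so its rule must match the translated destination address and port, not the public port. A third point is diagnostic: plain `iptables -L` hides interface matches and resolves addresses to names, so an "ACCEPT all anywhere anywhere" line can conceal an -i/-o restriction; list with `-v -n --line-numbers`. The script keeps the DROP policy and accepts only the DNATed connection on the expected interfaces. Interface names, addresses and the internal port 22 are assumptions, and the conntrack match (with its DNAT virtual state) is used in place of the older state match. By default it only prints the commands; set IPT=iptables and SYSCTL=sysctl as root to apply them.

```shell
#!/bin/sh
# Added example, not code from the original post. Minimal port forward
# that keeps "FORWARD (policy DROP)". All names and addresses below are
# assumptions; adjust them to the real network.

WAN_IF="${WAN_IF:-eth0}"                 # assumption: public-facing interface
LAN_IF="${LAN_IF:-eth1}"                 # assumption: interface towards SERVER_B
SERVER_B="${SERVER_B:-192.168.1.10}"     # assumption: internal host
FWD_PORT="${FWD_PORT:-10022}"            # public port, as in the post
DST_PORT="${DST_PORT:-22}"               # assumption: sshd port on SERVER_B

# Dry run by default: "echo iptables ..." prints the command instead of
# running it. Set IPT=iptables SYSCTL=sysctl (as root) to apply.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# nat/PREROUTING: rewrite WAN_IF:FWD_PORT -> SERVER_B:DST_PORT.
# This runs before FORWARD, so FORWARD sees SERVER_B:DST_PORT, not FWD_PORT.
nat_rules() {
    printf '%s\n' \
      "-t nat -A PREROUTING -i $WAN_IF -p tcp --dport $FWD_PORT -j DNAT --to-destination $SERVER_B:$DST_PORT"
}

# filter/FORWARD, in evaluation order, with the DROP policy kept.
# The DNAT accept rule matches the *translated* destination and port and
# only for connections that actually went through the NAT mapping
# (--ctstate DNAT), so a directly routed packet to SERVER_B:DST_PORT from
# the outside is still dropped. The trailing LOG shows what the policy
# drops, which is the first thing to read when a forward "does not work".
forward_rules() {
    printf '%s\n' \
      "-P FORWARD DROP" \
      "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
      "-A FORWARD -m conntrack --ctstate INVALID -j DROP" \
      "-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $SERVER_B --dport $DST_PORT -m conntrack --ctstate DNAT -j ACCEPT" \
      "-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT" \
      "-A FORWARD -j LOG --log-prefix FWD-DROP: --log-level warning"
}

# Enable routing, then push every rule through $IPT (printed or applied).
apply_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    { nat_rules; forward_rules; } | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting into arguments is intended
        $IPT $rule
    done
}

# Inspect with -v -n --line-numbers: plain -L hides -i/-o matches and
# resolves addresses to names, which hides why a rule does not match.
show_forward() {
    $IPT -L FORWARD -v -n --line-numbers
    $IPT -t nat -L PREROUTING -v -n --line-numbers
}

# Usage:  sh portfwd.sh                          (print the rules)
#         IPT=iptables SYSCTL=sysctl sh portfwd.sh   (apply, as root)
apply_rules
```

Test the forward from a host other than server A (or at least from a host on WAN_IF), since a local connection from server A bypasses FORWARD entirely; if it still fails, `show_forward` plus the FWD-DROP log lines show which rule the packet fell through.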
