DNAT: Neforwardovani tcp spojeni [trosku delsi]

Dal Horinek dallinux na centrum.cz
Sobota Prosinec 30 16:04:55 CET 2006 

Zdravim konferenci,

uz nekolik dni resim zvlastni problem s forwardovanim portu. Z nejakeho
duvodu, kdyz zkusim forwardovat tcp spojeni, tak nedojde. Nevim uz kde
hledat chybu, tak se obracim na vas.

Moje situace je takovato:

server
     eth0 85.207.88.24
     eth1 192.168.88.1

notebook1
     eth0 192.168.88.88

notebook2
     eth0 192.168.88.208

Na serveru je nat a chci forwardovat port 5900 na notebook2, tedy vnc,
coz je tcp.
Pokud na notebook2 pustim:

netcat -l -p 5900

a z notebook1 se na nej pripojim pres netcat server 5900 (ted by melo
probihat forwardovani)
tak zadna data netecou, pritom pokud dam v iptables misto destination
DNAT, ale LOG, v logu se objevi, takze je to matchnute.

Prime spojeni, tedy pres netcat notebook2 5900 z notebook1 to funguje fajn.

Jestlize vyzkousim UDP spojeni, tak to i s forwardovanim projde take.
Krome toho, funguje to jen v pripade, ze se nesnazim pripojit z
pocitace, kde to bezi a nebo serveru, v tech pripadech to nefunguje take.

Zkousel jsem i tcpdump, ktery nejak tok dat ukazuje, ale tim to asi tak
konci.

Takze nastaveni na serveru:

jadro:
2.6.19.1 (zkouseno i na 2.6.19)
(config jadra v priloze)

iptables:
*filter
:INPUT DROP [5159:435760]
:FORWARD ACCEPT [555346:267151164]
:OUTPUT ACCEPT [70023:54171609]
-A INPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT
-A INPUT -s 192.168.88.0/255.255.255.0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m recent
--set --name DEFAULT --rsource
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m recent
--update --seconds 60 --hitcount 3 --name DEFAULT --rsource -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 835 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 836 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Sat Dec 30 15:49:07 2006
# Generated by iptables-save v1.2.11 on Sat Dec 30 15:49:07 2006
*nat
:PREROUTING ACCEPT [11430:759167]
:POSTROUTING ACCEPT [1524:151341]
:OUTPUT ACCEPT [1303:110892]
-A PREROUTING -p udp -m udp --dport 13896 -j DNAT --to-destination
192.168.88.88
-A PREROUTING -p tcp -m tcp --dport 13896 -j DNAT --to-destination
192.168.88.88
-A PREROUTING -p tcp -m tcp --dport 5900 -j DNAT --to-destination
192.168.88.208
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT


route:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
85.207.88.16    0.0.0.0         255.255.255.240 U     0      0        0 eth0
192.168.88.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         85.207.88.17    0.0.0.0         UG    0      0        0 eth0

ifconfig:
eth0      Link encap:Ethernet  HWaddr 00:50:04:69:6B:0C
           inet addr:85.207.88.24  Bcast:85.207.88.31  Mask:255.255.255.240
           inet6 addr: fe80::250:4ff:fe69:6b0c/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:366682 errors:0 dropped:0 overruns:0 frame:0
           TX packets:286573 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:224061096 (213.6 MiB)  TX bytes:64105452 (61.1 MiB)
           Interrupt:11 Base address:0xcf80

eth1      Link encap:Ethernet  HWaddr 00:0E:2E:36:9B:2A
           inet addr:192.168.88.1  Bcast:192.168.88.255  Mask:255.255.255.0
           inet6 addr: fe80::20e:2eff:fe36:9b2a/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:289118 errors:0 dropped:0 overruns:0 frame:0
           TX packets:341323 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:63359453 (60.4 MiB)  TX bytes:270660342 (258.1 MiB)
           Interrupt:12 Base address:0xc400

Na obou notebookach je vsechno ACCEPT.

Pozn:
Jestlize jsem zkusil udelat z notebook1 nat a forwardovat pres nej, vse
fungovalo ok, ale vazne nevim, kde problem je, protoze co se tyce
iptables, problem by tam nemel byt.

Pokud by nekdo vedel, kde by mohl byt problem, pripadne jakym zpusobem
ho nejlepe najit, budu velmi rad za kazdou pomoc.

                   S pozdravem
                                         Dalibor Horinek


-- 
== www.horinek.net ==
Dalibor Horinek
ICQ: 178217372


------------- další část ---------------
A non-text attachment was scrubbed...
Name: 2.6.19.1-config.bz2
Type: application/x-bzip
Size: 9954 bytes
Desc: [žádný popis není k dispozici]
URL: <http://www.linux.cz/pipermail/linux/attachments/20061230/1677995d/attachment.bin>

Další informace o konferenci Linux