Quotes DB: #iptables log
<0> $PF -A FORWARD -i eth0 -o eth2 -s $ANY -d $SRVMAIL -p tcp --dport 1024: --sport 25 -j ACCEPT
<0> these are my rules, onweald_tim
<1> jsan1: Forgot about pastebin... ;-)
<1> Just a sec and I'll look it over.
<1> So messages weren't being delivered going out or coming back in?
<1> ^^^^ jsan1
<0> sorry my friend, I am very exhausted
<0> I am nervous with my problem, so I need help, my friends; this channel is very good for me
<0> help me please
<1> We'll try. I am learning myself. Helping others is a good way to learn for both of us. :-)
<1> jsan1: So messages weren't being delivered going out or coming back in?
<0> yes my friend, but for me time's over, my boos camy messages isn't going to the internet
<0> I receive messages but send, no!
<0> understand?
<1> si
<0> between my internal net and DMZ is good, but when I try to send a message to the internet I don't have success
<0> but I receive messages when people send me an email
<0> only send to the internet is impossible
<1> Can you give me a value for $ANY
<0> $any = 0.0.0.0
<0> any is all the internet, understand?
<1> jsan1: iptables -t nat -A POSTROUTING -s $DMZ_SRVMAIL -p tcp --dport 25 -j SNAT --to $SRVMAIL
<1> Need a dport on POSTROUTING so that outbound destined for port 25 will be snat'd
<2> try making $ANY=0/0
<0> a moment please
<1> $ANY isn't really necessary though, right? jsan1 is filtering for any address... you don't need to do that.
<2> I'm pretty sure any ip address defaults to itself/32 which would mean 0.0.0.0 is looking for a real ip of 0.0.0.0
<2> correct, it's redundant.
<2> so you can just omit -s $ANY etc.
<1> it's redundant
<1> :-)
<1> trappist: I am using xen. I wonder if that may be causing me a problem.
<2> don't know enough about xen to have an opinion on that
<0> onweald_tim, today isn't a good day for me
<0> I don't have good results
<1> jsan1: Have you tried logging the outbound packets and responses?
<1> Speaking out loud here. Anyone jump in to tell me I'm wrong...
<1> Heck... brb
<1> Okay, here is the evidence.
<1> I can ping a public ip address from the other side of br-apps. So icmp packets are SNAT'd correctly.
<1> But if I try to ping a URL like www.microsoft****s.com, I don't get the ip address resolved.
<1> I am SNAT'ing udp port 53. I have confirmed that the response comes back from the DNS server. It is destined for my public IP address.
<1> I cannot log the response through iptables. I can only see it if I use tcpdump.
<1> So, something is screwing it up between its arrival on eth0 and when the kernel would deliver the response to iptables.
<1> Another fact: If I turn tcpdump on for br-dmz then everything starts to work. Therefore, it has something to do with routing.
<1> I have gone so far as to specify that 10.1.0.32 (the source ip) routes through br-apps. This did not help.
<1> Is there a kernel configuration that controls routing?
<1> That is, is there one that might cause these symptoms?
<3> onweald_tim: Q: why are you SNAT'ing 53?
<1> udp 53 is used for DNS lookup
<3> correct
<3> but why are you SNAT'ing?
<1> br-apps is internal network. br-dmz has the public ip address. I have to snat the outbound request to the public ip address.
<3> why not just masquerade?
<1> My understanding was that masquerade was overkill for what I needed. Masquerade is supposed to be used when you are not sure what your public ip address will be.
<3> not true
<1> Fill my head with knowledge oh Lazydog...
<1> Is there some guidance on when to use masquerade and when to use snat?
<1> <--- head still empty :-)
<3> with SNAT you are running the risk of making mistakes and breaking things. You have to add a line for everything you want to do (time consuming). With Masquerade everything is done for you, tracking and ensuing the correct ip address is assigned to the packet. Plus there is only one line needed in your rules
<3> s/ensuing/ensuring
<1> I haven't used that yet. I'll RTFM and check back in a sec...
<3> ok
<1> I'm desperate and will try anything!
<1> Even RTFM :-)
<3> i don't know your rules but i'm willing to bet if you use MASQ your problems might go away
<3> onweald_tim: i'm going to read newsgroups now. if you want to talk to me again just type my nick and my system will inform me that someone is looking for me
<1> ok
<4> The "official" line on SNAT vs. MASQUERADE is to use SNAT for a static IP, MASQUERADE for dynamic. ("Static/dynamic" in real terms, whether or not the IPs change; as opposed to the ISP's terminology. DHCP can be "static".)
<1> rob0: Yeah, that is what I read. Masquerade has a higher cpu overhead.
<1> Lazydog: This didn't work: iptables -t nat -I POSTROUTING -s 10.1.0.0/16 -o eth0 -j MASQUERADE
<3> iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
<1> I'll try that one...
<3> then look at your rules and ensure that it was taken
<3> iptables -L -v -n | less -SCi