iptables Problem
Janina Sajka
janina at rednote.net
Thu Sep 14 15:58:02 UTC 2006
Michal Jaegermann writes:
> On Wed, Sep 13, 2006 at 05:26:10PM -0400, Janina Sajka wrote:
> > For some reason the DNAT target isn't working in the following situation.
> >
> > iptables -t nat -A PRErOUTING -i eth0 -p udp --dport 5060 -j DNAT --to 172.16.32.48
> >
> > however
> >
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT 172.16.32.48
> > works just fine.
> >
> > Any clue?
>
> My first guess would be that earlier you have a rule which does
> DROP or REJECT on packets to port 5060. I assume that "PRErOUTING"
> is a copying mistake. Right?
>
No, we flushed the ruleset in order to make certain we're isolating the
problem. Furthermore, iptables output suggests it's working, but it
doesn't actually work for udp, though tcp works just as it should. Here's
additional output:

iptables -t nat -I PREROUTING -p udp -d 66.92.XXX.XXX/32 --dport 5060 -j DNAT --to-destination 172.23.203.213
iptables -t nat -A PREROUTING -p tcp -d 66.92.XXX.XXX/32 --dport 5060 -j DNAT --to 172.23.203.213
iptables -t nat -I POSTROUTING -s 172.23.203.213/32 -d 0.0.0.0/0 -j SNAT --to-source 66.92.XXX.XXX

iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT udp -- anywhere sonata.rednote.net udp dpt:sip to:172.23.203.213
DNAT tcp -- anywhere sonata.rednote.net tcp dpt:sip to:172.23.203.213

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 172.23.203.213 anywhere to:66.92.XXX.XXX

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

And yet it doesn't actually nat the connection to 172.23.203.213:5060. Like I said before, I can get port 80 with tcp just fine.
Janina and Frank
> Michal
--
Janina Sajka Phone: +1.202.595.7777
Partner, Capital Accessibility LLC http://CapitalAccessibility.Com
Marketing the Owasys 22C talking screenless cell phone in the U.S. and Canada--Go to http://ScreenlessPhone.Com to learn more.
Chair, Accessibility Workgroup Free Standards Group (FSG)
janina at freestandards.org http://a11y.org