
View Full Version : A NAT question


samuelfreer@yahoo.com
14-10-2005, 06:19 PM
Hello

I have a server with two interfaces to it: one an Ethernet card
(192.168.2.45) connected to a gateway (192.168.2.100), and another
interface, a TUN/TAP acting as a point-to-point interface between this
server (192.168.2.56) and an application (with the application end as
192.168.2.55).

I have an ssh tunnel open on port 9000 on this server, which port forwards
to another server. The netstat for this is as shown:

tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN

I need to connect to this port from the application connected through
the TUN/TAP. For this I try to connect to 192.168.2.46, port 9001, from this
application. The trouble is that I am not able to connect to it.

What I was expecting is that when I try to connect over TCP to 192.168.2.46
port 9001 from the application at the tun/tap end (192.168.2.55), the packet
would hit the PREROUTING table first and get DNATed to 127.0.0.1, port 9000.
This would then get routed to 127.0.0.1, port 9000. The routing table
entry is also shown below. I do a tcpdump on both lo and tun0. I see the
packets hitting .46 from .55, but I don't see any activity on lo.
So obviously the packets are being dropped somewhere in between.

For the very same config, instead of DNATing to 127.0.0.1, I tried DNATing to
192.168.2.100. There I do see the packets being DNATed properly and then being
blocked by the firewall (config shown below).


I have the routing table on this server as follows:

Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.2.55    192.168.2.56    255.255.255.255 UGH    40 0         0 tun0
192.168.2.55    0.0.0.0         255.255.255.255 UH     40 0         0 tun0
192.168.2.0     0.0.0.0         255.255.255.0   U      40 0         0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG     40 0         0 lo
0.0.0.0         192.168.2.100   0.0.0.0         UG     40 0         0 eth0

And the filter table as follows:

Chain INPUT (policy DROP)
target     prot opt source          destination
ACCEPT     tcp  --  192.168.2.55    127.0.0.1        tcp dpt:9000
ACCEPT     tcp  --  192.168.2.100   0.0.0.0/0        tcp dpt:22
ACCEPT     tcp  --  192.168.2.100   0.0.0.0/0        tcp dpt:3270
ACCEPT     tcp  --  127.0.0.1       0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0       127.0.0.1
ACCEPT     udp  --  127.0.0.1       127.0.0.1
LOG        all  --  0.0.0.0/0       0.0.0.0/0        LOG flags 0 level 4

Chain FORWARD (policy DROP)
target     prot opt source          destination
LOG        all  --  0.0.0.0/0       0.0.0.0/0        LOG flags 0 level 4

Chain OUTPUT (policy DROP)
target     prot opt source          destination
ACCEPT     tcp  --  0.0.0.0/0       192.168.2.100    tcp spt:22
ACCEPT     tcp  --  0.0.0.0/0       192.168.2.100    tcp spt:3270
ACCEPT     tcp  --  127.0.0.1       0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0       127.0.0.1
ACCEPT     udp  --  127.0.0.1       127.0.0.1
LOG        all  --  0.0.0.0/0       0.0.0.0/0        LOG flags 0 level 4

And the NAT table as follows:

Chain PREROUTING (policy ACCEPT)
target     prot opt source          destination
DNAT       tcp  --  anywhere        192.168.2.46     tcp dpt:9001 to:127.0.0.1:9000


Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Thanks

Samuel
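The packet path the post describes (nat PREROUTING, then the routing decision, then filter INPUT or FORWARD) can be traced offline against the rules and routes above. The following is an added example, not code from the post or from netfilter: it transcribes the posted routing table and iptables chains into a small simulator and walks constructed packets through them. The one assumption it adds beyond the post is the kernel's martian check: a packet whose destination (after DNAT) is in 127.0.0.0/8 but which arrived on a non-loopback interface is discarded by the routing code before any filter chain runs, unless the later-kernel knob net.ipv4.conf.<iface>.route_localnet is set. The server's own addresses (LOCAL_ADDRS) are also assumed.

```python
"""Trace a packet through the posted netfilter setup:
nat PREROUTING (DNAT) -> routing decision -> filter INPUT or FORWARD.
Routes and rules are transcribed from the post; the packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
LO = ip_network("127.0.0.0/8")
LOCAL_ADDRS = {"192.168.2.45", "192.168.2.46", "192.168.2.56"}  # assumed server addresses


def h(addr: str):
    """Host (/32) network for a single address."""
    return ip_network(addr + "/32")


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    target: str
    proto: str = "all"
    src: object = ANY
    dst: object = ANY
    dport: Optional[int] = None
    to: Optional[str] = None  # DNAT target "ip:port"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("all", p.proto)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def run_chain(rules, policy, pkt):
    """First terminating match wins; LOG is non-terminating, so the walk continues past it."""
    for i, r in enumerate(rules):
        if r.matches(pkt) and r.target != "LOG":
            return r.target, f"rule {i + 1}"
    return policy, "policy"


# Routing table from the post as (network, iface); longest prefix wins
ROUTES = [(h("192.168.2.55"), "tun0"), (ip_network("192.168.2.0/24"), "eth0"),
          (LO, "lo"), (ANY, "eth0")]


def route(dst: str) -> str:
    return max((r for r in ROUTES if ip_address(dst) in r[0]), key=lambda r: r[0].prefixlen)[1]


# filter table from the post (OUTPUT is not needed for an inbound packet)
FILTER_INPUT = [
    Rule("ACCEPT", "tcp", h("192.168.2.55"), h("127.0.0.1"), 9000),
    Rule("ACCEPT", "tcp", h("192.168.2.100"), ANY, 22),
    Rule("ACCEPT", "tcp", h("192.168.2.100"), ANY, 3270),
    Rule("ACCEPT", "tcp", h("127.0.0.1"), ANY),
    Rule("ACCEPT", "tcp", ANY, h("127.0.0.1")),
    Rule("ACCEPT", "udp", h("127.0.0.1"), h("127.0.0.1")),
    Rule("LOG"),
]
FILTER_FORWARD = [Rule("LOG")]


def traverse(pkt: Packet, dnat_to: str = "127.0.0.1:9000", route_localnet: bool = False):
    """Return (verdict, where). route_localnet models net.ipv4.conf.<iface>.route_localnet
    (assumption about kernel behaviour, not from the post): without it, a 127/8 destination
    arriving on a non-loopback interface is a martian and is dropped before any filter chain."""
    nat = [Rule("DNAT", "tcp", ANY, h("192.168.2.46"), 9001, dnat_to)]  # posted PREROUTING rule
    verdict, _ = run_chain(nat, "ACCEPT", pkt)
    if verdict == "DNAT":
        ip, port = dnat_to.rsplit(":", 1)
        pkt = Packet(pkt.in_iface, pkt.src, ip, int(port), pkt.proto)  # routing sees the new dst
    dst = ip_address(pkt.dst)
    if dst in LO and pkt.in_iface != "lo" and not route_localnet:
        return "DROP", f"martian: {pkt.dst} arrived on {pkt.in_iface}; filter INPUT never sees it"
    if dst in LO or pkt.dst in LOCAL_ADDRS:  # local delivery -> INPUT chain
        verdict, where = run_chain(FILTER_INPUT, "DROP", pkt)
        return verdict, f"INPUT {where} for {pkt.dst}:{pkt.dport}"
    verdict, where = run_chain(FILTER_FORWARD, "DROP", pkt)  # otherwise forwarded -> FORWARD chain
    return verdict, f"FORWARD {where} for {pkt.dst}:{pkt.dport} out {route(pkt.dst)}"


if __name__ == "__main__":
    app = Packet("tun0", "192.168.2.55", "192.168.2.46", 9001)  # constructed: the app's SYN
    print(traverse(app))                                   # dropped as martian, nothing on lo
    print(traverse(app, route_localnet=True))              # INPUT rule 1 accepts it
    print(traverse(app, dnat_to="192.168.2.100:9000"))     # DNAT works, FORWARD policy drops it
```

The third case reproduces what the post reports for the 192.168.2.100 experiment (DNAT applied, then blocked by the FORWARD policy), which is why that variant is visible in the LOG rule while the loopback variant is silent: a martian drop happens in the routing code, outside netfilter, so no filter rule and no tcpdump on lo ever sees it. A practitioner who needs an on-box listener reachable from the tun0 peer will usually prefer to bind the forward there in the first place (OpenSSH's `-L [bind_address:]port:host:hostport` accepts a local address such as the tun0 one) rather than redirecting a non-loopback packet onto 127.0.0.1.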