I'm trying to understand why I can't access a host from my NAT network. I thought my firewall must be blocking. I enabled logging of dropped packets but still didn't see what wasn't working.
So I disabled it and now have a very basic masquerading setup -- no dropping (shown below).

NAT is working from my internal laptop:

[EMAIL PROTECTED]:~$ ping debian.org
PING debian.org (192.25.206.10): 56 data bytes
64 bytes from 192.25.206.10: icmp_seq=0 ttl=49 time=98.0 ms

iptables is running on "mardy".

The site doesn't respond to ping -- I assume they are blocking (I've tried from a number of other hosts, too):

[EMAIL PROTECTED]:~$ ping www.pge.com
PING www.pge.com (131.89.128.50): 56 data bytes

Still, I can fetch their web page from host "mardy":

[EMAIL PROTECTED]:~$ HEAD www.pge.com
200 OK
Connection: close
Date: Mon, 08 Sep 2003 16:02:11 GMT
Server: Netscape-Enterprise/4.1
Content-Length: 0
Content-Type: text/html
Client-Date: Mon, 08 Sep 2003 16:02:12 GMT
Client-Response-Num: 1

But I cannot from the inside network:

[EMAIL PROTECTED]:~$ HEAD www.pge.com
500 Can't connect to www.pge.com:80 (connect: timeout)
Client-Date: Mon, 08 Sep 2003 16:06:16 GMT

I assume that they are blocking some packets (because they seem to be blocking pings and traceroute) and also maybe blocking my NAT'ed packets. But I don't see how they would be able to tell NAT'ed packets from "laptop" any differently than from "mardy".

I'm not very good at tcpdump, so I don't understand the difference in the flags I'm seeing:

mardy:/etc# tcpdump host www.pge.com
tcpdump: listening on eth0

Here's trying to connect from "laptop" inside the NAT:

09:14:43.972161 mardy.hank.org.32768 > can10.pge.com.domain: 7254 [1au] AAAA? www.pge.com. OPT UDPsize=2048 (40) (DF)
09:14:43.993925 can10.pge.com.domain > mardy.hank.org.32768: 7254* 0/1/1 (94) (DF)
09:14:52.369502 mardy.hank.org.1140 > www.pge.com.www: SWE 3476626643:3476626643(0) win 5840 <mss 1460,sackOK,timestamp 942432 0,nop,wscale 0> (DF)
09:14:55.365293 mardy.hank.org.1140 > www.pge.com.www: SWE 3476626643:3476626643(0) win 5840 <mss 1460,sackOK,timestamp 942732 0,nop,wscale 0> (DF)
09:15:01.365691 mardy.hank.org.1140 > www.pge.com.www: SWE 3476626643:3476626643(0) win 5840 <mss 1460,sackOK,timestamp 943332 0,nop,wscale 0> (DF)

Here's connecting (successfully) from "mardy":

09:16:51.246177 mardy.hank.org.57886 > www.pge.com.www: S 1784081886:1784081886(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF)
09:16:51.264643 www.pge.com.www > mardy.hank.org.57886: S 3679981607:3679981607(0) ack 1784081887 win 9660 <nop,nop,sackOK,mss 1380> (DF)
09:16:51.264681 mardy.hank.org.57886 > www.pge.com.www: . ack 1 win 5840 (DF)
09:16:51.266057 mardy.hank.org.57886 > www.pge.com.www: P 1:88(87) ack 1 win 5840 (DF)
09:16:51.290761 www.pge.com.www > mardy.hank.org.57886: . ack 88 win 9660 (DF)
09:16:51.293569 www.pge.com.www > mardy.hank.org.57886: P 1:153(152) ack 88 win 9660 (DF)
09:16:51.293587 mardy.hank.org.57886 > www.pge.com.www: . ack 153 win 5840 (DF)
09:16:51.294467 www.pge.com.www > mardy.hank.org.57886: F 153:153(0) ack 88 win 9660 (DF)
09:16:51.304638 mardy.hank.org.57886 > www.pge.com.www: F 88:88(0) ack 154 win 5840 (DF)
09:16:51.320796 www.pge.com.www > mardy.hank.org.57886: . ack 89 win 9660 (DF)

Here's the iptables setup I'm using during all of this:

mardy:/etc# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level warning

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

-- 
Bill Moseley
[EMAIL PROTECTED]
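The two captures above, parsed to show exactly what differs between the answered handshake and the unanswered one. This is an added example, not part of Bill's message or of any reply on the list. The regex is written for the older tcpdump output format shown in the post (flags as bare letters before the sequence numbers; current tcpdump prints "Flags [S.]" instead, so it would need adjusting, an assumption noted in the code). POST_CAPTURE is copied from the post; the function names analyse and report are mine.

```python
"""Compare two tcpdump captures: which TCP handshakes got a SYN-ACK, and how the
unanswered SYNs differ from the answered one (flags and TCP options).
Assumes the old tcpdump line format from the post: "src.port > dst.port: FLAGS ...".
"""
import re

# tcpdump flag letters; W and E are the ECN CWR and ECE bits (RFC 3168), '.' = none.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
              "U": "URG", "W": "CWR", "E": "ECE"}
ECN_FLAGS = {"CWR", "ECE"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\.(?P<sport>[^\s.]+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>[^\s.:]+):\s+"
    r"(?P<flags>[SFPRUWE.]+)\s+(?P<rest>.*)$")
ACK_RE = re.compile(r"\back \d+")
OPTS_RE = re.compile(r"<([^>]*)>")

# The tcpdump lines from the post (the two DNS lines are non-TCP and get skipped).
POST_CAPTURE = """
09:14:43.972161 mardy.hank.org.32768 > can10.pge.com.domain: 7254 [1au] AAAA? www.pge.com. OPT UDPsize=2048 (40) (DF)
09:14:43.993925 can10.pge.com.domain > mardy.hank.org.32768: 7254* 0/1/1 (94) (DF)
09:14:52.369502 mardy.hank.org.1140 > www.pge.com.www: SWE 3476626643:3476626643(0) win 5840 <mss 1460,sackOK,timestamp 942432 0,nop,wscale 0> (DF)
09:14:55.365293 mardy.hank.org.1140 > www.pge.com.www: SWE 3476626643:3476626643(0) win 5840 <mss 1460,sackOK,timestamp 942732 0,nop,wscale 0> (DF)
09:15:01.365691 mardy.hank.org.1140 > www.pge.com.www: SWE 3476626643:3476626643(0) win 5840 <mss 1460,sackOK,timestamp 943332 0,nop,wscale 0> (DF)
09:16:51.246177 mardy.hank.org.57886 > www.pge.com.www: S 1784081886:1784081886(0) win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 0> (DF)
09:16:51.264643 www.pge.com.www > mardy.hank.org.57886: S 3679981607:3679981607(0) ack 1784081887 win 9660 <nop,nop,sackOK,mss 1380> (DF)
09:16:51.264681 mardy.hank.org.57886 > www.pge.com.www: . ack 1 win 5840 (DF)
09:16:51.266057 mardy.hank.org.57886 > www.pge.com.www: P 1:88(87) ack 1 win 5840 (DF)
09:16:51.294467 www.pge.com.www > mardy.hank.org.57886: F 153:153(0) ack 88 win 9660 (DF)
09:16:51.304638 mardy.hank.org.57886 > www.pge.com.www: F 88:88(0) ack 154 win 5840 (DF)
"""


def parse_line(line):
    """Parse one TCP line into a dict; return None for non-TCP lines (DNS, noise)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = {FLAG_NAMES[c] for c in m.group("flags") if c != "."}
    opts = OPTS_RE.search(m.group("rest"))
    # Keep only option names ("timestamp 942432 0" -> "timestamp").
    options = {item.strip().split()[0]
               for item in opts.group(1).split(",") if item.strip()} if opts else set()
    return {"src": m.group("src"), "sport": m.group("sport"),
            "dst": m.group("dst"), "dport": m.group("dport"),
            "flags": flags, "ack": bool(ACK_RE.search(m.group("rest"))),
            "options": options}


def analyse(capture):
    """Group client SYNs by (client, port, server, port); mark ones that got a SYN-ACK."""
    conns = {}
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None or "SYN" not in pkt["flags"]:
            continue
        if not pkt["ack"]:  # client SYN, or a retransmission of it
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            c = conns.setdefault(key, {"syn_count": 0, "syn_flags": set(),
                                       "syn_options": set(), "syn_ack": False})
            c["syn_count"] += 1
            c["syn_flags"] |= pkt["flags"]
            c["syn_options"] |= pkt["options"]
        else:  # server SYN-ACK: the 4-tuple is reversed relative to the client SYN
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if key in conns:
                conns[key]["syn_ack"] = True
    for c in conns.values():
        c["ecn_in_syn"] = bool(c["syn_flags"] & ECN_FLAGS)
    return conns


def report(conns):
    """One readable line per connection attempt."""
    lines = []
    for (src, sport, dst, dport), c in conns.items():
        status = ("handshake completed" if c["syn_ack"]
                  else "%d SYN(s) sent, no SYN-ACK" % c["syn_count"])
        lines.append("%s:%s -> %s:%s: %s; SYN flags %s; ECN bits set: %s; options %s"
                     % (src, sport, dst, dport, status, sorted(c["syn_flags"]),
                        c["ecn_in_syn"], sorted(c["syn_options"])))
    return lines


if __name__ == "__main__":
    for line in report(analyse(POST_CAPTURE)):
        print(line)
```

Run against the post's capture, the report shows that the laptop's SYN (port 1140) was sent three times with flags SYN, CWR and ECE and never answered, while mardy's own SYN (port 57886) carried plain SYN and completed. In tcpdump's notation W and E are the ECN bits, so apart from the laptop's extra timestamp option, the ECN bits are the only thing distinguishing the two SYNs on the wire. On a Linux host those bits are set on outgoing SYNs when net.ipv4.tcp_ecn is 1; the practical check is to set it to 0 on the laptop (sysctl -w net.ipv4.tcp_ecn=0, or echo 0 > /proc/sys/net/ipv4/tcp_ecn) and repeat the HEAD request, which tells you whether the far end is dropping ECN-marked SYNs without guessing from the flags alone.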