iptables; still can't get out from DNAT'ed servers... help please?! :)
Madison Kelly
linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Thu Feb 19 16:35:19 UTC 2004
Robert Brockway wrote:
> On Thu, 19 Feb 2004, Madison Kelly wrote:
>
>
>>Ah! I hate it when I do this...
>>
>>Ping isn't getting out or in but the Internet -is- working from the
>>servers now after all... So, if someone knows why the icmp packets
>>aren't getting through then by all means let me know but it is low
>>priority.
>
>
> A couple of thoughts:
>
> 1. Are you SNATing icmp out?
>
> 2. Is your firewall blocking icmp type 0 or 8?
>
> Rob
Hi Rob,
1. I would assume I am because the rule simply states:
-A POSTROUTING -s 192.168.1.12 -j SNAT --to-source 111.222.33.47
and
-A PREROUTING -d 111.222.33.47 -j DNAT --to-destination 192.168.1.12
These place no other restrictions so I would assume that ICMP are caught.
2. Inbound I DROP icmp 5 9 10 15 16 17 and 18 (same as the FW itself
and LAN which both can ping properly). I do have a limit on icmp message
8 to avoid ping floods but again, it is the same as the FW and LAN which
work.
Madison
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
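The check a practitioner would make on a setup like the one above, as an added example that is not the poster's configuration or any code from the thread: trace an inbound packet through a minimal model of netfilter to see which filter chain judges it after DNAT. The two nat rules are the ones quoted above; the filter table, the firewall's own address 111.222.33.46 and the packet sources are constructed assumptions, and `-m limit` is treated as always matching.

```python
import re
FIREWALL_ADDRS = {"111.222.33.46"}  # the firewall's own address (constructed)
# Constructed ruleset in iptables-save style. The two nat rules are the ones
# quoted in the thread; the filter rules are an assumption: ICMP is handled
# only in INPUT, while FORWARD admits just TCP to the DNAT'ed server.
RULESET = """
*nat
-A PREROUTING -d 111.222.33.47 -j DNAT --to-destination 192.168.1.12
-A POSTROUTING -s 192.168.1.12 -j SNAT --to-source 111.222.33.47
*filter
:INPUT DROP
:FORWARD DROP
-A INPUT -p icmp --icmp-type 5 -j DROP
-A INPUT -p icmp --icmp-type 8 -m limit --limit 1/s -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -p tcp -d 192.168.1.12 -j ACCEPT
"""

def parse(text):
    """Return {table: {"policy": {chain: target}, "rules": [option dicts]}}."""
    tables, table = {}, None
    for line in text.strip().splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()
            table["policy"][chain] = policy
        elif line.startswith("-A"):
            opts = dict(re.findall(r"(-[-\w]+) (\S+)", line))
            opts["chain"] = opts.pop("-A")
            table["rules"].append(opts)
    return tables

def matches(rule, pkt):
    """Match on the selectors this model understands; -m limit is ignored."""
    selectors = (("-p", pkt["proto"]), ("-s", pkt["src"]), ("-d", pkt["dst"]),
                 ("--icmp-type", pkt.get("icmp_type")))
    return all(rule.get(opt) in (None, val) for opt, val in selectors)

def trace(ruleset, pkt):
    """Return (chain that judged the inbound packet, its verdict)."""
    tables, pkt = parse(ruleset), dict(pkt)
    for rule in tables["nat"]["rules"]:  # nat PREROUTING runs before routing
        if rule["chain"] == "PREROUTING" and rule["-j"] == "DNAT" and matches(rule, pkt):
            pkt["dst"] = rule["--to-destination"]
            break
    chain = "INPUT" if pkt["dst"] in FIREWALL_ADDRS else "FORWARD"  # routing decides
    for rule in tables["filter"]["rules"]:
        if rule["chain"] == chain and matches(rule, pkt):
            return chain, rule["-j"]
    return chain, tables["filter"]["policy"][chain]
```

With this ruleset an echo-request to the DNAT'ed address lands in FORWARD and hits its DROP policy, while the same packet to the firewall's own address is accepted by the INPUT rules; ICMP rules that exist only in INPUT never see DNAT'ed traffic.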