Linux Archive (http://www.linux-archive.org/)
-   Fedora User (http://www.linux-archive.org/fedora-user/)
-   -   iptables fubared? (http://www.linux-archive.org/fedora-user/709705-iptables-fubared.html)

Mark Space 10-04-2012 07:45 PM

iptables fubared?
 
Hi all, I'm having a bit of trouble setting up a new web server. The
last time I set it up it went smoothly, but for some reason I can't
connect to the HTTP port on this one.



Any clues what I'm missing?



I can:



1. SSH into my server from an external workstation.

2. Ping my server by DNS name from an external workstation.

3. I can load the default web page when I'm SSH'd in, this works
fine:

$ wget localhost
--2012-10-04 17:44:35-- http://localhost/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2432 (2.4K) [text/html]
Saving to: `index.html.1'

100%[======================================>] 2,432 --.-K/s in 0s

2012-10-04 17:44:35 (183 MB/s) - `index.html.1'



However, I cannot connect via HTTP externally, even using the IP
address:



4. Unable to connect Firefox can't establish a connection to the
server at 54.243.205.88.



I'm not sure where I could have fubared this. I did try to redirect
the ports from 80 to 8080, perhaps that was done incorrectly?



[ec2-user@domU-12-31-39-0A-A0-29 ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[ec2-user@domU-12-31-39-0A-A0-29 ~]$ sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 21 packets, 1608 bytes)
pkts bytes target prot opt in out source destination
150 7600 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080

Chain INPUT (policy ACCEPT 171 packets, 9208 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 45 packets, 3625 bytes)
pkts bytes target prot opt in out source destination
2 120 REDIRECT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:80 redir ports 8080
0 0 REDIRECT tcp -- * * 0.0.0.0/0 10.211.163.215 tcp dpt:80 redir ports 8080

Chain POSTROUTING (policy ACCEPT 47 packets, 3745 bytes)
pkts bytes target prot opt in out source destination





I thought this should be exactly the same as the last time I did it,
so I don't know why it wouldn't work.

Here's the script I used to set up the iptables:



iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -d 10.211.163.215 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
/etc/init.d/iptables save
/etc/init.d/iptables restart





I'm completely at a loss how to troubleshoot this further, any
advice is much appreciated.







--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
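
The nat table in the post shows the PREROUTING REDIRECT matching 150 packets, but nothing in the thread checks what is listening on the target port 8080 or which address it is bound to, which is the first thing a REDIRECT that answers with RST calls for. The following is an added example, not code from the thread: it parses the "iptables -t nat -L -n -v" output exactly as posted together with a constructed "ss -ltn" listing and reports, per REDIRECT rule, whether a socket can accept the traffic that chain rewrites. The ss listing is made up to illustrate a loopback-only bind; the thread never confirms that this is what happened on the poster's server.

```python
import re

# Constructed samples: the nat table is the one posted in this thread; the ss -ltn
# listing is made up to illustrate a service that binds loopback only.
NAT_TABLE = """\
Chain PREROUTING (policy ACCEPT 21 packets, 1608 bytes)
pkts bytes target prot opt in out source destination
150 7600 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080

Chain OUTPUT (policy ACCEPT 45 packets, 3625 bytes)
pkts bytes target prot opt in out source destination
2 120 REDIRECT tcp -- * * 0.0.0.0/0 127.0.0.1 tcp dpt:80 redir ports 8080
0 0 REDIRECT tcp -- * * 0.0.0.0/0 10.211.163.215 tcp dpt:80 redir ports 8080
"""
SS_LISTEN = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*
LISTEN 0      128    127.0.0.1:8080     *:*
"""

RULE_RE = re.compile(r"^\s*(?P<pkts>\d+)\s+\d+\s+REDIRECT\s+\w+.*?\bdpt:(?P<dport>\d+)"
                     r"\s+redir ports (?P<to>\d+)")
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")
WILDCARD = {"*", "0.0.0.0", "::", "[::]"}

def loopback(addr):
    return addr.startswith("127.") or addr.strip("[]") == "::1"

def parse_redirects(nat_text):
    """[(chain, pkts, dport, to_port), ...] for every REDIRECT rule, per chain."""
    chain, rules = None, []
    for line in nat_text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
        m = RULE_RE.match(line)
        if m:
            rules.append((chain, int(m["pkts"]), int(m["dport"]), int(m["to"])))
    return rules

def parse_listeners(ss_text):
    """{port: {local address, ...}} from ss -ltn output."""
    listeners = {}
    for line in ss_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.setdefault(int(m["port"]), set()).add(m["addr"])
    return listeners

def check_redirects(nat_text, ss_text):
    """For each REDIRECT rule, say whether a socket can accept what it redirects.
    PREROUTING rewrites packets arriving from the wire, so the target port must be
    bound on the wildcard or a non-loopback address; OUTPUT rewrites locally
    generated packets, for which a 127.0.0.1 bind is enough."""
    listeners = parse_listeners(ss_text)
    findings = []
    for chain, pkts, dport, to in parse_redirects(nat_text):
        addrs = listeners.get(to, set())
        reachable = bool(addrs & WILDCARD) or not all(loopback(a) for a in addrs)
        if not addrs:
            status = "no listener on %d" % to
        elif chain == "PREROUTING" and not reachable:
            status = "loopback-only listener on %d: external clients get RST" % to
        else:
            status = "ok"
        findings.append((chain, dport, to, pkts, status))
    return findings

if __name__ == "__main__":
    for chain, dport, to, pkts, status in check_redirects(NAT_TABLE, SS_LISTEN):
        print("%-10s dpt:%d -> %d (%d pkts matched): %s" % (chain, dport, to, pkts, status))
```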

Jack Craig 10-04-2012 08:15 PM

iptables fubared?
 
On Thu, Oct 4, 2012 at 12:45 PM, Mark Space <markspace@live.com> wrote:
> 4. Unable to connect Firefox can't establish a connection to the
> server at 54.243.205.88.
>
> I'm not sure where I could have fubared this. I did try to redirect
> the ports from 80 to 8080, perhaps that was done incorrectly?

is it just me, or does 88 = 80 or 8080 ??

or C&P err?

NOSpaze 10-04-2012 08:38 PM

iptables fubared?
 
On Thu, 2012-10-04 at 12:45 -0700, Mark Space wrote:
> Hi all, I'm having a bit of trouble setting up a new web server. The
> last time I set it up it went smoothly, but for some reason I can't
> connect to the HTTP port on this one.
> Any clues what I'm missing?

You are trying to solve a problem with many variables simultaneously (I
can't even understand the purpose of your iptables rules).

Try solving one problem at a time. First: routing. If you can ping
effectively from the outside, routing is ok. Second: tcp ports. Check if
you can find the open ports. Try debugging the problem with tcpdump.
nmap can help you check for open ports.
--
NOSpaze <nospaze@gmail.com>


Mark Space 10-04-2012 10:00 PM

iptables fubared?
 
I tried this with tcpdump running on the server. It surprised me when I
saw tcpdump respond. Firefox still says "cannot connect" from an
external workstation, but my server is seeing something at least.


I won't bore you with all of it, but here's the first bit:

$ sudo tcpdump -i eth0 -n "port 80"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:54:16.482166 IP 99.92.208.198.52890 > 10.211.163.215.http: Flags [S], seq 2014763367, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
21:54:16.482251 IP 10.211.163.215.http > 99.92.208.198.52890: Flags [R.], seq 0, ack 2014763368, win 0, length 0
21:54:16.731133 IP 99.92.208.198.52891 > 10.211.163.215.http: Flags [S], seq 1148493083, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
21:54:16.731183 IP 10.211.163.215.http > 99.92.208.198.52891: Flags [R.], seq 0, ack 1148493084, win 0, length 0
21:54:17.080885 IP 99.92.208.198.52890 > 10.211.163.215.http: Flags [S], seq 2014763367, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0

....
^C
36 packets captured
36 packets received by filter
0 packets dropped by kernel

The server appears to be trying to give a response. (99.92.208.198 is my
workstation external IP address). It's like FF can't get the response.
Hmm.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
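
In the capture above every client SYN is answered within a hundred microseconds by [R.] with win 0: that is the server's kernel refusing the connection, which is what a SYN gets when nothing is listening at the address and port it was redirected to, and because tcpdump on eth0 sees inbound packets before the nat PREROUTING rewrite and replies after the reverse rewrite, both directions show port 80. The following is an added example, not code from the thread: it parses a tcpdump summary, including packet lines that a mail client has wrapped, pairs each SYN with the server's first reply and classifies the attempt; the flows on client ports 52892 and 52893 are constructed to show the accepted and no-reply verdicts.

```python
import re
from collections import OrderedDict

# tcpdump's one-line TCP summary with -n: numeric IPs, well-known ports by name.
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\w+) > "
    r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)
SERVICES = {"http": 80, "https": 443, "ssh": 22}  # names tcpdump prints without -nn

def port_number(name):
    return int(name) if name.isdigit() else SERVICES.get(name, -1)

def unwrap(text):
    """Re-join packet lines a mail client wrapped (no leading timestamp = continuation)."""
    lines = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if lines and not re.match(r"\d\d:\d\d:\d\d\.\d+ ", line):
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines

def parse_flows(text):
    """Group packets by (client, cport, server, sport); keep each side's flags in order."""
    flows = OrderedDict()
    for line in unwrap(text):
        m = PKT_RE.match(line)
        if not m:
            continue  # shell prompt, banner and "packets captured" lines
        fwd = (m["src"], port_number(m["sport"]), m["dst"], port_number(m["dport"]))
        rev = (fwd[2], fwd[3], fwd[0], fwd[1])
        flags = m["flags"]
        if fwd in flows:
            flows[fwd]["client"].append(flags)
        elif rev in flows:
            flows[rev]["server"].append(flags)
        elif flags == "S":  # a bare SYN opens a new flow, client -> server
            flows[fwd] = {"client": [flags], "server": []}
        # anything else is mid-stream traffic whose handshake was not captured
    return flows

def classify(flow):
    """Verdict from the server's first reply to the client's SYN."""
    if not flow["server"]:
        return "no-reply"  # SYN dropped by a filter rule / security group, or reply unseen
    first = flow["server"][0]
    if first == "S.":
        return "accepted"  # SYN-ACK: a socket took the connection
    if "R" in first:
        return "refused"   # RST: nothing listening at the (post-REDIRECT) destination port
    return "other:" + first

def summarize(text):
    """{(client, cport, server, sport): (verdict, SYNs sent), ...}"""
    return {k: (classify(f), len(f["client"])) for k, f in parse_flows(text).items()}

# Constructed sample: flow 52890 is the page's own trace, wrapped across lines the
# way mail clients do; flows 52892 and 52893 are made up to show the other verdicts.
SAMPLE = """\
$ sudo tcpdump -i eth0 -n "port 80"
21:54:16.482166 IP 99.92.208.198.52890 > 10.211.163.215.http: Flags [S],
seq 2014763367, win 8192, options [mss 1460,nop,wscale
2,nop,nop,sackOK], length 0
21:54:16.482251 IP 10.211.163.215.http > 99.92.208.198.52890: Flags
[R.], seq 0, ack 2014763368, win 0, length 0
21:54:17.080885 IP 99.92.208.198.52890 > 10.211.163.215.http: Flags [S],
seq 2014763367, win 8192, options [mss 1460,nop,wscale
2,nop,nop,sackOK], length 0
21:54:20.000000 IP 99.92.208.198.52892 > 10.211.163.215.http: Flags [S], seq 1, win 8192, length 0
21:54:20.000100 IP 10.211.163.215.http > 99.92.208.198.52892: Flags [S.], seq 0, ack 2, win 14600, length 0
21:54:21.000000 IP 99.92.208.198.52893 > 10.211.163.215.http: Flags [S], seq 1, win 8192, length 0
"""

if __name__ == "__main__":
    for (client, cport, server, sport), (verdict, syns) in summarize(SAMPLE).items():
        print("%s:%d -> %s:%d  %s (%d SYN)" % (client, cport, server, sport, verdict, syns))
```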

Bill Shirley 10-04-2012 11:52 PM

iptables fubared?
 
Check your listen statement in /etc/httpd/conf/httpd.conf. It
should be:

Listen 8080

If that is correct, run tcpdump (ctrl+c to quit) and then try
connecting externally:

tcpdump -n -i eth0 port 80 or port 8080

If you get traffic on port 8080 then you have an iptables problem.



Bill

Mark Space 10-05-2012 01:36 AM

iptables fubared?
 
I don't understand this comment:

"If you get traffic on port 8080 then you have an iptables
problem."

Wouldn't it be the opposite? If I DON'T have traffic on port
8080, I have problems with iptables. But maybe I misunderstand
how iptables or tcpdump work.

NOSpaze 10-05-2012 06:27 AM

iptables fubared?
 
On Thu, 2012-10-04 at 15:00 -0700, Mark Space wrote:
> The server appears to be trying to give a response. (99.92.208.198 is my
> workstation external IP address). It's like FF can't get the response.
> Hmm.

Ok. Did you check you can ping? First, routing, second, transport (ISO
layers 3, then 4, then 5, then 6, then 7).

Instead of Firefox, use telnet (from Windows or Linux), this way:

telnet my.ip.addr.ess 80

then write

GET /
(press ENTER TWICE)

You should see html code.

:)


Mark Space 10-05-2012 07:18 AM

iptables fubared?
 
On 10/4/2012 11:27 PM, NOSpaze wrote:

> Ok. Did you check you can ping?

I answered this in my *first* post.

> First, routing, second, transport (ISO
> layers 3, then 4, then 5, then 6, then 7).
>
> Instead of firefox, use telnet (from windows or linux), this way:
>
> telnet my.ip.addr.ess 80
>
> then write
>
> GET /
> (press ENTER TWICE)
>
> You should see html code.



Nope, no HTML, or anything else. Connection reset. I can still SSH
into the box, in case you didn't read that in my OP either.


So SSH, all layers up through 7 are fine.

port 80 = reset.



Bill Shirley 10-05-2012 08:00 AM

iptables fubared?
 
Maybe I didn't understand correctly. You're wanting to redirect
traffic received on eth0 port 80 to port 8080. Is this correct?

"iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j
REDIRECT --to-ports 8080"

If so, then you wouldn't expect to see any traffic on eth0 port 8080
(neither coming nor going), right?



Bill

Bill Shirley 10-05-2012 08:07 AM

iptables fubared?
 
On 10/5/2012 3:18 AM, Mark Space wrote:
> Nope, no HTML, or anything else. Connection reset. I can still SSH
> into the box, in case you didn't read that in my OP either.
>
> So SSH, all layers up through 7 are fine.
>
> port 80 = reset.



Try accessing the web page with lynx or links from the server:
links http://127.0.0.1:8080/

Bill
