[Firewall] transparent dnat timeouts

John Eikenberry jae at zhar.net
Fri Mar 6 19:20:16 CET 2009


I seem to have a similar problem to the one discussed in this thread:
http://rocky.eld.leidenuniv.nl/pipermail/firewall/2007-November/000551.html
That thread never seemed to get resolved, so I'm hoping for better luck
this time. I haven't tried everything in that one yet, in case it is out of
date. If I should go through and try the things suggested in that thread,
just say so.

I'm using the firewall included with debian lenny (1.8.8.o). This includes
the transparent dnat 0.22BETA. Linux kernel version is 2.6.26. Iptables
version 1.4.2.

My transparent-dnat.conf is pretty basic, just forwarding port 80 at this
point. It is enabled and has my static external IP and my server's IP.

I use the debconf system plus some hand editing of the config file. The
debconf part is just the basics: interfaces and the internal NAT'd network.

The hand edits are some port forwardings:

NAT_TCP_FORWARD="25,53,80,113>192.168.1.4 \
    4662,6881-6889>192.168.1.7 \
    222>192.168.1.4:22"
NAT_UDP_FORWARD="53>192.168.1.4 \
    4665,4672>192.168.1.7 \
    5060,5061>192.168.1.99"
NAT_IP_FORWARD=""

Plus some entries for ports that are not logged.

DENY_TCP_NOLOG="135"
DENY_UDP_NOLOG="68 137 1026 1027"


The setting has an effect: when I disable transparent_dnat, trying to go to
the web server immediately errors out, whereas if I enable it the connection
suffers a timeout instead. So it seems like maybe the client data is
forwarded on to the server, but the server's reply doesn't make it back?
There is nothing in the log when this happens.

Thanks for any help.

-- 

John Eikenberry
[jae at zhar.net - http://zhar.net]
[PGP public key @ http://zhar.net/jae_at_zhar_net.gpg]
______________________________________________________________
"Perfection is attained, not when no more can be added, but when no more 
 can be removed." -- Antoine de Saint-Exupery
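Added example, not part of the post above and not the Debian firewall package's own code: a small POSIX sh script that expands entries in the "ports>host[:port]" syntax of NAT_TCP_FORWARD / NAT_UDP_FORWARD into the iptables rules a transparent DNAT needs. It goes one step beyond the post: besides the WAN-side DNAT it also emits the inside-interface DNAT and the POSTROUTING SNAT that a LAN client needs when it connects to the external IP (hairpin NAT). Without that SNAT the internal server answers the client directly with its LAN address, the client ignores the reply, and the connection times out rather than failing fast, which matches the symptom described; that this is the cause here is an assumption, not something the post establishes. The values EXT_IP=203.0.113.10, WAN_IF=eth0, LAN_IF=eth1 and LAN_NET=192.168.1.0/24 are assumed; the NAT_*_FORWARD strings are the ones from the post. The script only prints rules, it does not apply them.

```shell
#!/bin/sh
# Expand "ports>host[:port]" forwarding entries into iptables commands,
# including the hairpin (LAN client -> external IP) rules.
# Assumed values (not from the post):
EXT_IP=203.0.113.10
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24

# Sample input, copied from the post's config:
NAT_TCP_FORWARD="25,53,80,113>192.168.1.4 \
    4662,6881-6889>192.168.1.7 \
    222>192.168.1.4:22"
NAT_UDP_FORWARD="53>192.168.1.4 \
    4665,4672>192.168.1.7 \
    5060,5061>192.168.1.99"

# emit_forward PROTO "ports>host[:port]"
#   PROTO is tcp or udp; ports is a comma list of single ports or a-b ranges.
#   Prints four iptables commands per port item; nothing is applied.
emit_forward() {
    proto=$1
    spec=$2
    ports=${spec%%>*}
    dest=${spec#*>}
    host=${dest%%:*}
    newport=""
    case $dest in
        *:*) newport=${dest#*:} ;;   # "222>192.168.1.4:22" remaps the port
    esac
    for item in $(printf '%s' "$ports" | tr ',' ' '); do
        # the config writes ranges as a-b; iptables --dport wants a:b
        case $item in
            *-*) range="${item%-*}:${item#*-}" ;;
            *)   range=$item ;;
        esac
        if [ -n "$newport" ]; then
            to="$host:$newport"
        else
            to=$host
        fi
        # port(s) the server actually listens on, used by the post-DNAT rules
        sport=${newport:-$range}

        # 1. Internet -> external IP: rewrite destination to the internal server
        printf 'iptables -t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j DNAT --to-destination %s\n' \
            "$WAN_IF" "$proto" "$EXT_IP" "$range" "$to"
        # 2. LAN client -> external IP: the same DNAT on the inside interface
        printf 'iptables -t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j DNAT --to-destination %s\n' \
            "$LAN_IF" "$proto" "$EXT_IP" "$range" "$to"
        # 3. Hairpin reply path: LAN traffic to the server is SNATed to the
        #    firewall, so the server's reply comes back through the firewall
        #    (and its DNAT) instead of going straight to the client
        printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p %s --dport %s -j SNAT --to-source %s\n' \
            "$LAN_NET" "$host" "$proto" "$sport" "$EXT_IP"
        # 4. Let the forwarded traffic through the filter table
        printf 'iptables -A FORWARD -p %s -d %s --dport %s -j ACCEPT\n' \
            "$proto" "$host" "$sport"
    done
}

# emit_table PROTO "$NAT_xxx_FORWARD": one emit_forward per whitespace-separated entry
emit_table() {
    proto=$1
    for spec in $2; do
        emit_forward "$proto" "$spec"
    done
}

# Running the script stand-alone prints the full rule set for the post's config.
emit_table tcp "$NAT_TCP_FORWARD"
emit_table udp "$NAT_UDP_FORWARD"
```

A quick way to test the hairpin theory on the real box, without changing the firewall, is to watch the server's reply path while a LAN client connects to the external IP: if tcpdump on the server shows its SYN/ACK leaving for 192.168.1.x directly rather than for the firewall, rule 3 above is what is missing.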