Brad Smith wrote:
On Thu, 16 Sep 2004 08:41:34 -0400, Christopher K. Johnson <ckjohnson@xxxxxxx> wrote:
Brad Smith wrote:
The packets hit PREROUTING and FORWARD, but not INPUT or OUTPUT, as expected. All chains on the gateway ACCEPT by default. The firewall on the client and vnc server is down.
With iptables forwarded packets would not hit the INPUT or OUTPUT chains. That was only true of ipchains.
I should have phrased that better. I meant that I didn't expect the packets to hit INPUT or OUTPUT and they didn't. =:)
Given Kenneth's observation about interfaces I would double-check the address in the nat rule, and I would verify that the interface connecting to the vnc server is correctly addressed and masked to include that address. My guess is that one of those is wrong and the gw is trying to deliver the nat'd packets via its default gateway.
Well, here's an interesting development. It turns out that everything works fine if the client is on the other side of the gateway from the server. It's only connections between two internal machines that break and I think I just figured out why.
Iptables is actually doing its job perfectly: when the client sends a request to the server it is forwarded to the vnc server. The vnc server receives the vnc client's SYN packet and responds with a SYN/ACK. But the client is expecting a response from the gateway, not the vnc server, and so responds with an RST instead of an ACK. Repeat ad infinitum.
So basically, for this to work we'd need to do both DNAT for the redirection and SNAT to keep the response from confusing the client. As far as I know there's no way to do that with a single rule but, just out of curiosity, I'd love to hear if anyone has ideas.
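To make the asymmetric-reply problem above concrete, here is a small added model of the gateway (not from the thread and not real iptables): it tracks DNAT'd flows the way conntrack does, optionally SNATs them to the gateway's address, and delivers same-LAN packets directly while off-LAN packets pass through the gateway. The addresses are constructed placeholders; the model reproduces all three observations: an internal client gets an RST with DNAT alone, succeeds with DNAT plus SNAT, and an external client works either way.

```python
from dataclasses import dataclass

# Constructed placeholder addresses (not from the thread)
GATEWAY, VNC_SERVER = "192.0.2.1", "192.0.2.20"
LAN_CLIENT, REMOTE_CLIENT = "192.0.2.10", "198.51.100.7"
LAN = {GATEWAY, VNC_SERVER, LAN_CLIENT}


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str


class Gateway:
    """Minimal DNAT box with a conntrack-style reverse map; SNAT is optional."""

    def __init__(self, snat):
        self.snat = snat
        self.reverse = {}  # (reply src, reply dst) -> (original src, original dst)

    def forward(self, pkt):
        # A reply to a flow we translated: undo the translation
        if (pkt.src, pkt.dst) in self.reverse:
            orig_src, orig_dst = self.reverse[(pkt.src, pkt.dst)]
            return Pkt(orig_dst, orig_src, pkt.flags)
        # New traffic for the published address: DNAT to the VNC server,
        # and also SNAT to the gateway's own address when enabled
        if pkt.dst == GATEWAY:
            out = Pkt(GATEWAY if self.snat else pkt.src, VNC_SERVER, pkt.flags)
            self.reverse[(out.dst, out.src)] = (pkt.src, pkt.dst)
            return out
        return pkt  # plain routed forwarding, untouched


def handshake(client, snat):
    """Return 'ESTABLISHED' or 'RST' for client -> gateway (DNAT to VNC)."""
    gw = Gateway(snat)

    def deliver(pkt):
        # Only packets addressed to the gateway or to an off-LAN host reach the
        # gateway; two hosts on the same LAN hand packets to each other directly
        return gw.forward(pkt) if pkt.dst == GATEWAY or pkt.dst not in LAN else pkt

    syn_at_server = deliver(Pkt(client, GATEWAY, "SYN"))
    # The server answers whatever source address it saw on the SYN
    synack_at_client = deliver(Pkt(VNC_SERVER, syn_at_server.src, "SYN/ACK"))
    # The client only accepts a SYN/ACK from the address it sent the SYN to
    return "ESTABLISHED" if synack_at_client.src == GATEWAY else "RST"
```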
How is any internet connection working through the gateway without SNAT or MASQUERADE? I thought this was required for all protocols?
Basically any connection going out from an internal machine would have to be SNATed to your real internet address so the box at the other end knows the right internet (not lan) source IP to send responses to.