9 Nov 2001 redowl   » (Journeyer)

It's 4am(PST)...do you know what your firewall is doing?

Well, I was wondering why my internal net boxes (such as my whinedoze box) couldn't get to the net, but all outside requests could get in with no problem (i.e. my website).

<yawn> answer...I forgot to bind the iptables PREROUTING chain to
my external interface only. So this:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.3:80

was changed to this:

iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 80 -j DNAT --to-destination 10.0.0.3:80

Before the change, PREROUTING the chain, by default, was applied to both interfaces. Thus, all incoming port 80 requests on my internal interface were connecting to itself. I didn't see this until I ran 'tcpdump -i eth1'. Since my workstation is my gateway (for now...), I didn't notice this problem until I tried accessing the web on my internal LAN.

Ah well, case solved.

Good night.

Latest blog entries     Older blog entries

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!