9 Nov 2001 (updated 14 Nov 2001 at 07:50 UTC)
It's 4am (PST)... do you know what your firewall is doing?

Well, I was wondering why my internal net boxes (such as my whinedoze box) couldn't get to the net, but all outside requests could get in with no problem (i.e. my website).
<yawn> answer... I forgot to bind the iptables PREROUTING chain to my external interface only. So this:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.3:80

was changed to this:

    iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 80 -j DNAT --to-destination 10.0.0.3:80
Before the change, the PREROUTING rule had no interface match, so by default it was applied to packets arriving on both interfaces. Thus, all port 80 requests arriving on my internal interface were DNATed to 10.0.0.3 as well, and my internal boxes ended up connecting to my own web server instead of the outside world. I didn't see this until I ran 'tcpdump -i eth1'. Since my workstation is my gateway (for now...), I didn't notice this problem until I tried accessing the web on my internal LAN.
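The mistake above is easy to repeat whenever a new port forward is added, so here is a small check for it. This is an added example, not part of the diary entry: it scans a ruleset in iptables-save format for nat PREROUTING DNAT rules that carry no "-i" interface match, and shows how such a rule looks once bound to the external interface. The ruleset text (SAMPLE_RULES), the interface name eth0 and the function names are constructed for this example; 10.0.0.3 is the web server address from the entry.

```shell
#!/bin/sh
# Audit helper (constructed example): find nat PREROUTING DNAT rules that are
# not restricted to an input interface, i.e. rules that also rewrite traffic
# arriving from the internal LAN.

# Constructed iptables-save output: the first DNAT rule is unbound (the bug
# from the diary), the second one is correctly limited to eth0.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.3:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.3:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Print every DNAT rule in the nat table's PREROUTING chain that has no "-i <iface>".
# $1: ruleset text in iptables-save format
unbound_dnat_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }   # "*nat" starts the nat table section
        table == "nat" && /^-A PREROUTING / && / -j DNAT/ && !/ -i [^ ]+/ { print }
    '
}

# Rewrite one unbound PREROUTING rule so it only matches packets arriving on
# the given external interface (the fix from the diary).
# $1: rule line, $2: external interface name
bind_to_interface() {
    printf '%s\n' "$1" | sed "s/^-A PREROUTING /-A PREROUTING -i $2 /"
}

main() {
    ext="${EXTERNAL:-eth0}"   # hypothetical default; set EXTERNAL to override
    unbound_dnat_rules "$SAMPLE_RULES" | while IFS= read -r rule; do
        echo "unbound: $rule"
        echo "fixed:   $(bind_to_interface "$rule" "$ext")"
    done
}

main "$@"
```

Against a live box the same check can be run as unbound_dnat_rules "$(iptables-save)"; any line it prints is a port forward that will also catch your LAN's outbound traffic.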
Ah well, case solved.
Good night.