Solved

iptables nat:OUTPUT no data?

Posted on 2006-12-01
10
345 Views
Last Modified: 2011-10-03
server:~ # iptables -t nat -L OUTPUT -nv
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            10.10.200.11       tcp dpt:80 redir ports 80
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            10.10.200.11       tcp dpt:443 redir ports 443

Can You tell me why the OUTPUT chain have catched no packets?
That's why those REDIRECTs do not work, I guess.
I assure You that I have spawned many outgoing connections. I guess that's some suse kernel bug. Can anybody confirm? Can anybody show some wokaround except recompiling newest vanila kernel?
Suse 9.2 Linux server 2.6.8-24.24-smp #1 SMP Fri Jul 21 04:06:26 UTC 2006 i686 i686 i386 GNU/Linux
0
Comment
Question by:ravenpl
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 26

Expert Comment

by:jar3817
ID: 18058192
Are you talking about traffic generated on that server going out? Or is this a router that is forwarding traffic? The INPUT chain is used for traffic addressed to the server, the OUTPUT chain is used for traffic originating at the server going out. Everything else (especially in the case of a router) will utilize the FORWARD chain.
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 18058446
Hi,

Will you tell me what is that you want to accomplish from using NAT on the OUTPUT Chain ??
Where do you want to redirectthese ports ? For waht reason ?
0
 
LVL 43

Author Comment

by:ravenpl
ID: 18059009
jar3817: I can't see INPUT and FORWARD chains in nat table...
KeremE: transparent proxy for local connections(redirecting to the host itself). It works fine on other systems, hence the suse seems bypassing the OUTPUT chain...
I'm going to compile new vanila kernel next week, but maybe someone is familiar with this issue?
0
 
LVL 40

Expert Comment

by:noci
ID: 18081396
jar3817: natting is done for destination address on prerouting and
for source address on postrouting chains. (w.r.t. forwarding).

I had some vague troubles with iptables until 2.6.15 or so.
iptables had some internal restructuring done over several kernel
releases (now using netfilter xtables). Seems to be a unification of
ipv4 & ipv6 filtering.

Any ipv6 use?, there was some mentioning that there are problems
with connection tracking and also using SNAT/DNAT (REDIRECT is a special case of DNAT
to the own interface.)

Just mo .02, I have no work around.
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 18085054
Hi,

Will you do an :

iptables -L

and post the result.
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 43

Author Comment

by:ravenpl
ID: 18085155
No. First, why You want to see filter table? I assure You there's many bytes capturd by filter::OUTPUT chain.
I already posted 'iptables -t nat -L OUTPUT' - why it's not enought?
0
 
LVL 40

Expert Comment

by:noci
ID: 18089208
The reason rules are not hit can be:

The only filter items are: (-s is any, interface = any)
-d 10.10.200.11 (so only packet with that destination to start with will match)
-dport 80 or -dport 443 for the other rule.

Are you sending packets to only 10.10.200.11 or to many different systems...
0
 
LVL 43

Author Comment

by:ravenpl
ID: 18091384
noci, I know not all packets would be catched by my rules, but take a look at whole OUTPUT chain - no packets traverse it! And if no packets here, surely no packets catched by my rule - right?
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
0
 
LVL 40

Accepted Solution

by:
noci earned 250 total points
ID: 18091556
Yep, agreed...,

in the netfilter list there is this discussion:
http://lists.netfilter.org/pipermail/netfilter/2004-November/057099.html

It boils down to Suse not having set  IP_NF_NAT_LOCAL set in its config.
0
 
LVL 43

Author Comment

by:ravenpl
ID: 18091659
I knew that Suse is wrong - not mine ;)
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
CPU#7 stuck for 22s! 4 270
Debian: failing to add netwok bridge for kvm 2 104
Linux alternative boot CD? 28 102
Linux on a Dell PowerEdge 720 3 119
I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now