Login or Register to Ask a Question and Join Our Community


IP Networking

NAT Forwarding Issue Endian and Vyatta Firewall

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Special Forums IP Networking NAT Forwarding Issue Endian and Vyatta Firewall
# 1  
Old 06-30-2010
NAT Forwarding Issue Endian and Vyatta Firewall
I've experienced this same issue with both the Endian Firewall Appliance and a Vyatta Firewall Appliance. Conversely, it works with a Draytek Firewall/Router.

I am trying to forward port 80 traffic to my internal web server which is located on the /24 subnet. I have an external static IP which is on the /29 subnet. I'm relatively well versed in firewalls so I proceeded to set up a DNAT rule to forward from the uplink to the internal server. I also set up firewall rules to allow port 80 into the internal network.

Unfortunately, the DNAT rule is not working as planned. I monitored the connections in the status section of the Endian system and I can see that the DNAT properly directs the packets but they end up being destroyed in the SYN_SENT state. In other words, the TCP packets are not getting a "handshake" (SYN/ACK) from the internal web server. This is also the same with a separate mail server operating on port 443.

Am I missing something simple here? I am currently using a Draytek router in production and it forwards all the ports without issue.

Thanks in advance for you help...
Login or Register to Ask a Question

Previous Thread | Next Thread
Login or Register to Ask a Question

LEARN ABOUT SUNOS

tc-fw

Firewall mark classifier in tc(8)				       Linux					 Firewall mark classifier in tc(8)

NAME

       fw - fwmark traffic control filter

SYNOPSIS

       tc filter ... fw [ classid CLASSID ] [ action ACTION_SPEC ]

DESCRIPTION

       the fw filter allows to classify packets based on a previously set fwmark by iptables.  If it is identical to the filter's handle, the fil-
       ter matches.  iptables allows to mark single packets with the MARK target, or whole connections using CONNMARK.	The benefit of using  this
       filter  instead of doing the heavy-lifting with tc itself is that on one hand it might be convenient to keep packet filtering and classifi-
       cation in one place, possibly having to match a packet just once, and on the other users familiar with iptables but not tc will have a less
       hard time adding QoS to their setups.

OPTIONS

       classid CLASSID
	      Push matching packets to the class identified by CLASSID.

       action ACTION_SPEC
	      Apply an action from the generic actions framework on matching packets.

EXAMPLES

       Take e.g. the following tc filter statement:

	      tc filter add ... handle 6 fw classid 1:1

       will match if the packet's fwmark value is 6.  This is a sample iptables statement marking packets coming in on eth0:

	      iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 6

SEE ALSO

       tc(8), iptables(8), iptables-extensions(8)

iproute2							    21 Oct 2015 				 Firewall mark classifier in tc(8)