The setup is: Debian proxy server -> Linksys router -> internal Ubuntu server
Problem is: I can access the Ubuntu web server (apache2) by entering 192.168.1.128 in a browser on my Debian proxy. However, my shorewall forwarding rule does not make it through using either of the following rules:
#Web/DNAT net loc:192.168.1.128
#DNAT net loc:192.168.1.128:80 tcp 80 - 70.90.XXX.XX
Extra info:
I have the internal Ubuntu server accepting all connections right now for debugging purposes (it also has shorewall installed).
Snippet of output from 'shorewall show log' (on the Debian machine):
Feb 1 19:37:15 fw2loc:ACCEPT:IN= OUT=eth1 SRC=192.168.1.137 DST=224.0.0.251 LEN=104 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=84
Feb 1 19:40:31 fw2loc:ACCEPT:IN= OUT=eth1 SRC=192.168.1.137 DST=224.0.0.251 LEN=104 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=84
Output of 'shorewall show nat' (on the Debian machine):
Chain PREROUTING (policy ACCEPT 235 packets, 74689 bytes)
pkts bytes target prot opt in out source destination
12 724 net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 8 packets, 670 bytes)
pkts bytes target prot opt in out source destination
3 242 eth0_masq all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 7 packets, 611 bytes)
pkts bytes target prot opt in out source destination
Chain eth0_masq (1 references)
pkts bytes target prot opt in out source destination
1 69 MASQUERADE all -- * * 192.168.1.0/24 0.0.0.0/0
Chain net_dnat (1 references)
pkts bytes target prot opt in out source destination
2 128 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.1.128
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.128
EDIT:
I should also mention that after checking the apache logs on the Ubuntu machine, none of the requests seem to be making it. When I make a request from the LAN, I get an entry in the access log, but when making a request from outside the LAN via the proxy, I get nothing.
Output of 'iptables -vnL' on the proxy:
22 1280 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
22 1280 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0
22 1280 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
22 1280 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
22 1280 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
22 1280 net2loc all -- * eth1 0.0.0.0/0 0.0.0.0/0
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
22 1280 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.128 tcp dpt:80
Not really sure what to make of this...
I am starting to wonder if there is a fundamental problem with trying to go through the Linksys router and if I should just go Debian -> Ubuntu with a crossover...
EDIT 2:
It looks like packets are being forwarded correctly (I think that is what the output from 'shorewall show nat' did for us)
Output from 'tcpdump -n -i port 80'
public interface:
20:15:40.458118 IP 71.182.212.251.57261 > 70.90.XXX.XXX.80: S 2834662754:2834662754(0) win 65535 <mss 1452,nop,wscale 3,nop,nop,timestamp 25163236 0,sackOK,eol>
private interface:
20:15:45.405347 IP 71.182.212.251.57261 > 192.168.1.128.80: S 2834662754:2834662754(0) win 65535
After a few of the above packets it turns into:
20:16:17.623882 IP 71.182.212.251.57254 > 70.90.XXX.XXX.80: S 1673429824:1673429824(0) win 65535 <mss 1452,sackOK,eol>
and
20:16:17.623917 IP 71.182.212.251.57254 > 192.168.1.128.80: S 1673429824:1673429824(0) win 65535 <mss 1452,sackOK,eol>
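An added example, not part of the original post: a small Python script that does mechanically what the tcpdump comparison above does by eye. It parses tcpdump output in both the classic format shown in the post and the newer "Flags [S.]" format, pairs each SYN with the SYN-ACK that should come back on the reversed 4-tuple, and lists the flows that never got one (a DNATed SYN leaving the private interface with no reply is exactly the condition visible in the post). The embedded capture is constructed: it reuses the two private-interface lines from the post and adds invented lines (a retransmission of the 57261 SYN, and a successful LAN-side connection from the proxy's own 192.168.1.137 address, with port 40000 and the sequence numbers made up) so the script runs offline and shows a healthy flow next to the failing ones.

```python
"""Find half-open flows (SYN seen, no SYN-ACK back) in tcpdump output.

Example code added by the editor; not from the original post.
"""
import re
import sys
from collections import defaultdict

# One tcpdump line, either classic (pre-4.0) or modern format:
#   HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: S seq:seq(0) [ack N] win ...
#   HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: Flags [S.], seq ..., ack ..., win ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?P<rest>.*)$"
)

# Constructed sample. The first two lines are the private-interface packets
# quoted in the post; the rest are invented for illustration.
SAMPLE_CAPTURE = [
    "20:15:45.405347 IP 71.182.212.251.57261 > 192.168.1.128.80: S 2834662754:2834662754(0) win 65535",
    "20:16:17.623917 IP 71.182.212.251.57254 > 192.168.1.128.80: S 1673429824:1673429824(0) win 65535 <mss 1452,sackOK,eol>",
    # constructed: retransmission of the 57261 SYN, still unanswered
    "20:16:21.405400 IP 71.182.212.251.57261 > 192.168.1.128.80: S 2834662754:2834662754(0) win 65535",
    # constructed: a LAN-side connection from the proxy itself that does complete
    "20:16:30.000100 IP 192.168.1.137.40000 > 192.168.1.128.80: S 900000000:900000000(0) win 5840 <mss 1460>",
    "20:16:30.000900 IP 192.168.1.128.80 > 192.168.1.137.40000: S 1700000000:1700000000(0) ack 900000001 win 5840 <mss 1460>",
    "20:16:30.001200 IP 192.168.1.137.40000 > 192.168.1.128.80: . ack 1700000001 win 5840",
]


def classify_tcp(rest):
    """Return 'syn', 'synack' or 'other' for the text after 'src > dst:'."""
    m = re.match(r"Flags \[([^\]]*)\]", rest)
    if m:  # modern format: S = SYN, S. = SYN+ACK
        flags = m.group(1)
        if "S" in flags:
            return "synack" if "." in flags else "syn"
        return "other"
    # classic format: leading 'S' token; a SYN-ACK also carries an 'ack' field
    # (\back\b deliberately does not match the 'sackOK' option)
    if re.match(r"S\s", rest):
        return "synack" if re.search(r"\back\b", rest) else "syn"
    return "other"


def analyse(lines):
    """Count SYNs and matching SYN-ACKs per client->server 4-tuple.

    A SYN-ACK is credited to the flow whose 4-tuple is the reverse of its own
    src/dst, so {"syn": n, "synack": 0} means the handshake never came back.
    """
    flows = defaultdict(lambda: {"syn": 0, "synack": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a tcpdump packet line (header, truncated, etc.)
        kind = classify_tcp(m["rest"])
        if kind == "syn":
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            flows[key]["syn"] += 1
        elif kind == "synack":
            key = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
            flows[key]["synack"] += 1
    return dict(flows)


def half_open(flows):
    """Flows with at least one SYN and no SYN-ACK, most retried first."""
    return sorted(
        [(key, counts["syn"]) for key, counts in flows.items() if counts["synack"] == 0],
        key=lambda item: -item[1],
    )


if __name__ == "__main__":
    # Read a live/saved capture from stdin when piped, else use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE
    result = analyse(source)
    for (client, cport, server, sport), syns in half_open(result):
        print(f"half-open: {client}:{cport} -> {server}:{sport}  SYNs={syns}  SYN-ACKs=0")
```

Run it on a real capture with something like `tcpdump -n -l -i eth1 port 80 | python3 halfopen.py` (the `-l` keeps tcpdump's output line-buffered so the script sees packets as they arrive). Note that it only reports the symptom the post shows, a DNATed SYN leaving the firewall with no SYN-ACK returning through it; it cannot tell whether the server never answered or whether its replies took a different path (for example out through the Linksys router's own default route) and never crossed the capture point, so a second capture on the server side is the natural next check.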