  #8  
21st April 2006, 09:03
rsacon

Need to correct myself: I didn't specify the NAT table. With "iptables -L -t nat" I see:

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:10.0.0.2:80
DNAT tcp -- anywhere anywhere tcp dpt:9641 to:10.0.0.1:22
DNAT tcp -- anywhere anywhere tcp dpt:9642 to:10.0.0.2:22


Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination





Filter table looks like:
---------------------

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif5.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif5.0 udp spt:bootpc dpt:bootps
ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif6.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif6.0 udp spt:bootpc dpt:bootps
ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif7.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
ACCEPT all -- 10.0.0.1 anywhere PHYSDEV match --physdev-in vif8.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



If I try to log in via ssh and sniff at the interface, I get the following tcpdump:
----------------------------------------------------------------------------
debian:/etc/xen# tcpdump port 9641
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:19:33.294688 IP 20118084046.host.telemar.net.br.1277 > 66.68.232.72.reverse.layeredtech.com.9641: S 2159620162:2159620162(0) win 65535 <mss 1440 ,nop,nop,sackOK>
22:19:33.295608 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: S 1693666106:1693666106(0) ack 2159620163 win 5840 <mss 1460,nop,nop,sackOK>
22:19:33.504404 IP 20118084046.host.telemar.net.br.1277 > 66.68.232.72.reverse.layeredtech.com.9641: . ack 1 win 65535
22:19:33.505583 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:37.530007 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:41.779922 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1276: P 1607211346:1607211387(41) ack 1780605239 win 5840
22:19:43.529954 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:19:55.530022 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:20:19.530018 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:20:43.530011 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.nessus: P 1322618440:1322618481(41) ack 1471941687 win 5840
22:21:07.529963 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1277: P 1:42(41) ack 1 win 5840
22:21:17.779923 IP 66.68.232.72.reverse.layeredtech.com.9641 > 20118084046.host.telemar.net.br.1276: P 0:41(41) ack 1 win 5840
.......



Now I have all the data but I still can't see what exactly is wrong...

Last edited by rsacon; 21st April 2006 at 09:26.