ggbal
Occasional Visitor
I have one router serving as the gateway to the internet. Let's call it routerF. And I have another router (routerB) connected to routerF, with all LAN devices connecting to it.
The problem is that from routerF's network 192.168.10.0/24, I want to access a machine behind routerB, for example the router's web page at 192.168.100.1. But I can't. I can see in the log files that the packets were dropped, but I can't figure out where they were dropped, since I accept everything in its PREROUTING chain. Looking for your help and suggestions.
The connection looks like this:
routerF (192.168.10.0/24)-LAN port 1 (192.168.10.2) ----> routerB (192.168.100.0/24) -WAN port (192.168.100.1)
Here is the routing table on routerF:
Code:
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
66.192.23.1     *               255.255.255.255 UH    0   0      0    vlan2
192.168.100.0   192.168.10.2    255.255.255.0   UG    0   0      0    br0
192.168.10.0    *               255.255.255.0   U     0   0      0    br0
66.192.23.0     *               255.255.248.0   U     0   0      0    vlan2
127.0.0.0       *               255.0.0.0       U     0   0      0    lo
default         66.192.23.1     0.0.0.0         UG    0   0      0    vlan2
The output of iptables -L -t nat on routerF is:
Code:
Chain PREROUTING (policy ACCEPT)
target         prot opt source           destination
WANPREROUTING  all  --  anywhere         wan1-ip

Chain POSTROUTING (policy ACCEPT)
target         prot opt source           destination
MASQUERADE     all  --  anywhere         anywhere
SNAT           all  --  192.168.10.0/24  192.168.10.0/24  to:192.168.10.1

Chain OUTPUT (policy ACCEPT)
target         prot opt source           destination

Chain WANPREROUTING (1 references)
target         prot opt source           destination
DNAT           icmp --  anywhere         anywhere         to:192.168.10.1
DNAT           all  --  anywhere         anywhere         to:192.168.10.2
Here is the routing table for routerB
Code:
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.10.1    *               255.255.255.255 UH    0   0      0    vlan2
192.168.100.0   *               255.255.255.0   U     0   0      0    br0
192.168.10.0    *               255.255.255.0   U     0   0      0    vlan2
127.0.0.0       *               255.0.0.0       U     0   0      0    lo
default         unknown         0.0.0.0         UG    0   0      0    vlan2
The output of iptables -L -t nat on routerB is:
Code:
target         prot opt source           destination
DNAT           tcp  --  anywhere         wan1-ip          tcp dpt:www to:192.168.100.1:80
ACCEPT         all  --  anywhere         192.168.100.0/24

Chain POSTROUTING (policy ACCEPT)
target         prot opt source           destination
MASQUERADE     all  --  anywhere         anywhere
SNAT           all  --  192.168.100.0/24 192.168.100.0/24 to:192.168.100.1

Chain OUTPUT (policy ACCEPT)
target         prot opt source           destination

Chain WANPREROUTING (0 references)
target         prot opt source           destination
DNAT           icmp --  anywhere         anywhere         to:192.168.100.1
The drop messages in routerB's log files:
Code:
Nov 24 18:01:08 unknown user.warn kernel: DROP IN=vlan2 OUT= MACSRC=e0:91:e6:ea:a1:28 MACDST=e0:91:e6:ea:a2:67 MACPROTO=0800 SRC=192.168.10.15 DST=192.168.100.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=54713 DPT=80 SEQ=3453556736 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303050101080A1345ACAD0000000004020000)
Nov 24 18:01:10 unknown user.warn kernel: DROP IN=vlan2 OUT= MACSRC=e0:91:e6:ea:a1:28 MACDST=e0:91:e6:ea:a2:67 MACPROTO=0800 SRC=192.168.10.15 DST=192.168.100.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=54712 DPT=80 SEQ=597615546 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303050101080A1345B3840000000004020000)
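As an added example (not code from the original post, nor from the router firmware), the following POSIX shell script parses the two DROP lines quoted above and names the netfilter hook each one must have passed through, using only the IN= and OUT= fields that the LOG target prints. It also runs over one constructed line (OUT=br0, destination 192.168.100.20, both invented for contrast) so that the FORWARD case is visible next to the local-delivery case. The function and variable names (nf_field, nf_hook, nf_summary, LOG1..LOG3) are my own and are not part of any iptables tooling.

```shell
#!/bin/sh
# Added example, not from the original post or the router firmware: classify
# netfilter LOG output by the hook that produced it, using the IN=/OUT= fields.
# Plain POSIX sh, so it also runs in busybox ash on the router itself.

# Constructed sample input: the two DROP lines quoted from routerB's log in
# the post, plus one hypothetical line with OUT=br0 set (invented here),
# which is what a drop in the FORWARD chain looks like.
LOG1='Nov 24 18:01:08 unknown user.warn kernel: DROP IN=vlan2 OUT= MACSRC=e0:91:e6:ea:a1:28 MACDST=e0:91:e6:ea:a2:67 MACPROTO=0800 SRC=192.168.10.15 DST=192.168.100.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=54713 DPT=80 SEQ=3453556736 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303050101080A1345ACAD0000000004020000)'
LOG2='Nov 24 18:01:10 unknown user.warn kernel: DROP IN=vlan2 OUT= MACSRC=e0:91:e6:ea:a1:28 MACDST=e0:91:e6:ea:a2:67 MACPROTO=0800 SRC=192.168.10.15 DST=192.168.100.1 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=54712 DPT=80 SEQ=597615546 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B4010303050101080A1345B3840000000004020000)'
# Hypothetical (constructed) line: the same client reaching a host behind routerB.
LOG3='Nov 24 18:02:00 unknown user.warn kernel: DROP IN=vlan2 OUT=br0 SRC=192.168.10.15 DST=192.168.100.20 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=54800 DPT=22 SYN URGP=0'

# nf_field LINE KEY: print the value of " KEY=" in LINE; prints an empty
# string when the key is present but unset, as with "OUT=". Requiring a
# leading blank keeps SRC= from matching MACSRC=, DST= from MACDST= and
# PROTO= from MACPROTO=.
nf_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# nf_hook LINE: name the hook the packet was in when it was logged.
#   IN set,   OUT empty -> being delivered to the router itself: PREROUTING or INPUT
#   IN set,   OUT set   -> being relayed to another host: FORWARD
#   IN empty, OUT set   -> generated by the router: OUTPUT or POSTROUTING
nf_hook() {
    _in=$(nf_field "$1" IN)
    _out=$(nf_field "$1" OUT)
    if [ -n "$_in" ] && [ -z "$_out" ]; then
        echo "INPUT/PREROUTING"
    elif [ -n "$_in" ] && [ -n "$_out" ]; then
        echo "FORWARD"
    elif [ -z "$_in" ] && [ -n "$_out" ]; then
        echo "OUTPUT/POSTROUTING"
    else
        echo "unknown"
    fi
}

# nf_summary LINE: one-line triage record: hook, protocol, src:sport -> dst:dport,
# TTL and the ingress interface.
nf_summary() {
    printf '%s %s %s:%s -> %s:%s ttl=%s via %s\n' \
        "$(nf_hook "$1")" "$(nf_field "$1" PROTO)" \
        "$(nf_field "$1" SRC)" "$(nf_field "$1" SPT)" \
        "$(nf_field "$1" DST)" "$(nf_field "$1" DPT)" \
        "$(nf_field "$1" TTL)" "$(nf_field "$1" IN)"
}

# Triage each sample line.
for l in "$LOG1" "$LOG2" "$LOG3"; do
    nf_summary "$l"
done
```

Both quoted lines have IN=vlan2 with OUT empty and DST=192.168.100.1, an address owned by routerB itself, so they were logged while being delivered to the router, not forwarded: that is the PREROUTING or INPUT hook. The nat PREROUTING rules shown for routerB are only DNAT and ACCEPT, so the dropping rule is most plausibly in the filter table's INPUT chain as it applies to vlan2; on routerB, `iptables -L INPUT -v -n --line-numbers` (filter is the default table) lists that chain with per-rule packet counters, and the counter of the rule responsible should increment while the connection is retried. Note also that routerB's DNAT only rewrites TCP port 80 packets addressed to wan1-ip; a client addressing 192.168.100.1 directly never matches it. If the client uses the common initial TTL of 64 (an assumption), TTL=63 in the log is consistent with exactly one hop, routerF, before routerB.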