[CentOS] iptables question
Robert Nichols
rnicholsNOSPAM at comcast.net
Tue Feb 24 06:13:28 UTC 2009
Filipe Brandenburger wrote:
> Hi Ward,
>
> On Thu, Feb 19, 2009 at 20:27, <Ward.P.Fontenot at wellsfargo.com> wrote:
>> I add that and telnet to the port on BOX A and get
>> Trying 192.168.0.1...
>> telnet: connect to address 192.168.0.1: Connection refused
>> I can telnet to that port on BOX B and get a successful connection.
>
> The problem is that when BOX B responds, it will respond with a
> 192.168.0.2 source IP, and that will only work if it goes through BOX
> A again (for the DNAT to do the address translation back to
> 192.168.0.1).
>
> In short, this will only work if traffic goes back to the source through BOX A.
>
> For instance, this will NOT happen if the host that is connecting to
> the forwarded port is in the same subnet as hosts BOX A and BOX B.
>
> This will also NOT happen if BOX A is not the default gateway of BOX
> B, or there is somehow another configuration that routes the return
> packets through BOX A (like using an SNAT combined with the DNAT to
> make the connections look like they are coming from BOX A).
A "Connection refused" response indicates that the reply path is
working. If there is no response, telnet will just sit and wait,
eventually displaying a "Connection timed out" message when the
connection times out from the SYN_SENT state (typically about 3
minutes).
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
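To make Filipe's point concrete, here is an added example (not from the thread) of a port-forward on BOX A that pairs the DNAT with an SNAT so BOX B's replies always come back through BOX A; it assumes BOX A is 192.168.0.1, BOX B is 192.168.0.2, and the forwarded port 2222 is a placeholder for whatever port Ward is forwarding.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed addresses and port:
BOX_A=192.168.0.1          # gateway that receives the client connections
BOX_B=192.168.0.2          # host that actually runs the service
PORT=${PORT:-2222}         # placeholder for the forwarded port
DRY_RUN=${DRY_RUN:-1}      # 1 = only print the commands; 0 = execute (needs root)

# run: print a command, and execute it unless DRY_RUN=1
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# port_forward_rules prints (or applies) the complete rule set
port_forward_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # 1. rewrite the destination on arrival so the packet is forwarded to BOX B
    run iptables -t nat -A PREROUTING -d "$BOX_A" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$BOX_B"
    # 2. rewrite the source on the way out so BOX B answers BOX A, not the
    #    client; conntrack undoes both translations on the reply. Without this
    #    rule a same-subnet client gets the reply straight from BOX B's own
    #    address and rejects it, which is the failure Filipe describes.
    run iptables -t nat -A POSTROUTING -d "$BOX_B" -p tcp --dport "$PORT" \
        -j SNAT --to-source "$BOX_A"
    # 3. let the forwarded flow and its replies through the FORWARD chain
    run iptables -A FORWARD -d "$BOX_B" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -s "$BOX_B" -p tcp --sport "$PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# rules_have_snat: sanity check that the rule set includes the SNAT step
rules_have_snat() {
    port_forward_rules | grep -q -- '-j SNAT --to-source'
}

port_forward_rules
```

The SNAT means BOX B's logs show every forwarded connection as coming from BOX A, so keep the client address in BOX A's own logging if you need it. A PREROUTING DNAT rule also does not apply to connections originated on BOX A itself (those traverse the nat OUTPUT chain), so a telnet run from BOX A is not a valid test of the forward.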