( KaTT | 2014. 10. 29., Wed – 14:24 )

This is what arrives on the host machine:

tcpdump -nnvvS -i eth0 port 80
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:14:23.048442 IP (tos 0x0, ttl 128, id 17772, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.101.2812 > 192.168.1.33.80: Flags [S], cksum 0x7504 (correct), seq 518867653, win 65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
14:14:23.300545 IP (tos 0x0, ttl 128, id 17781, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.101.2813 > 192.168.1.33.80: Flags [S], cksum 0x4ba4 (correct), seq 2994462869, win 65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
14:14:26.003827 IP (tos 0x0, ttl 128, id 17787, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.101.2812 > 192.168.1.33.80: Flags [S], cksum 0x7504 (correct), seq 518867653, win 65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
14:14:26.303294 IP (tos 0x0, ttl 128, id 17792, offset 0, flags [DF], proto TCP (6), length 52)
192.168.1.101.2813 > 192.168.1.33.80: Flags [S], cksum 0x4ba4 (correct), seq 2994462869, win 65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0

On the guest machine, where the web server runs, the packets do NOT arrive:
tcpdump -nnvvS -i eth0 port 80

However, if I look from the host at port 80 of that IP with a browser to see what is there, it works perfectly:

tcpdump -nnvvS -i eth0 port 80
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:12:34.051703 IP (tos 0x0, ttl 64, id 1762, offset 0, flags [DF], proto TCP (6), length 60)
192.168.122.1.40970 > 192.168.122.111.80: Flags [S], cksum 0x75aa (incorrect -> 0x5406), seq 763182251, win 14600, options [mss 1460,sackOK,TS val 11156041 ecr 0,nop,wscale 7], length 0
13:12:34.051727 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.122.111.80 > 192.168.122.1.40970: Flags [S.], cksum 0x75aa (incorrect -> 0xf23c), seq 769718620, ack 763182252, win 14480, options [mss 1460,sackOK,TS val 11156041 ecr 11156041,nop,wscale 7], length 0
13:12:34.051747 IP (tos 0x0, ttl 64, id 1763, offset 0, flags [DF], proto TCP (6), length 52)
192.168.122.1.40970 > 192.168.122.111.80: Flags [.], cksum 0x75a2 (incorrect -> 0x5926), seq 763182252, ack 769718621, win 115, options [nop,nop,TS val 11156041 ecr 11156041], length 0

So the forwarding between the host and that IP is not working.

firewall-cmd --zone=public --list-all
public (default, active)
interfaces: eth0 eth1 virbr0
sources:
services: ssh
ports: 443/tcp 80/tcp
masquerade: yes
forward-ports: port=80:proto=tcp:toport=80:toaddr=192.168.122.111
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.122.111" service name="http" accept
rule family="ipv4" source address="192.168.122.111" port port="80" protocol="tcp" accept

But if I remove the rich rules blocks, it still doesn't work.

What should I check to find out why the packet cannot reach the target .111 IP?
Why might firewalld not be working?

Checkmate,
KaTT :)
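As an added example, not from the post: a Python helper that parses the zone listing and one host-side SYN above and derives the flow the guest should see on virbr0 after the forward-port DNAT (only the destination changes; the source stays 192.168.1.101), plus the tcpdump filter to confirm it on the bridge. Function names and the sample input (copied from the post's output) are mine.

```python
import re
# Constructed sample input, copied from the post: the zone listing and one host-side SYN.
ZONE_LISTING = """public (default, active)
interfaces: eth0 eth1 virbr0
sources:
services: ssh
ports: 443/tcp 80/tcp
masquerade: yes
forward-ports: port=80:proto=tcp:toport=80:toaddr=192.168.122.111
icmp-blocks:
rich rules:
"""
SYN_LINE = ("192.168.1.101.2812 > 192.168.1.33.80: Flags [S], cksum 0x7504 (correct), "
            "seq 518867653, win 65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0")

# tcpdump -nn prints IPv4 TCP flows as "src.sport > dst.dport: Flags [..]".
FLOW_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

def parse_zone(text):
    """Turn `firewall-cmd --zone=... --list-all` output into {field: value}."""
    zone = {}
    for line in text.splitlines()[1:]:            # line 0 is the zone name header
        key, _, value = line.partition(":")       # first ':' separates field from value
        zone[key.strip()] = value.strip()
    return zone

def forward_ports(zone):
    """Parse entries like port=80:proto=tcp:toport=80:toaddr=192.168.122.111 (IPv4 only)."""
    return [dict(item.split("=", 1) for item in entry.split(":"))
            for entry in zone.get("forward-ports", "").split()]

def parse_flow(line):
    """Extract the 4-tuple and TCP flags from one tcpdump -nn line."""
    m = FLOW_RE.match(line)
    if not m: raise ValueError("not a tcpdump -nn TCP line: " + line)
    src, sport, dst, dport, flags = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "flags": flags}

def after_dnat(flow, zone):
    """Flow the guest must see after the matching forward-port DNAT: only dst/dport change."""
    for rule in forward_ports(zone):
        if rule.get("proto") == "tcp" and int(rule["port"]) == flow["dport"]:
            toport = int(rule.get("toport") or rule["port"])
            return dict(flow, dst=rule["toaddr"], dport=toport)
    return None                                   # no forward-port matches: nothing to DNAT

def bridge_filter(flow):
    """tcpdump filter for virbr0 (or the guest's eth0) that catches the DNATed SYN."""
    return f"host {flow['src']} and host {flow['dst']} and tcp port {flow['dport']}"
```

If the filter shows nothing on virbr0 while the SYN keeps arriving on eth0, the packet is lost between the nat PREROUTING DNAT and the FORWARD chain, where libvirt installs its own rules for virbr0; the packet counters of iptables -t nat -vnL PREROUTING and iptables -vnL FORWARD show which one never matched.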