On Thu, 2005-05-19 at 21:44 +0800, Mark Quitoriano wrote:
> Here's how I did mine
> iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -j DNAT --to-destination 10.0.0.1
>
> iptables -t nat -A POSTROUTING -d 10.0.0.1 -j SNAT --to xxx.xxx.xxx.xxx
>
> because the firewall has a different IP than my mail server
>

You are forwarding it twice.

Is 10.0.0.1 the internal interface of the firewall (that contains -d
xxx.xxx.xxx.xxx) or is it a separate machine?

If it is on the same machine, try this (assuming you have a FORWARD rule
too):

iptables -A FORWARD -i $EXTIF -p tcp --dport 25 -m state \
  --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 25 \
  -j DNAT --to xxx.xxx.xxx.xxx

($EXTIF is the external interface {eth0, eth1, etc.}, $EXTIP is the
external IP address)

> On 5/19/05, Peter Farrow <peter@xxxxxxxxxxx> wrote:
> > If you're doing true port forwarding, the internal server should see the
> > IP address of the external machine in its logs.
> >
> > This is how my machines log that do this, I use this type of entry in
> > iptables:
> >
> > iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 10.198.0.17
> >
> > P.
> >
> > Johnny Hughes wrote:
> >
> > >On Thu, 2005-05-19 at 21:08 +0800, Mark Quitoriano wrote:
> > >
> > >>I'm having a problem viewing logs on forwarded ports from the firewall
> > >>to another server, I forwarded mail (port 25) from the firewall to an
> > >>internal server. The problem is when I try to view the logs it just
> > >>shows the firewall IP as the sender and not the original sender.
> > >>
> > >In reality, the firewall may be making the connection to the internal
> > >server... and not the external machine. Especially if the internal
> > >server is on a 192.168.x.x or 10.x.x.x network and you are connecting
> > >via NAT.
> > >If that is the case, the external machine is connecting to the
> > >firewall and the firewall is connecting to the internal server.
> > >
> > >_______________________________________________
> > >CentOS mailing list
> > >CentOS@xxxxxxxxxx
> > >http://lists.centos.org/mailman/listinfo/centos