Re: DNAT PREROUTING issue with iptables




Without all the rules, it's not easy to reply.
Your NAT rules look fine but some filter rules are missing (I think).  FW1
should also ACCEPT port 25 in its FORWARD chain.

If you use rules including --state NEW, you must have other rules like

iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


The best way for you is to troubleshoot your firewalls using tcpdump.
Open 2 terminals on each of your firewalls, run
# tcpdump -n -i eth0 port 25
and
# tcpdump -n -i eth1 port 25

Then make some telnet connections on port 25 to understand what is happening.
Verify that packets are going through your firewall and that they are
correctly NATed and DNATed.


On 9/25/07, Indunil Jayasooriya <indunil75@xxxxxxxxx> wrote:
> Hi,
>
> I have a DNAT ISSUE with PREROUTING.
>
> This is my setup.
>
> I have 2 firewalls running iptables.
>
> Pls assume 1.2.3.4/29 is the internet interface of the FIRST firewall.
> 2.3.4.5/29 is the internet interface of the SECOND firewall. It has a DMZ zone. In
> that DMZ zone, a mail server is running @ 192.168.100.3
>
> Now I want to DNAT port 25 of the FIRST firewall ( i.e  -  its ip address -
> 1.2.3.4/29) to the internet ip address ( 2.3.4.5/29) of the SECOND firewall.
> That firewall DNATs port 25 to the mail server @ 192.168.100.3 in the DMZ zone.
>
> These are the rules I have added.
>
> On the FIRST firewall (its internet ip address - 1.2.3.4/29) I have added the
> rule below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT \
>     --to-destination 2.3.4.5:25
>
> That should forward port 25 to the SECOND firewall. In the SECOND firewall, I have
> added the 2 rules below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT \
>     --to-destination 192.168.100.3:25
>
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW \
>     -j ACCEPT
>
> Now, it should forward port 25 to the mail server @ DMZ Zone.
>
> I think I have added these rules properly. But, it does not work.
>
> I checked from the outside world. I telneted to port 25 of the first firewall.
> Then, it should forward to the mail server @ DMZ zone.
> But, no response.
>
> WHY is that?
>
> YOUR IDEAS?
>
> --
> Thank you
> Indunil Jayasooriya
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>
>


-- 
Alain Spineux
aspineux gmail com
May the sources be with you
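The two-firewall chain from the quoted mail, written out as a complete ruleset, is an added example and not code from either poster. It reuses the thread's addresses (1.2.3.4 for FW1, 2.3.4.5 for FW2, 192.168.100.3 for the DMZ mail server) and interface names (eth0 internet, eth1 DMZ). Beyond what the reply covers, it adds a POSTROUTING SNAT on FW1, which is an assumption explained in the comments: FW1's DNAT sends the packet back out eth0 to FW2, so without SNAT the reply from 2.3.4.5 would bypass FW1 and the handshake would never complete. The script prints the commands unless APPLY=1 is set, so it can be reviewed before touching a live box.

```shell
#!/bin/sh
# Added example, not from the thread: rulesets for both firewalls in the
# DNAT chain discussed on the list. Addresses and interface names are the
# thread's; the SNAT rule on FW1 is an assumption added here.
#
# Dry run by default (commands are printed). APPLY=1 executes them (root).
APPLY="${APPLY:-0}"

run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# FW1: public 1.2.3.4 on eth0. The PREROUTING DNAT rewrites the destination
# to FW2, but the packet then leaves through the same interface it came in
# on. The POSTROUTING SNAT makes FW2 answer to 1.2.3.4 instead of the
# client, so the reply comes back through FW1 and is un-DNATed there.
fw1_rules() {
    run iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 \
        -j DNAT --to-destination 2.3.4.5:25
    run iptables -t nat -A POSTROUTING -p tcp -o eth0 -d 2.3.4.5 --dport 25 \
        -j SNAT --to-source 1.2.3.4
    # The DNATed connection is forwarded, not delivered locally, so the
    # filter rule belongs in FORWARD and must match the translated address.
    run iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 2.3.4.5 --dport 25 \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# FW2: public 2.3.4.5 on eth0, DMZ on eth1. DNAT runs before FORWARD is
# evaluated, so the filter rule matches the mail server's DMZ address.
fw2_rules() {
    run iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 \
        -j DNAT --to-destination 192.168.100.3:25
    run iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.100.3 --dport 25 \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Prints "ok" when a ruleset function emits the rule the reply says is
# missing (ESTABLISHED,RELATED accept in FORWARD), "missing" otherwise.
has_state_rule() {
    if "$1" | grep -q -- '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'; then
        echo ok
    else
        echo missing
    fi
}

# Prints "ok" when FW1's ruleset carries the SNAT that keeps replies on path.
fw1_has_snat() {
    if fw1_rules | grep -q -- '-t nat -A POSTROUTING .* -j SNAT --to-source 1.2.3.4'; then
        echo ok
    else
        echo missing
    fi
}

# Usage:  sh fw-rules.sh fw1        (print FW1 rules)
#         APPLY=1 sh fw-rules.sh fw2 (apply FW2 rules as root)
case "${1:-}" in
    fw1) fw1_rules ;;
    fw2) fw2_rules ;;
esac
```

After applying, `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show per-rule packet counters; a DNAT counter that climbs while the matching FORWARD counter stays at zero points at the filter table, which is the gap the reply describes. One trade-off of the SNAT on FW1: the mail server sees every connection as coming from 1.2.3.4, so client addresses are lost from its logs and from any rate limiting keyed on source IP.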
