On 9/25/07, Aleksander Kamenik <aleksander@xxxxxxxxxxxxxxx> wrote:
> Indunil Jayasooriya wrote:
> > On the FIRST firewall (its internet ip address is 1.2.3.4/29) I have
> > added the rule below.
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
> >
> > That should forward port 25 to the SECOND firewall. On the SECOND
> > firewall, I have added the 2 rules below.
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
> >
> > iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
>
> First run tcpdump* or the like on the smtp box to see that incoming
> packets arrive. If they don't, see if they arrive on 2.3.4.5 etc.
> If they arrive at the destination see how much they go back (tcpdump on
> the firewall boxes).
>
> Btw, assuming both of your firewall boxes have similar iptables
> rulesets, shouldn't the first one also have a -t filter -A FORWARD ...
> -j ACCEPT rule?

No filter rule has been specified.

> Make sure you also have the ESTABLISHED,RELATED -j ACCEPT rules.

I have not added it to the PREROUTING chain. I added it just now. The
FORWARD, INPUT and OUTPUT chains have it.

> And have you made sure that the smtp box accepts connections from
> anywhere?

It is behind my second firewall. It is in the DMZ zone.

YES, it accepts connections from anywhere. Let's say I telnet to port 25
as below:

telnet 2.3.4.5 25

It accepts, it works.

Now what I need is that I want to telnet to the first firewall, then it
will forward to the second firewall, and the second firewall will
forward to the actual mail server.

> Is your MTA listening on the external interface?

eth0 is the internet ip of the firewall. eth1 is connected to the mail
server.

> * - tcpdump -i eth0 port 25
>
> Regards,
>
> --
> Aleksander Kamenik
> system administrator
> +372 6659 649
> aleksander@xxxxxxxxxxxxxxx
> Krediidiinfo AS
> http://www.krediidiinfo.ee/
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
--
Thank you
Indunil Jayasooriya
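Added example (not part of the thread above, and not either poster's code): the complete rule set the two-hop DNAT described in the thread needs, written as one shell function per firewall. The addresses and interface names are the ones from the thread (1.2.3.4 on the first firewall, 2.3.4.5 on the second, 192.168.100.3 for the mail server, eth0 facing the Internet, eth1 facing the inside); the -o eth1 match, the sysctl line and the dry-run wrapper are assumptions made for illustration. The point it adds to Aleksander's question about the missing filter rule on the first firewall: that rule has to match 2.3.4.5, the address after DNAT, because nat/PREROUTING rewrites the destination before the packet ever reaches the FORWARD chain, so a rule matching 1.2.3.4 in FORWARD would never fire.

```shell
#!/bin/sh
# Added example: full rule set for forwarding TCP/25 through two firewalls
# with DNAT on each hop. Addresses/interfaces follow the thread; "-o eth1",
# the sysctl call and the dry-run wrapper are assumptions for illustration.
# By default the commands are printed; run with APPLY=1 as root to execute.

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# First firewall (public 1.2.3.4 on eth0, second firewall reachable via eth1).
# DNAT alone is not enough: filtering happens in FORWARD *after* nat/PREROUTING
# has rewritten the destination, so the ACCEPT rule must match the post-DNAT
# address 2.3.4.5, not the public address 1.2.3.4.
fw1_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i eth0 -p tcp -d 1.2.3.4 --dport 25 \
        -j DNAT --to-destination 2.3.4.5:25
    # Replies and related traffic for connections already accepted.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the DNATed SMTP flow may open new connections inward.
    run iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 2.3.4.5 --dport 25 \
        -m state --state NEW -j ACCEPT
}

# Second firewall (2.3.4.5 on eth0, mail server 192.168.100.3 via eth1).
# Same pattern one hop further. Its replies must route back through the
# first firewall (default route), otherwise the first firewall's conntrack
# never sees them and cannot rewrite the source back to 1.2.3.4; the client
# would then get a SYN-ACK from an address it never talked to and drop it.
fw2_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i eth0 -p tcp -d 2.3.4.5 --dport 25 \
        -j DNAT --to-destination 192.168.100.3:25
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.100.3 --dport 25 \
        -m state --state NEW -j ACCEPT
}

# Usage: print both rule sets for review (dry run).
echo "# --- first firewall ---";  fw1_rules
echo "# --- second firewall ---"; fw2_rules
```

Run it as-is to review the rules, or with APPLY=1 as root on the respective box to install them. Verify hop by hop the way Aleksander suggests, with tcpdump -i eth0 port 25 on each firewall and on the mail server while a client connects to 1.2.3.4: the SYN should appear on all three, and the SYN-ACK should come back through the same three points in reverse order. A SYN that reaches the mail server while no SYN-ACK reappears on the first firewall points at the return route from the second firewall, not at the DNAT rules.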