Re: DNAT PREROUTING issue with IPTABLES

Linux Advanced Routing and Traffic Control

Indunil Jayasooriya wrote:

Hi,

I have a DNAT issue with PREROUTING.

This is my setup.

I have 2 firewalls running iptables.

Please assume 1.2.3.4/29 is the internet interface of the FIRST firewall and 2.3.4.5/29 is the internet interface of the SECOND firewall. The second one has a DMZ zone, and in that DMZ zone a mail server is running at 192.168.100.3.

Now I want to DNAT port 25 of the FIRST firewall (i.e. its IP address, 1.2.3.4/29) to the internet IP address (2.3.4.5/29) of the SECOND firewall. That firewall DNATs port 25 to the mail server at 192.168.100.3 in the DMZ zone.

These are the rules I have added.

On the FIRST firewall (its internet IP address is 1.2.3.4/29) I have added the rule below.

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25

That should forward port 25 to the SECOND firewall. On the SECOND firewall, I have added the 2 rules below.

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25

iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT

Now, it should forward port 25 to the mail server in the DMZ zone.

I think I have added these rules properly. But it does not work.

I checked from the outside world. I telnetted to port 25 of the first firewall. Then it should forward to the mail server in the DMZ zone.
But there is no response.

WHY is that?

YOUR IDEAS?


Could it be a problem of SNAT?

I try to explain my guess:
FW1: firewall at 1.2.3.4
FW2: firewall at 2.3.4.5
SRV: mail server at 192.168.100.3

I telnet to FW1 on port 25 from a PC with IP address 4.5.6.7.
FW1 forwards the connection to FW2.
FW2 forwards the connection to SRV.
SRV now receives packets from 4.5.6.7 and sends packets back to that address.
I think that the connection will fail if those packets, on their way to 4.5.6.7, get SNATed to an address different from 1.2.3.4.

Apologies for my poor English !

--
Thank you
Indunil Jayasooriya

You're welcome
Riccardo Penco
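The following rule sets are an added example, not code from either poster. They show the chained DNAT with the missing piece the reply points at: a SNAT on FW1 so that FW2 and the mail server see the connection coming from 1.2.3.4 and answer through FW1, where conntrack undoes both translations. Without it, the SYN/ACK leaves FW2 with source 2.3.4.5, and the client, which sent its SYN to 1.2.3.4, discards it. The addresses are the thread's; the interface names (eth0 as the internet side on both firewalls, eth1 as FW2's DMZ side) and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): chained DNAT FW1 -> FW2 -> SRV
# with a return-path SNAT on FW1. Interface names are assumptions: eth0 is the
# internet side on both firewalls, eth1 is FW2's DMZ side.
# Usage: "sh chain-dnat.sh fw1" on FW1, "sh chain-dnat.sh fw2" on FW2;
# set DRY_RUN=1 to print the commands instead of applying them.
set -eu

FW1_IP=1.2.3.4          # FW1 internet address, the one clients connect to
FW2_IP=2.3.4.5          # FW2 internet address
SRV_IP=192.168.100.3    # mail server in FW2's DMZ
WAN_IF=eth0             # assumed internet interface on both firewalls
DMZ_IF=eth1             # assumed DMZ interface on FW2

# run: execute a command, or print it on one line when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# fw1_rules: accept SMTP for 1.2.3.4, hand it to FW2, and rewrite the source
# to 1.2.3.4 so every reply comes back through FW1. Without the SNAT the
# reply is sent directly by FW2 with source 2.3.4.5 and the client drops it.
fw1_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$FW1_IP" --dport 25 \
        -j DNAT --to-destination "$FW2_IP:25"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -d "$FW2_IP" --dport 25 \
        -j SNAT --to-source "$FW1_IP"
    # The forwarded packet enters and leaves on the same interface (hairpin),
    # so the FORWARD rule must allow eth0 -> eth0.
    run iptables -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -p tcp -d "$FW2_IP" --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# fw2_rules: the thread's DNAT to the DMZ host, plus the ESTABLISHED,RELATED
# rule that a DROP policy on FORWARD needs for the replies.
fw2_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$FW2_IP" --dport 25 \
        -j DNAT --to-destination "$SRV_IP:25"
    run iptables -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$SRV_IP" --dport 25 \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    fw1) fw1_rules ;;
    fw2) fw2_rules ;;
esac
```

The trade-off of the SNAT is that the mail server no longer sees the real client address (4.5.6.7 in the reply's example), only 1.2.3.4, which matters for SMTP logging, rate limiting and any DNSBL or greylisting checks; the alternative, having FW2 route replies for such connections back via FW1, is not possible here because FW2 cannot tell those packets from ordinary internet traffic arriving on eth0 for 2.3.4.5. `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the thread.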
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
