iptables question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

on Sat, Jul 03, 2004 at 05:18:06PM -0500, Gregory Nowak wrote:
> Hi all.
> 
> I am trying to setup iptables to transparently redirect out-bound
> traffic to any host on port 25 to instead go to IP address
> aaa.bbb.ccc.ddd on port 25. So, after doing some searching with
> google, and some playing around, I have the following line in my
> firewall script:
> 
> iptables -t nat -A POSTROUTING -p tcp -o $eth0 --dport 25 -j DNAT
> --to-source aaa.bbb.ccc.ddd

- From a quick look at the iptables man page I see:

This target is only valid in the nat table, in the PREROUTING and OUTPUT
chains, and user-defined  chains  which  are only  called  from those
chains.  It specifies that the destination address of the packet should
be modified (and all future packets in this connection will also be
mangled), and rules should cease being examined.

So it looks like you need to put it in prerouting instead of
postrouting.

> When I run my firewall script to make the new changes take effect, I
> get no errors, but I still don't get the desired effect (I.E. doing
> telnet speech.braille.uwo.ca 25 for example, still gives me Trying
> 129.100.109.30... instead of Trying aaa.bbb.ccc.ddd...

I think if it is done correctly you will get this result, but you should
get the prompt message from aaa.bbb.cccc.ddd

Remember the trying whatever message is coming from telnet not over the
connection and as far as telnet is concerned it is connecting to
129.100.109.30. If I understand corectly this is the essence of
transparency.

> Can someone please show me what I'm doing wrong, because everything
> looks right to me, (although it obviously isn't), and I'm out of
> ideas.

If the above don't work then so am I.

> BTW, I'd prefer to use a full host name in iptables, instead of the IP
> address, however, I get an error when I try that. Am I missing
> something here as well? Thanks for any help in advance.

This host name would be resolved at the time the rules are loaded and
then would not be changed if the DNS records changed. This is likely to
lead to strange behavior eventually.

- -- 
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan

Thomas Stivers	e-mail: stivers_t at tomass.dyndns.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA50AT5JK61UXLur0RAjlLAJ9KUPmRHxnvJJrmywm07nH7Hw1RqgCfZXlw
Iqx+Sa/OYG0QQuQKPJCyDGE=
=IrfN
-----END PGP SIGNATURE-----




[Index of Archives]     [Linux for the Blind]     [Fedora Discussioin]     [Linux Kernel]     [Yosemite News]     [Big List of Linux Books]
  Powered by Linux