doing prerouting/postrouting/output logfile problems

> > firewall
> > eth0 = x.x.x.x (public ip)
> > eth1 = 192.168.2.1 (internal ip)
> >
> > webserver
> >
> > eth0 = 192.168.2.2
> >
> >  ${IPTABLES} -t nat -A PREROUTING -p tcp -d x.x.x.x --dport 80 -j DNAT --to-destination 192.168.2.2
> 
> >  ${IPTABLES} -t nat -A POSTROUTING -p tcp -d 192.168.2.2 --dport 80 -j SNAT --to-source 192.168.2.1
> 
> >  ${IPTABLES} -t nat -A OUTPUT -p tcp -d x.x.x.x --dport 80 -j DNAT --to-destination 192.168.2.2
> 
> If you remove the SNAT rule from the POSTROUTING chain you will get
> correct entries in your webserver logfile.  However this will then break
> your internal clients being able to access the public IP of the webserver
> (because the reply will come back from the private IP and the client will
> not be happy).
> 
> I suggest you modify the SNAT rule so that it only applies to packets
> from your local network:
> 
> ${IPTABLES} -t nat -A POSTROUTING -p tcp -s 192.168.2.0/24 -d 192.168.2.2 --dport 80 -j SNAT --to-source 192.168.2.1
> 
> Then you will see correct public IPs in your webserver logfile for
> external visitors, and 192.168.2.1 for all internal accesses - presumably
> you'd be happy with this?
> 
> > I also use these lines to do mail traffic and I had some problems
> > with open relaying.
> 
> Open relaying is (a) a very bad thing to do, (b) nothing to do with
> netfilter rules, and (c) quite likely to get your mail server blocked by
> various anti-spam databases.  I suggest you correct your mail server
> configuration file so that it is not an open relay.
> 
> > Also because 192.168.2.1 was allowed to mail.

	Presumably he was SNATting all packets originally... if he happened to be
	SNATting stuff through port 25, the mailserver wouldn't know to block mail
	from outside.... since ... everything looked like it was inside ... or at
	least the firewall...
	 
	Alistair
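The NAT behaviour discussed in this thread, as an added example that is not part of the original posts: a small Python model of the PREROUTING DNAT and the three POSTROUTING SNAT variants (the original rule that SNATs everything, the rule removed, and the suggested rule restricted with `-s 192.168.2.0/24`). It does not run iptables; each rule is re-expressed as a function so the source address the server logs and whether the reply gets back to the client can be checked offline. Assumptions not in the thread: 203.0.113.10 stands in for the public x.x.x.x, 198.51.100.7 and 192.168.2.50 are constructed external and internal clients, port 25 is NATed the same way as port 80 (Alistair's reading of the mail problem), and the mail server decides whether to relay purely by source address.

```python
# Added example (not from the mailing-list thread): a model of the NAT path
# discussed above. Real iptables/conntrack is not invoked; the rules are
# re-expressed as Python functions so the effect on the server's logged
# source address and on the reply path can be checked offline.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"        # constructed stand-in for x.x.x.x on eth0
FW_LAN_IP = "192.168.2.1"         # firewall eth1, used as --to-source
WEB_IP = "192.168.2.2"            # internal server (web, and assumed mail)
LAN = ip_network("192.168.2.0/24")
NAT_PORTS = {80, 25}              # 80 from the thread; 25 assumed for the mail case


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def prerouting_dnat(pkt: Packet) -> Packet:
    """-t nat -A PREROUTING -p tcp -d x.x.x.x --dport <port> -j DNAT --to-destination 192.168.2.2"""
    if pkt.dst == PUBLIC_IP and pkt.dport in NAT_PORTS:
        return replace(pkt, dst=WEB_IP)
    return pkt


def postrouting_snat(pkt: Packet, mode: str) -> Packet:
    """mode 'all'     : the original rule, SNAT every packet to the server
       mode 'lan-only': the suggested rule with -s 192.168.2.0/24 added
       mode 'none'    : SNAT rule removed"""
    if mode not in ("all", "lan-only", "none"):
        raise ValueError(mode)
    if mode == "none" or pkt.dst != WEB_IP or pkt.dport not in NAT_PORTS:
        return pkt
    if mode == "lan-only" and ip_address(pkt.src) not in LAN:
        return pkt
    return replace(pkt, src=FW_LAN_IP)


def source_seen_by_server(client_ip: str, mode: str, dport: int = 80) -> str:
    """Source address the internal server logs for a client hitting x.x.x.x:dport."""
    pkt = Packet(src=client_ip, dst=PUBLIC_IP, dport=dport)
    return postrouting_snat(prerouting_dnat(pkt), mode).src


def reply_reaches_client(client_ip: str, mode: str, dport: int = 80) -> bool:
    """Whether the server's reply gets back through the firewall's conntrack entry."""
    seen = source_seen_by_server(client_ip, mode, dport)
    if seen == FW_LAN_IP:
        return True            # reply is addressed to the firewall, SNAT+DNAT are undone
    if ip_address(client_ip) not in LAN:
        return True            # external client: reply routes out via the firewall
    # Client and server share the LAN: the reply goes directly with src 192.168.2.2,
    # but the client opened a connection to x.x.x.x, so it rejects the answer.
    return False


def relay_trusted_by_ip(client_ip: str, mode: str) -> bool:
    """Assumed mail-server policy: relay for source addresses inside the LAN.
    Shows why SNATting everything makes every outside sender look internal."""
    return ip_address(source_seen_by_server(client_ip, mode, 25)) in LAN


if __name__ == "__main__":
    for mode in ("all", "none", "lan-only"):
        for client in ("198.51.100.7", "192.168.2.50"):   # constructed clients
            print(f"{mode:8} {client:13} server log={source_seen_by_server(client, mode):13} "
                  f"reply_ok={reply_reaches_client(client, mode)!s:5} "
                  f"relay_trusted={relay_trusted_by_ip(client, mode)}")
```

Running the block prints the six combinations. Only the `lan-only` variant gives real addresses in the log for external visitors while keeping internal clients working, and it is also the only one of the two SNAT variants under which an outside sender on port 25 does not appear to the mail server as 192.168.2.1.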


