DNAT Turnaround Problem

I'm new to iptables and am having a newbie problem.

I've set up a Linux box in a DMZ to send SMTP traffic to a mail server over port 8025 behind a firewall. The incoming SMTP traffic is converted to port 8025 and sent to the gateway address of the DMZ in the firewall through DNAT. The firewall then NATs the traffic to the SMTP server behind the firewall.

I can telnet from the Linux box to port 8025 on the mail server without a problem. When I telnet to port 8025 on the external address of the Linux box, the packets make it through to the mail server (confirmed via the server log), but the responses from the mail server aren't making it back to the originating telnet client.

Any help will be greatly appreciated.

Red Hat 9.0, kernel 2.4.20-24.9
iptables v1.2.7a

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 10000 -j ACCEPT  --syn
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 -j ACCEPT  --syn
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 64.65.196.6 -d 0/0 --sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -j ACCEPT
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Inbound SMTP arriving on eth0: rewrite the destination to the firewall's DMZ address, port 8025
-A PREROUTING -p tcp -m tcp -i eth0 --dport 25 -j DNAT --to-destination 192.168.3.2-192.168.3.2:8025-8025
# Locally generated connections to port 8025: redirect them to this box's own port 25
-A OUTPUT -p tcp -m tcp --dport 8025 -j REDIRECT --to-ports 25-25
COMMIT
# Completed


Best regards,
Ron DiVecchia
Consultant
ForeSight Information Systems Consulting, LLC

Tel: 603.637.1011 x251
Email: rdivecchia@xxxxxxxxxxxxxxxx
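
One thing worth checking in a dump like the one above: the *nat table carries a DNAT rule but no SNAT or MASQUERADE in POSTROUTING. Whenever the box doing the DNAT is not on the target's return path (the target answers via its own default gateway instead of back through the DNAT box), the replies never cross the DNAT box's connection-tracking table, their source address is never rewritten back to the address the client connected to, and the client discards them. The script below is an added example, not code from the post above or from the netfilter project: it scans an iptables-save dump for that pattern and prints a nat table that pairs the DNAT with an SNAT so the target's replies are forced back through the forwarding box. The interface, ports and target address it is fed (eth0, 25, 192.168.3.2:8025) come from the dump; the SNAT source 192.168.3.1 is an assumed DMZ-side address of the forwarding box.

```shell
#!/bin/sh
# Added example, not from the original post or the netfilter project.
#
# check_nat_return_path: read an iptables-save dump on stdin and report every
#   DNAT rule in the *nat table when POSTROUTING carries no SNAT/MASQUERADE.
#   Exit status 1 when such rules exist, 0 otherwise.
# gen_nat_rules: print a *nat table (iptables-restore format, as on the page)
#   that pairs the DNAT with an SNAT to this box's address, so the target
#   answers to this box and conntrack reverses both translations on the reply.

check_nat_return_path() {
    awk '
        /^\*/ { table = substr($0, 2) }              # "*nat" -> "nat"
        table == "nat" && /-j DNAT/ { dnat[++n] = $0 }
        table == "nat" && /^-A POSTROUTING/ && /-j (SNAT|MASQUERADE)/ { has_snat = 1 }
        END {
            if (n > 0 && !has_snat) {
                for (i = 1; i <= n; i++)
                    print "no POSTROUTING SNAT/MASQUERADE for: " dnat[i]
                exit 1
            }
        }'
}

# Usage: gen_nat_rules EXT_IF DPORT TARGET_IP TARGET_PORT SNAT_IP
gen_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound on the external interface: rewrite the destination to the target.
-A PREROUTING -i $1 -p tcp -m tcp --dport $2 -j DNAT --to-destination $3:$4
# The same connections on their way out to the target: rewrite the source to
# this box, so the target's replies are routed back here and un-NATed.
-A POSTROUTING -p tcp -m tcp -d $3 --dport $4 -j SNAT --to-source $5
COMMIT
EOF
}

# Constructed sample, modelled on the nat table posted above: DNAT present,
# nothing in POSTROUTING.
sample_dump() {
    cat <<'EOF'
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i eth0 --dport 25 -j DNAT --to-destination 192.168.3.2-192.168.3.2:8025-8025
-A OUTPUT -p tcp -m tcp --dport 8025 -j REDIRECT --to-ports 25-25
COMMIT
EOF
}

echo "== check of the sample dump =="
sample_dump | check_nat_return_path || echo "(replies to DNATed connections may bypass this box)"

echo "== corrected nat table (assumed: eth0, target 192.168.3.2:8025, SNAT to 192.168.3.1) =="
gen_nat_rules eth0 25 192.168.3.2 8025 192.168.3.1
# Load with:  gen_nat_rules eth0 25 192.168.3.2 8025 192.168.3.1 | iptables-restore
# and make sure /proc/sys/net/ipv4/ip_forward is 1 on the forwarding box.
```

The SNAT hides the original client address from the mail server (its log will show the forwarding box for every connection), which matters for anything that filters, rate-limits or logs by source IP. The alternative that keeps the client address is a route on the firewall that sends replies for those clients back via the forwarding box, which needs no SNAT but only works if the firewall can be told to route that way. Either way the forwarding box needs ip_forward enabled; the FORWARD chain in the dump above already has an ACCEPT policy, so the filter table needs no change for this.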
