iptables DNAT question with pppoe

Hi-

A little background first: I'm currently using iptables (Linux kernel 2.4.25)
on my router with 5 ethernet segments. eth0 is inbound from my ISP, eth1
and eth2 are routable IP space assigned by my provider, eth3 and eth4 are
private-numbered NATs.

I just got a DSL from my telco and I'm using PPPoE to connect it (eth5 on the
router) so that I can put a machine in for backup DNS and MX and manage it out
of this machine room.  We have 5 static IPs from our DSL provider, which if
it makes a difference, appears to really be a /29 by watching tcpdump on the
ppp interface.

The PPP is working, and the routes are correct so that the DSL IP addresses
are routed out properly from the DSL.  (ie, I can ping the DSL IP and ssh
to it.)

I have inbound port forwarding set up with DNAT rules on my primary provider's
interface, which work fine. However, I'm trying to set up DNAT rules for my
DSL address and failing.

Here's what I'm trying to do:

iptables -A INPUT -i ppp0 --protocol tcp --destination-port 587 -j ACCEPT
iptables -A FORWARD -i ppp0 --protocol tcp --destination-port 587 -j ACCEPT
iptables -t nat -A PREROUTING --protocol tcp -i ppp0 --destination <dslip> \
    --destination-port 587 -j DNAT --to <mailserver>:587

<dslip> is the IP address assigned to my DSL by the remote server
<mailserver> is the IP address of my mail server which is on eth1

Then, from a random machine not on my network, I can ping <dslip>, but when I
telnet to <dslip> port 587, the connection times out.  If I run tcpdump on ppp0,
I do see the inbound packet to port 587 from the remote machine.  If I run
tcpdump on eth1, I never see any packets to port 587.

I don't know if the input and forward ACCEPT rules are required, but I've
tried with and without.  The default rule for OUTPUT on the router is
ACCEPT.

I'm stumped, because this syntax works perfectly on the ethernet interface
from my primary provider.  This may be a routing problem, but I don't see it.
Is there any better diagnostics I can be doing to try to clear this up?

Thanks for any input.

Sincerely,
Ed Thomson <ethomson@xxxxxxxxxxxx>
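
The following is an added example, not part of the original post and not code from the netfilter project. It wraps the rule set above into a script that either prints (DRY_RUN=1, the default) or applies (DRY_RUN=0) the DNAT for one forwarded TCP port, and then lists the read-only diagnostics a practitioner would run when the forwarded packets never show up on the LAN interface: rule counters, temporary LOG rules, ip_forward, the reverse-path filter on the uplink, the kernel's route choice for the rewritten packet and its reply, and a narrowed tcpdump. The interface and address names are assumptions standing in for the placeholders in the post: ppp0 for the DSL uplink, eth1 for the mail server segment, 203.0.113.10 for <dslip>, 192.0.2.25 for <mailserver> and 198.51.100.7 for the remote test host (documentation ranges). The FORWARD rule is narrowed to the rewritten destination and uses connection tracking for the return traffic, which is tighter than accepting any packet to port 587 from the uplink.

```shell
#!/bin/sh
# Added example, not part of the original post or of any netfilter project code.
# DRY_RUN=1 (default) prints every command; DRY_RUN=0 executes it on the router.
# Assumed placeholders: ppp0 = DSL uplink, eth1 = mail server segment,
# 203.0.113.10 = <dslip>, 192.0.2.25 = <mailserver>, 198.51.100.7 = remote host.

DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# dnat_rules WAN_IF PUBLIC_IP TARGET_IP PORT
# Minimal rule set for one forwarded port:
#  - DNAT only for the public address arriving on the uplink interface;
#  - FORWARD accept matched on the rewritten destination (the packet already
#    carries TARGET_IP when it reaches FORWARD), so the hole is one host and
#    one port rather than "anything on PORT that came in on the uplink";
#  - replies admitted through connection tracking, not a second open rule.
dnat_rules() {
    wan=$1; pub=$2; target=$3; port=$4
    run iptables -t nat -A PREROUTING -i "$wan" -p tcp -d "$pub" --dport "$port" \
        -j DNAT --to-destination "$target:$port"
    run iptables -A FORWARD -i "$wan" -p tcp -d "$target" --dport "$port" \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# dnat_trace WAN_IF TARGET_IP PORT
# Temporary LOG rules at the head of nat PREROUTING and of FORWARD. If the
# first one fires and the second never does, the packet was rewritten but lost
# between the routing decision and FORWARD (no route to TARGET_IP, or the
# reverse-path filter rejected the source). Remove them afterwards with -D.
dnat_trace() {
    wan=$1; target=$2; port=$3
    run iptables -t nat -I PREROUTING 1 -i "$wan" -p tcp --dport "$port" \
        -j LOG --log-prefix "dnat-pre: "
    run iptables -I FORWARD 1 -p tcp -d "$target" --dport "$port" \
        -j LOG --log-prefix "dnat-fwd: "
}

# dnat_diagnostics WAN_IF LAN_IF TARGET_IP PORT REMOTE_IP
# Read-only checks, in the order that narrows the problem down:
#  1. packet counters: does the DNAT rule match, does FORWARD ever see it?
#  2. is forwarding on? rp_filter=1 on WAN_IF drops a packet from REMOTE_IP
#     whenever the route back to REMOTE_IP leaves through another interface,
#     which is the normal state of affairs on a router with two uplinks;
#  3. the route the kernel picks for the rewritten packet and for the reply
#     (if the reply leaves via the primary provider it carries the DSL source
#     address onto that provider's link, which they may filter);
#  4. a capture on the LAN side narrowed to the target host and port.
dnat_diagnostics() {
    wan=$1; lan=$2; target=$3; port=$4; remote=$5
    run iptables -t nat -L PREROUTING -v -n --line-numbers
    run iptables -L FORWARD -v -n --line-numbers
    run sysctl net.ipv4.ip_forward
    run cat "/proc/sys/net/ipv4/conf/$wan/rp_filter"
    run ip route get "$target" from "$remote" iif "$wan"
    run ip route get "$remote" from "$target" iif "$lan"
    run tcpdump -ni "$lan" host "$target" and tcp port "$port"
}

# Stand-alone run with the placeholder addresses. With DRY_RUN=0 this applies
# the rules and the final tcpdump keeps running until interrupted.
dnat_rules ppp0 203.0.113.10 192.0.2.25 587
dnat_trace ppp0 192.0.2.25 587
dnat_diagnostics ppp0 eth1 192.0.2.25 587 198.51.100.7
```

Run it once in dry-run mode to review the exact commands, then on the router with DRY_RUN=0 and real addresses. Read the counters on the nat PREROUTING chain first: if the DNAT rule's packet count stays at zero while tcpdump on the uplink shows the SYN, the rule is not matching; if it increments but nothing reaches FORWARD, look at the rp_filter value and the two `ip route get` answers before anything else.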

