Port Forwarding only works outside?

Port Forwarding only works outside?

[Todd Hartman]

[-- Attachment #1: Type: text/plain, Size: 792 bytes --]

I've come across an issue I just don't know how to solve. I'm not even
certain it's an issue with iptables itself, but I thought that someone here
might have run across this before and have some advice.
 
I've got a RH7.3 box set up with two NICs. Eth0 is external and eth1 is
internal. Internal network is 192.168.1.* with netmask 255.255.255.128. I
need to forward traffic on eth0, port 25 to 192.168.1.29. The firewall is
192.168.1.1 - both in the same subnet as I understand it.
 
When I forward SMTP traffic to 192.168.1.29 and try to telnet to port 25 to
test SMTP, it just sits there, unresponsive. BUT, if I forward eth0 port 25
traffic to a machine out on the internet, it works just fine.
 
I suspect a networking problem, but I don't know well enough to pin it down
myself.
 
-T
 

[-- Attachment #2: Type: text/html, Size: 1856 bytes --]

Re: Port Forwarding only works outside?

[Sander Sneekes]

try 

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -A FORWARD -p tcp --dport 25 -d 192.168.1.29 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 25 -d x.x.x.x -j DNAT --to
192.168.1.29

x.x.x.x = eth0 external ip

On Tue, 2002-12-10 at 16:31, Todd Hartman wrote:
> I've come across an issue I just don't know how to solve. I'm not even
> certain it's an issue with iptables itself, but I thought that someone
> here might have run across this before and have some advice.
>  
> I've got a RH7.3 box set up with two NICs. Eth0 is external and eth1
> is internal. Internal network is 192.168.1.* with netmask
> 255.255.255.128. I need to forward traffic on eth0, port 25 to
> 192.168.1.29. The firewall is 192.168.1.1 - both in the same subnet as
> I understand it.
>  
> When I forward SMTP traffic to 192.168.1.29 and try to telnet to port
> 25 to test SMTP, it just sits there, unresponsive. BUT, if I forward
> eth0 port 25 traffic to a machine out on the internet, it works just
> fine.
>  
> I suspect a networking problem, but I don't know well enough to pin it
> down myself.
>  
> -T
>  

RE: Port Forwarding only works outside?

[Brad Morgan]

Given the netmask in the original post I think the first rule should be:

iptables -t nat -A POSTROUTING -s 192.168.1.0/25 -j MASQUERADE

Regards,

Brad

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Sander Sneekes
Sent: Tuesday, December 10, 2002 9:29 AM
To: Todd Hartman
Cc: 'netfilter@lists.netfilter.org'
Subject: Re: Port Forwarding only works outside?


try 

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
iptables -A FORWARD -p tcp --dport 25 -d 192.168.1.29 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 25 -d x.x.x.x -j DNAT --to
192.168.1.29

x.x.x.x = eth0 external ip

On Tue, 2002-12-10 at 16:31, Todd Hartman wrote:
> I've come across an issue I just don't know how to solve. I'm not even
> certain it's an issue with iptables itself, but I thought that someone
> here might have run across this before and have some advice.
>  
> I've got a RH7.3 box set up with two NICs. Eth0 is external and eth1
> is internal. Internal network is 192.168.1.* with netmask
> 255.255.255.128. I need to forward traffic on eth0, port 25 to
> 192.168.1.29. The firewall is 192.168.1.1 - both in the same subnet as
> I understand it.
>  
> When I forward SMTP traffic to 192.168.1.29 and try to telnet to port
> 25 to test SMTP, it just sits there, unresponsive. BUT, if I forward
> eth0 port 25 traffic to a machine out on the internet, it works just
> fine.
>  
> I suspect a networking problem, but I don't know well enough to pin it
> down myself.
>  
> -T
>  

RE: Port Forwarding only works outside?

[Todd Hartman]

I tried the suggestion and I'm sorry to say that it didn't work either. I
realize I didn't give very exacting details on what we had already. I'll do
that now. Here's the /etc/sysconfig/iptables file I'm currently working
with. This was generated through the webmin interface.

  # Generated by iptables-save v1.2.5 on Tue Dec 10 10:52:38 2002
  *nat
  :OUTPUT ACCEPT [0:0]
  :PREROUTING ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  -A POSTROUTING -o eth0 -j MASQUERADE
  -A PREROUTING -p tcp -m tcp -i eth0 --dport 25 -j DNAT --to-destination
192.168.1.29:25
  COMMIT
  # Completed on Tue Dec 10 10:52:38 2002
  # Generated by iptables-save v1.2.5 on Tue Dec 10 10:52:38 2002
  *mangle
  :PREROUTING ACCEPT [272:72783]
  :INPUT ACCEPT [6571:1221017]
  :FORWARD ACCEPT [2516:1428106]
  :OUTPUT ACCEPT [296:174336]
  :POSTROUTING ACCEPT [7989:3971198]
  COMMIT
  # Completed on Tue Dec 10 10:52:38 2002
  # Generated by iptables-save v1.2.5 on Tue Dec 10 10:52:38 2002
  *filter
  :INPUT ACCEPT [273:72823]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [296:174336]
  COMMIT
  # Completed on Tue Dec 10 10:52:38 2002

I have another server at home that's doing pretty much the same thing with
different ports (for games on a machine behind the firewall) and that's
working fine. If I change that 192.168.1.29:25 to my home server's IP, it
forwards just fine. Also, on this firwall, I can telnet to 192.168.1.29 25
but I can't seem to forward to it.

-T

-----Original Message-----
From: Sander Sneekes [mailto:sander@dmdsecure.com] 
Sent: Tuesday, December 10, 2002 10:29 AM
To: Todd Hartman
Cc: 'netfilter@lists.netfilter.org'
Subject: Re: Port Forwarding only works outside?


try 

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE iptables -A
FORWARD -p tcp --dport 25 -d 192.168.1.29 -j ACCEPT iptables -A PREROUTING
-t nat -p tcp --dport 25 -d x.x.x.x -j DNAT --to 192.168.1.29

x.x.x.x = eth0 external ip

On Tue, 2002-12-10 at 16:31, Todd Hartman wrote:
> I've come across an issue I just don't know how to solve. I'm not even
> certain it's an issue with iptables itself, but I thought that someone 
> here might have run across this before and have some advice.
>  
> I've got a RH7.3 box set up with two NICs. Eth0 is external and eth1
> is internal. Internal network is 192.168.1.* with netmask 
> 255.255.255.128. I need to forward traffic on eth0, port 25 to 
> 192.168.1.29. The firewall is 192.168.1.1 - both in the same subnet as 
> I understand it.
>  
> When I forward SMTP traffic to 192.168.1.29 and try to telnet to port
> 25 to test SMTP, it just sits there, unresponsive. BUT, if I forward 
> eth0 port 25 traffic to a machine out on the internet, it works just 
> fine.
>  
> I suspect a networking problem, but I don't know well enough to pin it
> down myself.
>  
> -T
>  

Re: Port Forwarding only works outside?

[Andrea Rossato]

iptables -A POSTROUTING -o eth1 -j MASQERADE
you need to change source address of the forwarded traffic, so that it 
can go back for the same way it came in from.

andrea
 >

Todd Hartman wrote:
> I tried the suggestion and I'm sorry to say that it didn't work either. I
> realize I didn't give very exacting details on what we had already. I'll do
> that now. Here's the /etc/sysconfig/iptables file I'm currently working
> with. This was generated through the webmin interface.
> 
>   # Generated by iptables-save v1.2.5 on Tue Dec 10 10:52:38 2002
>   *nat
>   :OUTPUT ACCEPT [0:0]
>   :PREROUTING ACCEPT [0:0]
>   :POSTROUTING ACCEPT [0:0]
>   -A POSTROUTING -o eth0 -j MASQUERADE
>   -A PREROUTING -p tcp -m tcp -i eth0 --dport 25 -j DNAT --to-destination
> 192.168.1.29:25
>   COMMIT
>   # Completed on Tue Dec 10 10:52:38 2002
>   # Generated by iptables-save v1.2.5 on Tue Dec 10 10:52:38 2002
>   *mangle
>   :PREROUTING ACCEPT [272:72783]
>   :INPUT ACCEPT [6571:1221017]
>   :FORWARD ACCEPT [2516:1428106]
>   :OUTPUT ACCEPT [296:174336]
>   :POSTROUTING ACCEPT [7989:3971198]
>   COMMIT
>   # Completed on Tue Dec 10 10:52:38 2002
>   # Generated by iptables-save v1.2.5 on Tue Dec 10 10:52:38 2002
>   *filter
>   :INPUT ACCEPT [273:72823]
>   :FORWARD ACCEPT [0:0]
>   :OUTPUT ACCEPT [296:174336]
>   COMMIT
>   # Completed on Tue Dec 10 10:52:38 2002
> 
> I have another server at home that's doing pretty much the same thing with
> different ports (for games on a machine behind the firewall) and that's
> working fine. If I change that 192.168.1.29:25 to my home server's IP, it
> forwards just fine. Also, on this firwall, I can telnet to 192.168.1.29 25
> but I can't seem to forward to it.
> 
> -T
> 
> -----Original Message-----
> From: Sander Sneekes [mailto:sander@dmdsecure.com] 
> Sent: Tuesday, December 10, 2002 10:29 AM
> To: Todd Hartman
> Cc: 'netfilter@lists.netfilter.org'
> Subject: Re: Port Forwarding only works outside?
> 
> 
> try 
> 
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE iptables -A
> FORWARD -p tcp --dport 25 -d 192.168.1.29 -j ACCEPT iptables -A PREROUTING
> -t nat -p tcp --dport 25 -d x.x.x.x -j DNAT --to 192.168.1.29
> 
> x.x.x.x = eth0 external ip
> 
> On Tue, 2002-12-10 at 16:31, Todd Hartman wrote:
> 
>>I've come across an issue I just don't know how to solve. I'm not even
>>certain it's an issue with iptables itself, but I thought that someone 
>>here might have run across this before and have some advice.
>> 
>>I've got a RH7.3 box set up with two NICs. Eth0 is external and eth1
>>is internal. Internal network is 192.168.1.* with netmask 
>>255.255.255.128. I need to forward traffic on eth0, port 25 to 
>>192.168.1.29. The firewall is 192.168.1.1 - both in the same subnet as 
>>I understand it.
>> 
>>When I forward SMTP traffic to 192.168.1.29 and try to telnet to port
>>25 to test SMTP, it just sits there, unresponsive. BUT, if I forward 
>>eth0 port 25 traffic to a machine out on the internet, it works just 
>>fine.
>> 
>>I suspect a networking problem, but I don't know well enough to pin it
>>down myself.
>> 
>>-T
>> 
> 
> 

RE: Port Forwarding only works outside?

[Todd Hartman]

This seemed to do the trick! Thanks. (Though I'm not sure why it's working
now when my box at home doesn't have this and IT works okay. Very strange
indeed. Oh well.)

-T


-----Original Message-----
From: Andrea Rossato [mailto:mailing_list@istitutocolli.org] 
Sent: Tuesday, December 10, 2002 11:53 AM
To: netfilter@lists.netfilter.org
Subject: Re: Port Forwarding only works outside?


iptables -A POSTROUTING -o eth1 -j MASQERADE
you need to change source address of the forwarded traffic, so that it 
can go back for the same way it came in from.

andrea
 >

Todd Hartman wrote:
> I tried the suggestion and I'm sorry to say that it didn't work 
> either. I realize I didn't give very exacting details on what we had 
> already. I'll do that now. Here's the /etc/sysconfig/iptables file I'm 
> currently working with. This was generated through the webmin 
> interface.
> 
>   # Generated by iptables-save v1.2.5 on Tue Dec 10 10:52:38 2002
>   *nat
>   :OUTPUT ACCEPT [0:0]
>   :PREROUTING ACCEPT [0:0]
>   :POSTROUTING ACCEPT [0:0]
>   -A POSTROUTING -o eth0 -j MASQUERADE
>   -A PREROUTING -p tcp -m tcp -i eth0 --dport 25 -j DNAT 
> --to-destination 192.168.1.29:25
>   COMMIT
>   # Completed on Tue Dec 10 10:52:38 2002
>   # Generated by iptables-save v1.2.5 on Tue Dec 10 10:52:38 2002
>   *mangle
>   :PREROUTING ACCEPT [272:72783]
>   :INPUT ACCEPT [6571:1221017]
>   :FORWARD ACCEPT [2516:1428106]
>   :OUTPUT ACCEPT [296:174336]
>   :POSTROUTING ACCEPT [7989:3971198]
>   COMMIT
>   # Completed on Tue Dec 10 10:52:38 2002
>   # Generated by iptables-save v1.2.5 on Tue Dec 10 10:52:38 2002
>   *filter
>   :INPUT ACCEPT [273:72823]
>   :FORWARD ACCEPT [0:0]
>   :OUTPUT ACCEPT [296:174336]
>   COMMIT
>   # Completed on Tue Dec 10 10:52:38 2002
> 
> I have another server at home that's doing pretty much the same thing 
> with different ports (for games on a machine behind the firewall) and 
> that's working fine. If I change that 192.168.1.29:25 to my home 
> server's IP, it forwards just fine. Also, on this firwall, I can 
> telnet to 192.168.1.29 25 but I can't seem to forward to it.
> 
> -T
> 
> -----Original Message-----
> From: Sander Sneekes [mailto:sander@dmdsecure.com]
> Sent: Tuesday, December 10, 2002 10:29 AM
> To: Todd Hartman
> Cc: 'netfilter@lists.netfilter.org'
> Subject: Re: Port Forwarding only works outside?
> 
> 
> try
> 
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE 
> iptables -A FORWARD -p tcp --dport 25 -d 192.168.1.29 -j ACCEPT 
> iptables -A PREROUTING -t nat -p tcp --dport 25 -d x.x.x.x -j DNAT 
> --to 192.168.1.29
> 
> x.x.x.x = eth0 external ip
> 
> On Tue, 2002-12-10 at 16:31, Todd Hartman wrote:
> 
>>I've come across an issue I just don't know how to solve. I'm not even 
>>certain it's an issue with iptables itself, but I thought that someone 
>>here might have run across this before and have some advice.
>> 
>>I've got a RH7.3 box set up with two NICs. Eth0 is external and eth1 
>>is internal. Internal network is 192.168.1.* with netmask 
>>255.255.255.128. I need to forward traffic on eth0, port 25 to 
>>192.168.1.29. The firewall is 192.168.1.1 - both in the same subnet as 
>>I understand it.
>> 
>>When I forward SMTP traffic to 192.168.1.29 and try to telnet to port 
>>25 to test SMTP, it just sits there, unresponsive. BUT, if I forward 
>>eth0 port 25 traffic to a machine out on the internet, it works just 
>>fine.
>> 
>>I suspect a networking problem, but I don't know well enough to pin it 
>>down myself.
>> 
>>-T
>> 
> 
>