From: Joel Newkirk <netfilter@newkirk.us>
To: oarojo@intermediacorp.com, netfilter@lists.netfilter.org
Subject: Re: netfilter digest, Vol 1 #514 - 7 msgs (was Re: portforwarding-HOWTO)
Date: Fri, 10 Jan 2003 15:07:12 -0500
Message-ID: <200301101507.12420.netfilter@newkirk.us>
In-Reply-To: <14780.192.168.0.1.1042018341.squirrel@mail.intermediacorp.com>
On Wednesday 08 January 2003 04:32 am, oarojo@intermediacorp.com wrote:
> Yes I'm using telnet from other network...
Please snip unrelated material out of a digest message when replying -
the other six messages had nothing to do with this... A single-line
response with over 450 quoted lines is a big waste, especially since you
didn't sign the response making it appear that there might be more you
had added further on in the quoted part.
Also, you don't answer the first question I posed, or the one another
helpful participant offered.
You said you have a mail server behind your firewall and are trying to
DNAT connections to it from the internet. You listed two DNAT rules
(which appeared correct) and two FORWARD rules to let the traffic reach
the mail server (which also appeared correct).
Since you don't offer much detail apart from this about the setup, we
asked if you have a rule allowing the return traffic back through the
FORWARD chain, and whether you have forwarding enabled with:
echo "1" > /proc/sys/net/ipv4/ip_forward
At least that's what I believe the other reply meant. He actually asked
"Did you turn on Masquerading?", but MASQUERADE in iptables syntax is a
form of SNAT, while Masquerade in general is simply NAT used to hide
multiple machines, neither of which has any direct bearing on DNAT to a
mailserver, so I'm making a guess as to what the question really
intended.
Finally, you said you try telnetting to the IP, port 25, and get no
response. Is there a service running on the mailserver that is properly
configured to respond to a telnet connection to port 25 from the
internet? If this is the only DNAT you are attempting so far, you might
be better served trying it to port 80 with apache running on
192.168.0.5, until you confirm that your DNAT and FORWARD rules and
everything else are working as expected, THEN change over to port 25/110
with mail server (sendmail?) running and that way any failure at that
last step is then very likely a problem with mail configuration, rather
than firewall DNAT and forwarding.
j
> > Do you have a FORWARD rule to allow return traffic back out? You
> > don't mention one, so I have to ask. Something like this would
> > work, if no other more general rule allows it:
> >
> > iptables -A FORWARD -p tcp -o eth0 -s 192.168.0.5 -m multiport \
> > --sport 25,110 -j ACCEPT
> >
> > Are you trying to telnet from outside the network? If you are
> > trying to do it from the firewall box or from anywhere on the
> > 192.168 network it will fail unless you have other rules to help
> > 'guide' the traffic back through the firewall. (of course the
> > rules you list are presumably for traffic from outside...) See
> > Oskar's tutorial's DNAT info at:
> > http://iptables-tutorial.frozentux.net/chunkyhtml/targets.html#DNATTARGET
> > where he explains the problem and the solution, if you need to
> > allow access from the local network or firewall.
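The gap the message keeps coming back to (DNAT rules and inbound FORWARD rules present, nothing accepting the mail server's replies) can be checked mechanically. The following is an added example, not code from the thread or from netfilter: it parses a constructed iptables-save excerpt modelled on the setup described above and reports each DNAT target whose reply traffic no FORWARD rule accepts. It assumes replies are covered either by a stateful ESTABLISHED rule or by an explicit rule with -s <host> and a --sport/--sports port list (port ranges are not handled).

```python
import re

# Constructed iptables-save excerpt modelled on the thread: two DNAT rules
# and two FORWARD rules toward the mail server, but nothing for the replies.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.5:25
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.5:110
COMMIT
*filter
-A FORWARD -i eth0 -p tcp -m tcp -d 192.168.0.5/32 --dport 25 -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp -d 192.168.0.5/32 --dport 110 -j ACCEPT
COMMIT
"""


def parse_rules(dump):
    """Group the '-A <chain> ...' lines of an iptables-save dump by table."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, [])
        elif line.startswith("-A ") and table is not None:
            tables[table].append(line)
    return tables


def _opt(rule, flag):
    """Value following a whitespace-delimited option such as -s or --sport."""
    m = re.search(r"(?:^|\s)%s (\S+)" % re.escape(flag), rule)
    return m.group(1) if m else None


def missing_return_rules(dump):
    """Return (host, port) pairs that are DNAT targets but whose replies the
    FORWARD chain does not accept, via a stateful ESTABLISHED rule or an
    explicit rule matching -s <host> and --sport/--sports <port>."""
    tables = parse_rules(dump)
    forward = [r for r in tables.get("filter", []) if r.startswith("-A FORWARD ")]
    if any("ESTABLISHED" in r and "-j ACCEPT" in r for r in forward):
        return []  # stateful rule covers replies for every DNAT target
    missing = []
    for rule in tables.get("nat", []):
        if "-j DNAT" not in rule:
            continue
        host, _, port = _opt(rule, "--to-destination").partition(":")
        port = port or _opt(rule, "--dport")  # DNAT without :port keeps the original
        covered = False
        for r in forward:
            src = (_opt(r, "-s") or "").split("/")[0]  # iptables-save writes /32
            sports = _opt(r, "--sport") or _opt(r, "--sports") or ""
            if src == host and port in sports.split(",") and "-j ACCEPT" in r:
                covered = True
        if not covered:
            missing.append((host, port))
    return missing
```

Run against the excerpt it reports both DNAT targets; adding the return rule quoted above (or a state match for ESTABLISHED traffic) to the filter table empties the list.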
Thread overview:
[not found] <20030108052635.5370.76979.Mailman@kashyyyk>
2003-01-08 9:32 ` netfilter digest, Vol 1 #514 - 7 msgs oarojo
2003-01-10 20:07 ` Joel Newkirk [this message]
2003-01-10 23:27 ` ..abusive quoting, was: netfilter digest, Vol 1 #514 - 7 msgs (was Re: portforwarding-HOWTO) Arnt Karlsen