* DNAT onto the same external network
@ 2003-12-09  2:19 Örjan Persson
  2003-12-09 16:44 ` Örjan Persson
  0 siblings, 1 reply; 2+ messages in thread
From: Örjan Persson @ 2003-12-09  2:19 UTC (permalink / raw)
  To: netfilter

Hello,

I'm trying to redirect all SMTP connections to one external host to
another external host. Both of these exist on the same subnet which, if
I've understood it correctly, equals trouble. ;)

So, reading through the NAT HOWTO and lots of questions to this list,
I've tried most things but unfortunately it doesn't work.

For testing purposes I use port 2525 on the first host before taking the
mail service on that host down permanently.

This is today's situation; trying to redirect ...13:2525 to ...16:25.
                [ net ]
            ´           `
    111.222.333.13   111.222.333.16
    These are external IPs; there's no internal network.

I'm currently using Debian Woody (iptables v1.2.6a) with a freshly
compiled kernel 2.4.18 with NAT support.

The rules I think are the ones that *should* work are these:

## Change destination addresses of mail traffic to 111.222.333.16, port 25.
iptables -t nat -A PREROUTING -p tcp --dport 2525 -i eth0 \
	-j DNAT --to 111.222.333.16:25

## Destination NAT Onto the Same Network
iptables -t nat -A POSTROUTING -d 111.222.333.13 -s 0.0.0.0/0 \
        -p tcp --dport 2525 -j SNAT --to 111.222.333.16

These are also the only rules that currently exist on the machine. If I
then use these and connect from the subnet 111.222.333.0/24 the SNAT
packet counter increases; connecting from another subnet increases the
DNAT counter.

Tracing these with tcpdump shows this output:
[ 111.222.333.13 / mail1.myhostname.com ]
03:04:43.451436 externalhost.com.35736 > mail1.myhostname.com.333.222.111.in-addr.arpa.2525: S 684181285:684181285(0) win 5840 <mss 1460,sackOK,timestamp 961920999 0,nop,wscale 0> (DF) [tos 0x60]
03:04:43.451538 externalhost.com.35736 > mail2.myhostname.com.smtp: S 684181285:684181285(0) win 5840 <mss 1460,sackOK,timestamp 961920999 0,nop,wscale 0> (DF) [tos 0x60]
[...]

[ 111.222.333.16 / mail2.myhostname.com ]
04:44:46.087439 externalhost.com.35735 > mail2.myhostname.com.smtp: S 654494669:654494669(0) win 5840 <mss 1460,sackOK,timestamp 961920329 0,nop,wscale 0> (DF) [tos 0x60]
04:44:46.087480 mail2.myhostname.com.smtp > externalhost.com.35735: S 2345893112:2345893112(0) ack 654494670 win 5792 <mss 1460,sackOK,timestamp 124930458 961920329,nop,wscale 0> (DF)
04:44:46.087705 externalhost.com.35735 > mail2.myhostname.com.smtp: R 654494670:654494670(0) win 32120 [tos 0x60]
04:44:46.087923 111.222.333.1 > mail2.myhostname.com: icmp: redirect myexternalhost.com to host 111.222.333.18
[...]

I don't know why it says icmp: redirect to a host with .18; that's not a
host I know of. Anyway, this is what iptables -L -v -n -t nat says:
Chain PREROUTING (policy ACCEPT 17228 packets, 677K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          tcp dpt:2525 to:111.222.333.16:25

Chain POSTROUTING (policy ACCEPT 2106 packets, 132K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 SNAT       tcp  --  *      *       0.0.0.0/0            111.222.333.13       tcp dpt:2525 to:111.222.333.16

Chain OUTPUT (policy ACCEPT 2081 packets, 131K bytes)
 pkts bytes target     prot opt in     out     source               destination

Any ideas whatsoever will be gladly received!

Thanks in advance,
Örjan



* Re: DNAT onto the same external network
  2003-12-09  2:19 DNAT onto the same external network Örjan Persson
@ 2003-12-09 16:44 ` Örjan Persson
  0 siblings, 0 replies; 2+ messages in thread
From: Örjan Persson @ 2003-12-09 16:44 UTC (permalink / raw)
  To: netfilter

Hello again,

In case this mail reaches the mailing list I would just like to
answer my own question. I had misunderstood the SNAT command, and to get
this correct you/I need to change the IPs in the SNAT command. (This is
because this rule is for the reply FROM the source host which has been
routed to with the DNAT command.)

>
> ## Destination NAT Onto the Same Network
> iptables -t nat -A POSTROUTING -d 111.222.333.13 -s 0.0.0.0/0 \
>         -p tcp --dport 2525 -j SNAT --to 111.222.333.16

In this case this would've been -d 111.222.333.16 and --to ...13.

Cheers,
Örjan

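The failure the tcpdump capture in the first message shows (a SYN-ACK arriving from .16 at a client that connected to .13, answered with a RST) and the effect of the corrected SNAT rule can be reproduced without a kernel. The following is an added example, not code from the thread: a small Python model of host .13 as a NAT box with the PREROUTING DNAT rule from the post, one POSTROUTING SNAT rule and a conntrack table for the reverse translation. It runs two rule sets: the original one, whose SNAT rule matches -d .13 --dport 2525, and a corrected one whose SNAT rule matches the translated destination .16:25 (the nat POSTROUTING chain sees the header after DNAT has been applied) and rewrites the source to .13. The client address 198.51.100.7 and the source port 35735 are constructed; the two server addresses are the ones written in the post.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses as written in the post; the client address is constructed (RFC 5737 range).
MAIL1 = "111.222.333.13"   # old mail host, now acting as the NAT box
MAIL2 = "111.222.333.16"   # real SMTP server, same subnet as MAIL1
CLIENT = "198.51.100.7"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S", "SA" or "R", as tcpdump prints them


def fmt(p: Pkt) -> str:
    return f"{p.src}.{p.sport} > {p.dst}.{p.dport}: {p.flags}"


class NatBox:
    """Host .13 with the PREROUTING DNAT rule from the post and one POSTROUTING SNAT rule.

    snat_match is the (dst, dport) pair the SNAT rule matches on.  The nat
    POSTROUTING chain sees the header after DNAT, so a rule matching
    (.13, 2525) never fires for the forwarded SYN, while (.16, 25) does.
    """

    def __init__(self, snat_match: Optional[Tuple[str, int]]):
        self.snat_match = snat_match
        # reply 4-tuple -> the original SYN, used to undo both translations on the way back
        self.conntrack: Dict[Tuple[str, int, str, int], Pkt] = {}

    def forward(self, p: Pkt) -> Pkt:
        if p.dst == MAIL1 and p.dport == 2525:
            orig = p
            p = Pkt(p.src, p.sport, MAIL2, 25, p.flags)            # DNAT --to .16:25
            if self.snat_match == (p.dst, p.dport):
                p = Pkt(MAIL1, p.sport, p.dst, p.dport, p.flags)   # SNAT --to .13
            self.conntrack[(p.dst, p.dport, p.src, p.sport)] = orig
            return p
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conntrack:                                  # reverse-translate the reply
            o = self.conntrack[key]
            return Pkt(o.dst, o.dport, o.src, o.sport, p.flags)
        return p


def run(snat_match: Optional[Tuple[str, int]]) -> dict:
    """One client SYN to .13:2525; returns the packet trace and the client's final state."""
    box = NatBox(snat_match)
    trace = []
    sport = 35735                      # constructed, mirrors the capture in the post
    expect = (MAIL1, 2525)             # the client waits for a SYN-ACK from here

    syn = Pkt(CLIENT, sport, MAIL1, 2525, "S")
    trace.append(fmt(syn))
    fwd = box.forward(syn)
    trace.append(fmt(fwd))

    # .16 answers whatever source address the SYN carried.
    synack = Pkt(MAIL2, 25, fwd.src, fwd.sport, "SA")
    trace.append(fmt(synack))

    # Routing: a reply addressed to .13 passes back through the NAT box;
    # anything else leaves via the subnet gateway and never touches .13.
    if synack.dst == MAIL1:
        synack = box.forward(synack)
        trace.append(fmt(synack))

    if (synack.src, synack.sport) == expect:
        state = "ESTABLISHED"
    else:                              # unexpected peer: the client tears it down, as in the capture
        trace.append(fmt(Pkt(CLIENT, sport, synack.src, synack.sport, "R")))
        state = "RESET"
    return {"state": state, "trace": trace}


ORIGINAL_RULES = (MAIL1, 2525)   # SNAT -d 111.222.333.13 --dport 2525 (the post's first attempt)
CORRECTED_RULES = (MAIL2, 25)    # SNAT -d 111.222.333.16 --dport 25 --to 111.222.333.13

if __name__ == "__main__":
    for label, rules in (("DNAT only", ORIGINAL_RULES), ("DNAT + SNAT", CORRECTED_RULES)):
        result = run(rules)
        print(f"[{label}] -> {result['state']}")
        for line in result["trace"]:
            print("  ", line)
```

Running the file prints both traces. The first run reproduces the capture from the post: .16 answers the client directly because it still sees the client's real source address, and the client, which has no connection to .16:25, resets it. With the SNAT rule the reply is addressed to .13, which reverse-translates it from its conntrack entry, so the client sees a SYN-ACK from .13:2525 and the handshake completes. The price of this fix is that .16 now logs every SMTP peer as .13, which matters for spam filtering and abuse handling on the real mail host. On a 2.4 kernel the live translations can be checked in /proc/net/ip_conntrack alongside the iptables -t nat -L -v -n counters.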
