Subject: iptables DNAT question with pppoe
From: Ed Thomson @ 2004-05-04 21:31 UTC
To: netfilter
Hi-
A little background first: I'm currently using iptables (linux kernel 2.4.25)
on my router with 5 ethernet segments. eth0 is inbound from my ISP, eth1
and eth2 are routable IP space assigned by my provider, eth3 and eth4 are
private-numbered NATs.
I just got a DSL from my telco and I'm using PPPoE to connect it (eth5 on the
router) so that I can put a machine in for backup DNS and MX and manage it out
of this machine room. We have 5 static IPs from our DSL provider, which if
it makes a difference, appears to really be a /29 by watching tcpdump on the
ppp interface.
The PPP is working, and the routes are correct so that the DSL IP addresses
are routed out properly from the DSL. (ie, I can ping the DSL IP and ssh
to it.)
I have inbound port forwarding setup with DNAT rules on my primary provider's
interface, which work fine. However, I'm trying to setup DNAT rules for my
DSL address and failing.
Here's what I'm trying to do:
iptables -A INPUT -i ppp0 --protocol tcp --destination-port 587 -j ACCEPT
iptables -A FORWARD -i ppp0 --protocol tcp --destination-port 587 -j ACCEPT
iptables -t nat -A PREROUTING --protocol tcp -i ppp0 --destination <dslip> --destination-port 587 -j DNAT --to <mailserver>:587
<dslip> is the IP address assigned to my DSL by the remote server
<mailserver> is the IP address of my mail server which is on eth1
Then, from a random machine not on my network, I can ping <dslip>, but when I
telnet to <dslip> port 587, the connection times out. If I run tcpdump on ppp0,
I do see the inbound packet to port 587 from the remote machine. If I run
tcpdump on eth1, I never see any packets to port 587.
I don't know if the input and forward ACCEPT rules are required, but I've
tried with and without. The default rule for OUTPUT on the router is
ACCEPT.
I'm stumped, because this syntax works perfectly on the ethernet interface
from my primary provider. This may be a routing problem, but I don't see it.
Is there any better diagnostics I can be doing to try to clear this up?
Thanks for any input.
Sincerely,
Ed Thomson <ethomson@ravecomm.com>
Subject: Re: iptables DNAT question with pppoe
From: Alistair Tonner @ 2004-05-04 22:16 UTC
To: netfilter
On May 4, 2004 05:31 pm, Ed Thomson wrote:
> Hi-
>
> A little background first: I'm currently using iptables (linux kernel
> 2.4.25) on my router with 5 ethernet segments. eth0 is inbound from my
> ISP, eth1 and eth2 are routable IP space assigned by my provider, eth3 and
> eth4 are private-numbered NATs.
>
> I just got a DSL from my telco and I'm using PPPoE to connect it (eth5 on
> the router) so that I can put a machine in for backup DNS and MX and manage
> it out of this machine room. We have 5 static IPs from our DSL provider,
> which if it makes a difference, appears to really be a /29 by watching
> tcpdump on the ppp interface.
>
> The PPP is working, and the routes are correct so that the DSL IP addresses
> are routed out properly from the DSL. (ie, I can ping the DSL IP and ssh
> to it.)
>
> I have inbound port forwarding setup with DNAT rules on my primary
> provider's interface, which work fine. However, I'm trying to setup DNAT
> rules for my DSL address and failing.
>
> Here's what I'm trying to do:
>
> iptables -A INPUT -i ppp0 --protocol tcp --destination-port 587 -j ACCEPT
> iptables -A FORWARD -i ppp0 --protocol tcp --destination-port 587 -j ACCEPT
> iptables -t nat -A PREROUTING --protocol tcp -i ppp0 --destination <dslip>
> --destination-port 587 -j DNAT --to <mailserver>:587
>
I don't see the need for the port number in the --to switch.
You aren't changing the dport (I could be wrong about the requirement).
Why the INPUT rule? You are NOT accepting the packet locally ... you
intend to FORWARD it to the other network.
Possible issue --- mailserver default gateway being on primary ISP
address -- the packet is coming in dslip and being replied to via
primary ISP address space.
(possible cure, SNAT the dslip packets so that the <mailserver> knows where
to reply to *other* than the default gateway)
> <dslip> is the IP address assigned to my DSL by the remote server
> <mailserver> is the IP address of my mail server which is on eth1
>
> Then, from a random machine not on my network, I can ping <dslip>, but when
> I telnet to <dslip> port 587, the connection times out. If I run tcpdump
> on ppp0, I do see the inbound packet to port 587 from the remote machine.
> If I run tcpdump on eth1, I never see any packets to port 587.
Sounds like a routing issue ... The packet comes in ppp but doesn't get
moved out eth1.... If you put a LOG rule above and below the FORWARD
rule do you see the packets logged?
I'd suggest the LOG rules and posting your routing table (sanitized for
public consumption of course, but with sufficient detail to decode).
>
> I don't know if the input and forward ACCEPT rules are required, but I've
> tried with and without. The default rule for OUTPUT on the router is
> ACCEPT.
The ACCEPT rules should be needed in a properly secured environment,
as the suggested policy for FORWARD table is DROP.
>
> I'm stumped, because this syntax works perfectly on the ethernet interface
> from my primary provider. This may be a routing problem, but I don't see
> it. Is there any better diagnostics I can be doing to try to clear this up?
LOG rules in FORWARD and POSTROUTING?
>
> Thanks for any input.
>
> Sincerely,
> Ed Thomson <ethomson@ravecomm.com>
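The diagnostics and the asymmetric-return fix proposed in the reply above, as an added example that is not part of the thread: a POSIX shell script that emits (or, run as root with IPT=iptables, installs) the DNAT rule, LOG rules above and below the FORWARD ACCEPT, an egress LOG in POSTROUTING, and a SNAT that applies only to flows which entered on ppp0, so the mail server answers back through this router instead of via its default gateway on the primary ISP. Interface names ppp0 and eth1 and port 587 come from the thread; the sample addresses, the router's own eth1 address, the packet-mark value and the rp_filter check are assumptions added here.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns the reply's suggestions
# into a reproducible rule set for a router like Ed's:
#   - DNAT <dslip>:587 arriving on ppp0 to the mail server on eth1,
#   - LOG rules above and below the FORWARD ACCEPT to see where a packet stops,
#   - an egress LOG in mangle POSTROUTING (present since 2.4.18),
#   - a SNAT keyed on a packet mark for flows that entered via ppp0, so the
#     mail server's replies return through this router even though its
#     default gateway points at the primary ISP.
# Addresses, the router's eth1 address and the mark value 0x2 are assumed.
# IPT defaults to "echo iptables": unprivileged runs print the rules instead
# of installing them; use IPT=iptables as root to apply.

IPT="${IPT:-echo iptables}"
MARK="${MARK:-0x2}"

build_rules() {
    dslip="$1"         # address PPPoE assigned to ppp0
    mailserver="$2"    # mail server on eth1
    eth1_addr="$3"     # this router's own address on eth1 (assumed)
    port="${4:-587}"

    # Tag everything that arrived on ppp0 so POSTROUTING can tell these
    # flows apart from the ones the primary ISP's DNAT rules deliver.
    $IPT -t mangle -A PREROUTING -i ppp0 -j MARK --set-mark "$MARK"

    # Rewrite the destination before the routing decision.
    $IPT -t nat -A PREROUTING -i ppp0 -p tcp -d "$dslip" --dport "$port" \
        -j DNAT --to-destination "$mailserver"

    # LOG / ACCEPT / LOG. The first LOG fires for every forwarded SYN to the
    # port. The second fires only when the ACCEPT did not match, i.e. the
    # routing decision picked an output interface other than eth1 for the
    # (already DNATed) packet, which is what a bad route looks like.
    $IPT -A FORWARD -i ppp0 -p tcp --dport "$port" \
        -j LOG --log-prefix "fwd-pre-$port: "
    $IPT -A FORWARD -i ppp0 -o eth1 -p tcp -d "$mailserver" --dport "$port" \
        -j ACCEPT
    $IPT -A FORWARD -i ppp0 -p tcp --dport "$port" \
        -j LOG --log-prefix "fwd-unmatched-$port: "

    # Return traffic for the connections forwarded above.
    $IPT -A FORWARD -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Egress check: if this fires but tcpdump on eth1 stays silent, the
    # problem is past netfilter (ARP, the link, or the mail server host).
    $IPT -t mangle -A POSTROUTING -o eth1 -p tcp -d "$mailserver" \
        --dport "$port" -j LOG --log-prefix "post-$port: "

    # Fix the asymmetric return path: replies go to this router's eth1
    # address and conntrack un-NATs them back onto ppp0.
    $IPT -t nat -A POSTROUTING -o eth1 -m mark --mark "$MARK" -p tcp \
        -d "$mailserver" --dport "$port" -j SNAT --to-source "$eth1_addr"
}

# Strict reverse-path filtering on ppp0 would silently drop packets whose
# source is routed back out eth0 (the primary ISP). Worth reading before
# blaming the rules; the path argument lets the check be exercised on a
# plain file when no ppp0 exists.
rp_filter_state() {
    f="${1:-/proc/sys/net/ipv4/conf/ppp0/rp_filter}"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

if [ $# -ge 3 ]; then
    build_rules "$@"
    echo "ppp0 rp_filter: $(rp_filter_state)"
fi
```

Run `sh dnat-ppp0.sh <dslip> <mailserver> <router-eth1-addr>` to review the rules, then `IPT=iptables sh dnat-ppp0.sh ...` as root to install them; `-m state`, `-m mark` and the mangle POSTROUTING hook all exist on 2.4.25. Trade-off of the SNAT: the mail server's logs and any sender-based filtering see the router's eth1 address for every DSL-originated connection. If that matters, the alternative is source-based policy routing on the mail server host so that replies to DSL clients leave via the router without rewriting the source, which goes beyond what the thread covers.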