* still can't FORWARD tcp on 25 port to another destination...
From: Stanislav Puffler DiS. @ 2004-03-12 14:56 UTC (permalink / raw)
To: Netfilter Mailing List
Hello,
I still can't FORWARD any incoming tcp packets (port 25) from the Internet
coming to my external interface eth0 (82.142.67.253) to a destination in
my network (192.168.200.2). Here is my complete ruleset from
iptables-save. I have been 2 days without any idea or success :( Could anyone
help please?
# Generated by iptables-save v1.2.6a on Fri Mar 12 14:53:44 2004
*nat
:PREROUTING ACCEPT [342:36496]
:POSTROUTING ACCEPT [42:3408]
:OUTPUT ACCEPT [66:5557]
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A PREROUTING -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
-A PREROUTING -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.200.2:25
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Mar 12 14:53:44 2004
# Generated by iptables-save v1.2.6a on Fri Mar 12 14:53:44 2004
*filter
:INPUT DROP [83:8337]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:spoofing - [0:0]
:syn_flood - [0:0]
:tcp_segmenty - [0:0]
:udp_pakety - [0:0]
-A INPUT -i eth0 -p tcp -j tcp_segmenty
-A INPUT -i eth0 -p udp -j udp_pakety
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth0 -j spoofing
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn_flood
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -s 80.95.96.7 -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -j spoofing
-A FORWARD -d 192.168.200.2 -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -s 192.168.0.1 -j ACCEPT
-A OUTPUT -s 192.168.200.1 -j ACCEPT
-A OUTPUT -s 82.142.67.253 -j ACCEPT
-A spoofing -s 192.168.0.0/255.255.0.0 -j DROP
-A spoofing -s 172.16.0.0/255.240.0.0 -j DROP
-A spoofing -s 10.0.0.0/255.0.0.0 -j DROP
-A syn_flood -m limit --limit 1/sec -j RETURN
-A syn_flood -j DROP
-A tcp_segmenty -p tcp -m tcp --dport 25 -j ACCEPT
-A tcp_segmenty -p tcp -m tcp --dport 80 -j ACCEPT
-A udp_pakety -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Fri Mar 12 14:53:44 2004
Thanks in advance,
Stanislav Puffler.
* Re: still can't FORWARD tcp on 25 port to another destination...
From: Stanislav Puffler DiS. @ 2004-03-12 16:54 UTC (permalink / raw)
To: Netfilter Mailing List
Stanislav Puffler DiS. wrote:
> Hello,
> I still can't FORWARD any incoming tcp packets (port 25) from the Internet
> coming to my external interface eth0 (82.142.67.253) to a destination in
> my network (192.168.200.2). Here is my complete ruleset from
> iptables-save. I have been 2 days without any idea or success :( Could anyone
> help please?
>
> # Generated by iptables-save v1.2.6a on Fri Mar 12 14:53:44 2004
> *nat
> :PREROUTING ACCEPT [342:36496]
> :POSTROUTING ACCEPT [42:3408]
> :OUTPUT ACCEPT [66:5557]
> -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
> -A PREROUTING -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
> -A PREROUTING -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
> -A PREROUTING -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.200.2:25
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Fri Mar 12 14:53:44 2004
> # Generated by iptables-save v1.2.6a on Fri Mar 12 14:53:44 2004
> *filter
> :INPUT DROP [83:8337]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :spoofing - [0:0]
> :syn_flood - [0:0]
> :tcp_segmenty - [0:0]
> :udp_pakety - [0:0]
> -A INPUT -i eth0 -p tcp -j tcp_segmenty
> -A INPUT -i eth0 -p udp -j udp_pakety
> -A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
> -A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A INPUT -i eth1 -j ACCEPT
> -A INPUT -i eth2 -j ACCEPT
> -A INPUT -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
> -A INPUT -i eth0 -j spoofing
> -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn_flood
> -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
> -A INPUT -s 80.95.96.7 -i eth0 -j ACCEPT
> -A INPUT -i eth1 -j ACCEPT
> -A INPUT -i eth2 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A FORWARD -i eth1 -j ACCEPT
> -A FORWARD -i eth2 -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -j ACCEPT
> -A FORWARD -i eth0 -j spoofing
> -A FORWARD -d 192.168.200.2 -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -s 127.0.0.1 -j ACCEPT
> -A OUTPUT -s 192.168.0.1 -j ACCEPT
> -A OUTPUT -s 192.168.200.1 -j ACCEPT
> -A OUTPUT -s 82.142.67.253 -j ACCEPT
> -A spoofing -s 192.168.0.0/255.255.0.0 -j DROP
> -A spoofing -s 172.16.0.0/255.240.0.0 -j DROP
> -A spoofing -s 10.0.0.0/255.0.0.0 -j DROP
> -A syn_flood -m limit --limit 1/sec -j RETURN
> -A syn_flood -j DROP
> -A tcp_segmenty -p tcp -m tcp --dport 25 -j ACCEPT
> -A tcp_segmenty -p tcp -m tcp --dport 80 -j ACCEPT
> -A udp_pakety -p udp -m udp --dport 53 -j ACCEPT
> COMMIT
> # Completed on Fri Mar 12 14:53:44 2004
>
> Thanks in advance,
> Stanislav Puffler.
Couldn't it be a problem that I don't have any modules in the kernel to
forward these packets or make masquerade? Is it possible to install
iptables if I haven't got any modules or functions compiled in the kernel?
Thanks a lot. Stanley
* Re: still can't FORWARD tcp on 25 port to another destination...
From: Antony Stone @ 2004-03-12 17:13 UTC (permalink / raw)
To: Netfilter Mailing List
On Friday 12 March 2004 4:54 pm, Stanislav Puffler DiS. wrote:
> Stanislav Puffler DiS. wrote:
> Could it be a problem that I don't have any modules in the kernel to
> forward these packets or make masquerade? Is it possible to install
> iptables if I haven't got any modules or functions compiled in the kernel?
This could be your problem, yes.
In order to do nat, you *must* have nat support either compiled in or loaded
as a module - otherwise your netfilter setup just can't do it.
Do you get any errors when you enter the nat rules?
Antony.
--
You can spend the whole of your life trying to be popular,
but at the end of the day the size of the crowd at your funeral
will be largely dictated by the weather.
- Frank Skinner
Please reply to the list;
please don't CC me.
* Re: still can't FORWARD tcp on 25 port to another destination...
From: Stanislav Puffler DiS. @ 2004-03-12 17:34 UTC (permalink / raw)
To: Netfilter Mailing List
Antony Stone wrote:
> On Friday 12 March 2004 4:54 pm, Stanislav Puffler DiS. wrote:
>> Stanislav Puffler DiS. wrote:
>> Could it be a problem that I don't have any modules in the kernel to
>> forward these packets or make masquerade? Is it possible to install
>> iptables if I haven't got any modules or functions compiled in the kernel?
>
> This could be your problem, yes.
>
> In order to do nat, you *must* have nat support either compiled in or loaded
> as a module - otherwise your netfilter setup just can't do it.
>
> Do you get any errors when you enter the nat rules?
>
> Antony.
The problem is that I don't get any errors when entering the nat rules
:o( Don't know where it is ...
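The thread ends without a resolution. As an added example (my own, not code from any poster), here is a small POSIX shell helper that checks an iptables-save dump for the two rules a DNAT port-forward of TCP/25 needs (the PREROUTING DNAT and the FORWARD ACCEPT), then reports the host-level facts a dump cannot show: whether ip_forward is on and whether the nat table is registered, which is what Antony's question is really about. The ruleset posted above already passes the static check, which points at those host-level causes, or at the internal host's return route through the firewall, rather than at the rules themselves. The sample rules are constructed from the thread, and the /proc paths are assumptions about a Linux firewall.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Static checks on an
# iptables-save dump, then host checks. /proc paths are assumptions (Linux).

# Constructed sample, modelled on the ruleset posted in the thread.
SAMPLE_RULES='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.200.2:25
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.200.2 -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# rule_present RULES REGEX: 0 if some line of the dump matches REGEX.
rule_present() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# check_dnat_rules RULES DEST PORT: 0 when the dump carries a PREROUTING DNAT
# to DEST:PORT and a FORWARD ACCEPT for DEST port PORT; otherwise prints each
# missing piece and returns 1. Newer iptables prints "-d DEST/32", older "-d DEST".
check_dnat_rules() {
    rules=$1; dest=$2; port=$3; rc=0
    rule_present "$rules" "^-A PREROUTING .*--dport $port .*-j DNAT --to-destination $dest(:$port)?\$" \
        || { echo "missing: nat PREROUTING DNAT --dport $port -> $dest"; rc=1; }
    rule_present "$rules" "^-A FORWARD .*-d $dest(/32)? .*--dport $port .*-j ACCEPT\$" \
        || { echo "missing: filter FORWARD ACCEPT to $dest port $port"; rc=1; }
    return $rc
}

# host_checks: what no dump can show; run it on the firewall itself.
# To see whether packets ever hit the DNAT rule, also look at the counters
# from: iptables -t nat -L PREROUTING -v -n  (needs root; not called here).
host_checks() {
    [ -r /proc/sys/net/ipv4/ip_forward ] || { echo "no /proc/sys: host checks skipped"; return 0; }
    echo "ip_forward = $(cat /proc/sys/net/ipv4/ip_forward)   (must be 1, else nothing is forwarded)"
    if [ -r /proc/net/ip_tables_names ] && grep -qx nat /proc/net/ip_tables_names; then
        echo "nat table: registered"
    else
        echo "nat table: NOT registered (nat support not compiled in or not loaded)"
    fi
    return 0
}

check_dnat_rules "$SAMPLE_RULES" 192.168.200.2 25 && echo "rules OK: look at the host checks"
host_checks
```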