* How to Forward a port (DNAT) ?
@ 2004-07-10 21:39 Frédéric Gonzatti
From: Frédéric Gonzatti @ 2004-07-10 21:39 UTC (permalink / raw)
  To: netfilter

Hi all,

Currently I'm using a router which forwards some ports to my DMZ 
(25, 110, etc.). My firewall just allows some ports to pass or not.
In a few days my firewall (iptables 1.2.9), which currently has a private 
IP (192.168.3.1), will have a public IP.
So my firewall will have to replace my router and forward ports 25 
and 110 to my DMZ.
To test I've done this (this configuration is not connected to the 
internet):

                          62.160.1.2  eth2 (WAN, firewall)
                                      |
192.168.2.151 ----------- 192.168.2.1  eth1 (DMZ, firewall)
(with port 25 open)                   |
                                      |
                          172.16.2.1  eth0 (LAN, firewall)
I've configured a computer with IP 62.160.1.3 (to simulate an internet 
connection).
I try to telnet 62.160.1.2 25 from this computer, but it doesn't work.
If I telnet to the public IP of my firewall (port 25), I should see 
the sendmail on my 192.168.2.151 server.

My iptables rules are :
##########################################
iptables -F
iptables -X

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 25 -i eth2 -j DNAT --to 192.168.2.151:25

#################################################

It's a very simple test, but unfortunately it doesn't work.

Thanks for your help

Frederic

* Re: How to Forward a port (DNAT) ?
@ 2004-07-10 21:54 ` Antony Stone
From: Antony Stone @ 2004-07-10 21:54 UTC (permalink / raw)
  To: netfilter

On Saturday 10 July 2004 10:39 pm, Frédéric Gonzatti wrote:

> My iptables rules are :
> ##########################################
> iptables -F
> iptables -X
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> iptables -t filter -A INPUT -i lo -j ACCEPT
> iptables -t filter -A OUTPUT -o lo -j ACCEPT
>
> iptables -t nat -A PREROUTING -p tcp --dport 25 -i eth2 -j DNAT --to 192.168.2.151:25
>
> #################################################
>
> It's a very simple test. But unfortunately it doesn't work.

You need a FORWARD rule to allow the packets through the firewall after being 
DNATted - you also need to allow the reply packets.

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -d 192.168.2.151 -j ACCEPT

I recommend Oskar Andreasson's tutorial http://iptables-tutorial.frozentux.net 
to you.

Regards,

Antony.

-- 
The lottery is a tax for people who can't do maths.

                                                     Please reply to the list;
                                                           please don't CC me.
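How the packets travel through the two rulesets in this thread, as an added example (not code from the thread or from the netfilter project): a toy Python model of nat PREROUTING, the FORWARD chain with its DROP policy, and conntrack state, using the thread's addresses and interfaces. It simplifies conntrack (a flow is recorded only once FORWARD has accepted it) and ignores routing and the INPUT/OUTPUT chains.

```python
from collections import namedtuple

# A packet as it arrives: input interface plus the TCP 4-tuple (constructed sample data below).
Packet = namedtuple("Packet", "in_if src sport dst dport")

class Firewall:
    """Toy netfilter path: nat PREROUTING (DNAT) -> filter FORWARD (policy DROP), plus conntrack."""
    def __init__(self):
        self.dnat = {}           # (in_if, dport) -> (ip, port)
        self.forward_rules = []  # (match(pkt, state) -> bool, verdict), evaluated in order
        self.conntrack = set()   # post-DNAT (src, sport, dst, dport) tuples of accepted flows

    def prerouting(self, pkt):
        """-t nat PREROUTING: rewrite the destination when a DNAT rule matches."""
        target = self.dnat.get((pkt.in_if, pkt.dport))
        if target is None:
            return pkt
        return pkt._replace(dst=target[0], dport=target[1])

    def route(self, pkt):
        """One forwarded packet: returns (FORWARD verdict, packet as FORWARD saw it)."""
        pkt = self.prerouting(pkt)
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = "ESTABLISHED" if flow in self.conntrack or reverse in self.conntrack else "NEW"
        verdict = "DROP"  # iptables -P FORWARD DROP: applies when no rule matches
        for match, rule_verdict in self.forward_rules:  # first matching rule wins
            if match(pkt, state):
                verdict = rule_verdict
                break
        if verdict == "ACCEPT":
            self.conntrack.add(flow)
        return verdict, pkt

def ruleset(forward_rule=False, established_rule=False):
    """Frederic's DNAT-only script, optionally with Antony's two FORWARD rules."""
    fw = Firewall()
    fw.dnat[("eth2", 25)] = ("192.168.2.151", 25)  # -t nat -A PREROUTING -p tcp --dport 25 -i eth2 -j DNAT
    if established_rule:  # -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        fw.forward_rules.append((lambda p, s: s == "ESTABLISHED", "ACCEPT"))
    if forward_rule:  # -A FORWARD -p tcp --dport 25 -d 192.168.2.151 -j ACCEPT
        fw.forward_rules.append((lambda p, s: p.dport == 25 and p.dst == "192.168.2.151", "ACCEPT"))
    return fw

def smtp_handshake(fw):
    """SYN from the test host 62.160.1.3 to the public IP, then the server's SYN/ACK back."""
    syn = Packet("eth2", "62.160.1.3", 40000, "62.160.1.2", 25)
    v_in, dnatted = fw.route(syn)
    syn_ack = Packet("eth1", dnatted.dst, dnatted.dport, syn.src, syn.sport)
    v_out, _ = fw.route(syn_ack)
    return v_in, v_out
```

With only the `-d 192.168.2.151 --dport 25` rule the SYN gets through but the SYN/ACK (destination port 40000) hits the DROP policy, which is why the ESTABLISHED,RELATED rule is needed as well.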

* Re: How to Forward a port (DNAT) ?
@ 2004-07-10 22:02   ` Frédéric Gonzatti
From: Frédéric Gonzatti @ 2004-07-10 22:02 UTC (permalink / raw)
  To: netfilter

Antony Stone wrote:

>On Saturday 10 July 2004 10:39 pm, Frédéric Gonzatti wrote:
>
>>My iptables rules are :
>>##########################################
>>iptables -F
>>iptables -X
>>
>>echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>>iptables -P INPUT DROP
>>iptables -P FORWARD DROP
>>iptables -P OUTPUT DROP
>>
>>iptables -t filter -A INPUT -i lo -j ACCEPT
>>iptables -t filter -A OUTPUT -o lo -j ACCEPT
>>
>>iptables -t nat -A PREROUTING -p tcp --dport 25 -i eth2 -j DNAT --to 192.168.2.151:25
>>
>>#################################################
>>
>>It's a very simple test. But unfortunately it doesn't work.
>
>You need a FORWARD rule to allow the packets through the firewall after being 
>DNATted - you also need to allow the reply packets.
>
>iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>iptables -A FORWARD -p tcp --dport 25 -d 192.168.2.151 -j ACCEPT
>
>I recommend Oskar Andreasson's tutorial http://iptables-tutorial.frozentux.net 
>to you.
>
>Regards,
>
>Antony.
>
>
Thanks Antony, I will try this.

Frederic