* Forward a port ??!!
@ 2004-07-20 19:47 Frédéric Gonzatti
From: Frédéric Gonzatti @ 2004-07-20 19:47 UTC (permalink / raw)
To: netfilter
Hi all,
I've got a firewall with three cards: eth0 (LAN), eth1 (DMZ) and eth2
(WAN).
I'm trying to test port forwarding with iptables but it doesn't work!
eth0: 172.168.2.1 (I'm not using this card now)
eth1: 192.168.2.1/255.255.255.0
eth2: 192.168.3.1/255.255.255.0
On the DMZ I've put a computer (192.168.2.151/255.255.255.0) with sendmail.
When I'm on this computer a telnet localhost 25 is working fine.
I've connected a computer on eth2 with ip 192.168.3.2/255.255.255.0
I would like to access the computer with sendmail when I do a
telnet 192.168.3.1, but I get a timeout.
My iptables script is:
#!/bin/sh
# Enable routing between the interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ip_tables
modprobe ip_nat_ftp
modprobe iptable_filter
modprobe iptable_nat
# Flush all rules and delete user-defined chains
iptables -F
iptables -X
# Chain that logs a packet and then accepts it
iptables -N LOG_ACCEPT
iptables -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
iptables -A LOG_ACCEPT -j ACCEPT
# Default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
# Loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Redirect port 25 on the WAN address to the sendmail host in the DMZ
iptables -t nat -A PREROUTING -d 192.168.3.1 -p tcp --dport 25 -j DNAT --to-destination 192.168.2.151:25
# Allow the forwarded SMTP traffic WAN -> DMZ and its replies DMZ -> WAN
iptables -A FORWARD -i eth2 -o eth1 -p tcp --destination-port 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth2 -i eth1 -p tcp --source-port 25 -m state --state ESTABLISHED -j ACCEPT
# Drop everything else
iptables -A FORWARD -j DROP
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
What is wrong with this script?
Thanks
Frederic
* Re: Forward a port ??!!
From: Antony Stone @ 2004-07-20 20:55 UTC (permalink / raw)
To: netfilter
On Tuesday 20 July 2004 8:47 pm, Frédéric Gonzatti wrote:
> Hi all,
>
> I've got a firewall with three cards: eth0 (LAN), eth1 (DMZ) and eth2
> (WAN).
> I'm trying to test port forwarding with iptables but it doesn't work!
> eth0: 172.168.2.1 (I'm not using this card now)
> eth1: 192.168.2.1/255.255.255.0
> eth2: 192.168.3.1/255.255.255.0
>
> On the DMZ I've put a computer (192.168.2.151/255.255.255.0) with sendmail.
> When I'm on this computer a telnet localhost 25 is working fine.
> I've connected a computer on eth2 with ip 192.168.3.2/255.255.255.0
> I would like to access the computer with sendmail when I do a
> telnet 192.168.3.1, but I get a timeout.
> What is wrong with this script?
I see nothing obvious wrong with your script; however, what do you get for the
packet & byte counters from "iptables -L -nvx; iptables -L -t nat -nvx"?
That should tell you which rules are successfully matching packets, and which
rules are seeing none.
You might want to try LOGging packets which reach the end of the INPUT and
FORWARD chains, so you can see what's trying to get into or through the
firewall and being blocked by the default DROP policies.
Does the sendmail system try to do ident lookups on incoming connections?
Does it refuse a connection if there is no ident reply (since you do not
allow idents into, or through, your firewall)?
I think a couple of LOGging rules, or a packet sniffer on eth1, will tell you
what's going on.
Regards,
Antony.
--
Programming is a Dark Art, and it will always be. The programmer is
fighting against the two most destructive forces in the universe:
entropy and human stupidity. They're not things you can always
overcome with a "methodology" or on a schedule.
- Damian Conway, Perl God
Please reply to the list;
please don't CC me.
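Antony's counter check, as an added example that is not part of the thread or of any project: a small Python parser for `iptables -L -nvx` output that lists the rules which have matched no packets. The sample output is constructed for illustration (its FORWARD rules mirror the script in the question); its counters show SYNs to port 25 crossing eth2 -> eth1 while nothing ever hits the return rule, which is the pattern a timeout like this one produces when the DMZ host's replies never come back through the firewall.

```python
import re

# Constructed sample of "iptables -L -nvx" output (not from the thread). The
# FORWARD rules mirror the script above; the counters were chosen to show SYNs
# to port 25 crossing eth2 -> eth1 while nothing returns from the DMZ host.
SAMPLE_COUNTERS = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12      840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       3      180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       6      360 ACCEPT     tcp  --  eth2   eth1    0.0.0.0/0            0.0.0.0/0            tcp dpt:25 state NEW,ESTABLISHED
       0        0 ACCEPT     tcp  --  eth1   eth2    0.0.0.0/0            0.0.0.0/0            tcp spt:25 state ESTABLISHED
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

BUILTIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
USER_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")
# pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
FIELDS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst", "match")

def parse_counters(text):
    """Return {chain: {"policy": (target, pkts) or None for user chains, "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = BUILTIN_RE.match(line) or USER_RE.match(line)
        if m:
            current = m.group(1)
            policy = (m.group(2), int(m.group(3))) if m.re is BUILTIN_RE else None
            chains[current] = {"policy": policy, "rules": []}
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            rule = dict(zip(FIELDS, m.groups()))
            rule["pkts"], rule["bytes"] = int(rule["pkts"]), int(rule["bytes"])
            rule["match"] = rule["match"].strip()
            chains[current]["rules"].append(rule)
    return chains

def unmatched_rules(chains):
    """(chain, position, target, match) for every rule that has seen zero packets."""
    return [(name, i, r["target"], r["match"])
            for name, c in chains.items()
            for i, r in enumerate(c["rules"], 1) if r["pkts"] == 0]

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_COUNTERS
    for chain, pos, target, match in unmatched_rules(parse_counters(text)):
        print(f"{chain} rule {pos} ({target} {match}) matched no packets")
```

Saved as, say, counters.py (a name of my choosing), it reads real output with `iptables -L -nvx | python3 counters.py` and analyses the constructed sample when run with no input.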