* proxy+port redirection behaviour
From: Metal Gear @ 2005-04-21 10:36 UTC
To: netfilter
Hi all,

1) Dedicated Firewall
2) Server
3) Clients

It is a switched network and the 'Server' has only one interface card
connected to the switch. The 'Server' can only access the internet, as I have
specially blocked the clients on the 'Dedicated Firewall'. Now what I want
is that:

1) When clients connect to the SMTP port of the 'Server' they are redirected
to another SMTP server on the internet. One more thing: my 'Server' is
not listening on port 25; I just want to have the behaviour of a port redirector,
redirecting connections destined to the 'Server' on port 25 to a specific
server on the internet.

2) Now in this case I wanted to have the behaviour of a proxy server. Whenever a
client connects to any FTP (or any other service) server on the internet,
it is silently proxied through the 'Server', as only the 'Server' can access the
internet.

My clients' gateway is set to 'Server'.

Is that possible to achieve through iptables? If yes, can someone give me a
direction or an iptables script on how to accomplish that.

Thanks...
* Re: proxy+port redirection behaviour
From: Taylor Grant @ 2005-04-21 15:02 UTC
To: Metal Gear; +Cc: netfilter
Metal Gear wrote:
> Hi all,
>
> 1) Dedicated Firewall
> 2) Server
> 3) Clients
>
> It is a switched network and the 'Server' has only one interface card
> connected to the switch. The 'Server' can only access the internet, as I have
> specially blocked the clients on the 'Dedicated Firewall'. Now what I want
> is that:
>
> 1) When clients connect to the SMTP port of the 'Server' they are redirected
> to another SMTP server on the internet. One more thing: my 'Server' is
> not listening on port 25; I just want to have the behaviour of a port redirector,
> redirecting connections destined to the 'Server' on port 25 to a specific
> server on the internet.
>
> 2) Now in this case I wanted to have the behaviour of a proxy server. Whenever a
> client connects to any FTP (or any other service) server on the internet,
> it is silently proxied through the 'Server', as only the 'Server' can access the
> internet.
>
> My clients' gateway is set to 'Server'.
>
> Is that possible to achieve through iptables? If yes, can someone give me a
> direction or an iptables script on how to accomplish that.
>
> Thanks...
I don't know how much of a proxy this set up will behave like, but I think it can be made to work. Basically you need a couple of rules in your iptables nat table in the PREROUTING and POSTROUTING chains.

iptables -t nat -A PREROUTING -s $LAN_IP_Subnet -d $Server_LAN_IP -p tcp --dport 25 -j DNAT --to-destination $SMTP_Server_on_INet:$SMTP_Port
iptables -t nat -A POSTROUTING -s $LAN_IP_Subnet -d $SMTP_Server_on_INet -p tcp --dport $SMTP_Port -j SNAT --to-source $INet_Address_of_LAN_Server

Where:

$LAN_IP_Subnet is the IP subnet in use on your LAN.
$Server_LAN_IP is the IP address of your server / firewall / router in use on your LAN.
$SMTP_Server_on_INet is the IP address of the SMTP server on the INet that you want to use.
$SMTP_Port is the port that $SMTP_Server_on_INet is listening on. Note: this is normally 25, but RFCs have defined that client MUAs sending email to servers are supposed to use port 587 now, as 25 is reserved for SMTP server to SMTP server communications. However this is not done as often as they would like, so both 25 and 587 will work.
$INet_Address_of_LAN_Server is the INet address that your server / firewall / router uses to connect to the internet.
Grant. . . .
* Fwd: proxy+port redirection behaviour
From: Metal Gear @ 2005-04-28 9:12 UTC
To: netfilter
Hi,

> I (for some unknown reason) was thinking that the firewall that your clients
> used was a Linux box which had a 2nd hardware firewall connecting it to the
> net. As such I did not take into account that the host that you would be
> running this rule on might not already be set up to forward traffic.

My clients' gateway is set to the squid proxy and the squid proxy's gateway is
set to the firewall. I want to run the rules on my squid box and there are
no other rules on it, except the ones that I sent in my previous mail.

> As such, do you have any other firewall rules set up or policies on chains
> set to DROP traffic? Also you will need to make sure that
> /proc/sys/net/ipv4/ip_forward is set to 1, thus configuring your server to
> forward traffic. You will have to forward traffic as traffic is coming into
> your server and then being redirected / forwarded to another server. This
> could possibly explain the "filtering" that nmap is reporting, as I'm not
> sure what type of error will be generated by trying to forward and then
> being DROPed. I expect that the traffic will just look like there is
> something in the way, not a reject or no route to host or anything like
> that.

Yes, no extra DROP rules. My squid box has only one interface, so is there any
need of enabling forwarding on it?? Anyway I enabled forwarding but still
it does not work.

Thanks
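Added example, not code from this thread or from either poster: a POSIX sh script that renders Grant's DNAT/SNAT pair from his first reply together with a matching FORWARD accept, validates the placeholder values, and checks /proc/sys/net/ipv4/ip_forward as discussed in the forwarded message above. The addresses, the variable defaults and the script name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): renders and optionally applies the SMTP
# redirect from Grant's reply plus the forwarding check from the follow-up.
# All values below are constructed placeholders; override them in the environment.
LAN_IP_Subnet="${LAN_IP_Subnet:-192.168.1.0/24}"
Server_LAN_IP="${Server_LAN_IP:-192.168.1.10}"
SMTP_Server_on_INet="${SMTP_Server_on_INet:-203.0.113.25}"
SMTP_Port="${SMTP_Port:-25}"
# Replies must come back to this host so conntrack can undo the DNAT; on the
# single-interface box in the thread that is simply its own LAN address.
INet_Address_of_LAN_Server="${INet_Address_of_LAN_Server:-$Server_LAN_IP}"
IPT="${IPT:-iptables}"

valid_ipv4() {  # dotted quad, each octet 0-255, no prefix length
  printf '%s\n' "$1" | grep -Eq \
    '^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$'
}

check_vars() {  # returns 0 when every address and the port are well formed
  rc=0
  for v in Server_LAN_IP SMTP_Server_on_INet INet_Address_of_LAN_Server; do
    eval "val=\$$v"
    valid_ipv4 "$val" || { echo "$v is not an IPv4 address: '$val'" >&2; rc=1; }
  done
  valid_ipv4 "${LAN_IP_Subnet%/*}" || { echo "bad LAN_IP_Subnet" >&2; rc=1; }
  printf '%s\n' "$SMTP_Port" | grep -Eq '^[0-9]{1,5}$' && [ "$SMTP_Port" -ge 1 ] \
    && [ "$SMTP_Port" -le 65535 ] || { echo "bad SMTP_Port" >&2; rc=1; }
  return $rc
}

forwarding_enabled() {  # $1 overrides the sysctl file (lets tests run offline)
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

smtp_redirect_rules() {  # one iptables command per line; nothing is executed here
  cat <<EOF
$IPT -t nat -A PREROUTING -s $LAN_IP_Subnet -d $Server_LAN_IP -p tcp --dport 25 -j DNAT --to-destination $SMTP_Server_on_INet:$SMTP_Port
$IPT -t nat -A POSTROUTING -s $LAN_IP_Subnet -d $SMTP_Server_on_INet -p tcp --dport $SMTP_Port -j SNAT --to-source $INet_Address_of_LAN_Server
$IPT -A FORWARD -s $LAN_IP_Subnet -d $SMTP_Server_on_INet -p tcp --dport $SMTP_Port -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -s $SMTP_Server_on_INet -d $LAN_IP_Subnet -p tcp --sport $SMTP_Port -m state --state ESTABLISHED -j ACCEPT
EOF
}

# "sh smtp-redirect.sh apply" runs the rules after the checks; anything else prints them.
if [ "${1:-}" = apply ]; then
  check_vars || exit 1
  forwarding_enabled || { echo "net.ipv4.ip_forward is 0; enable it first" >&2; exit 1; }
  smtp_redirect_rules | sh -e
else
  smtp_redirect_rules
fi
```

The FORWARD lines only matter when that chain's policy is DROP; with the empty ruleset described in the thread they are no-ops, but they keep the hole limited to this one flow.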
* Re: Fwd: proxy+port redirection behaviour
From: Taylor, Grant @ 2005-04-28 17:11 UTC
To: Metal Gear; +Cc: netfilter
> My clients' gateway is set to the squid proxy and the squid proxy's gateway is
> set to the firewall. I want to run the rules on my squid box and there are
> no other rules on it, except the ones that I sent in my previous mail.

*nod*

> Yes, no extra DROP rules. My squid box has only one interface, so is there any
> need of enabling forwarding on it?? Anyway I enabled forwarding but still
> it does not work.
Pardon while I scratch my head and think about this one. Is there any way that I could get the output from iptables-save to look at? What happens when you do try to telnet to port 25 on your server?
Grant. . . .