From: "Riccardo (SCASI)" <r.penco@scasinet.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] DNAT PREROUTING issue with IPTABLES
Date: Tue, 25 Sep 2007 08:54:45 +0000
Message-ID: <46F8CCD5.2080406@scasinet.com>
In-Reply-To: <7ed6b0aa0709242228u211036fdoa33ffa47519ecb2e@mail.gmail.com>
Indunil Jayasooriya wrote:
>
> Hi,
>
> I have a DNAT issue with PREROUTING.
>
> This is my setup.
>
> I have 2 firewalls running iptables.
>
> Please assume 1.2.3.4/29 is the internet interface of the
> FIRST firewall.
> 2.3.4.5/29 is the internet interface of the SECOND
> firewall. It has a DMZ zone. In that DMZ zone, a mail server is running @
> 192.168.100.3
>
> Now I want to DNAT port 25 of the FIRST firewall ( i.e. - its ip address -
> 1.2.3.4/29 ) to the internet ip address ( 2.3.4.5/29
> ) of the SECOND firewall. That firewall DNATs port 25 to the
> mail server @ 192.168.100.3 in the DMZ zone.
>
> These are rules I have added.
>
> FIRST firewall (its internet ip address - 1.2.3.4/29
> ) I have added the rule below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
>
> That should forward port 25 to the SECOND firewall. In the SECOND firewall, I
> have added the 2 rules below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
>
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
>
> Now, it should forward port 25 to the mail server @ DMZ zone.
>
> I think I have added these rules properly. But it does not work.
>
> I checked from the outside world. I telneted to port 25 of the first firewall.
> Then it should forward to the mail server @ DMZ zone.
> But no response.
>
> WHY is that?
>
> YOUR IDEAS?
>
May it be a problem of SNAT?
I try to explain my guess:
FW1: firewall at 1.2.3.4
FW2: firewall at 2.3.4.5
SRV: mail server at 192.168.100.3
I telnet FW1 on port 25 from a PC with ip address 4.5.6.7.
FW1 forwards the connection to FW2.
FW2 forwards the connection to SRV.
SRV now receives packets from 4.5.6.7 and sends packets back to that address.
I think that the connection shall fail if those packets on their way to
4.5.6.7 get 'snat-ted' to an address different from 1.2.3.4.
Apologies for my poor English!
> --
> Thank you
> Indunil Jayasooriya
You're welcome
Riccardo Penco
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
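The reply above reasons about where the mail server's answer goes. The following is an added example, not code from either poster, that models the two PREROUTING DNAT rules plus conntrack's reverse translation and traces one SYN/SYN-ACK exchange through FW1, FW2 and SRV. It uses the addresses from the thread; the client address 4.5.6.7 (Riccardo's example) and the source port 40000 are constructed sample values. Without SNAT on FW1, SRV answers 4.5.6.7 directly, FW2 reverse-DNATs the source to 2.3.4.5, and the client's TCP stack discards a SYN-ACK that did not come from the 1.2.3.4:25 it connected to. With FW1 also SNATing the forwarded flow to 1.2.3.4, the reply is routed back through FW1, which undoes both translations.

```python
# Added example (not from the thread): a tiny model of the two-firewall
# double-DNAT path, showing why the reply from the mail server never reaches
# the client unless FW1 also SNATs the forwarded connection to 1.2.3.4.
# Addresses are the ones used in the thread; the client IP 4.5.6.7 and the
# source port 40000 are constructed sample values.
from dataclasses import dataclass, replace

CLIENT = "4.5.6.7"
FW1_IP = "1.2.3.4"
FW2_IP = "2.3.4.5"
SRV_IP = "192.168.100.3"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    """Minimal nat-table model: PREROUTING DNAT, optional POSTROUTING SNAT,
    and a conntrack map so replies get the reverse translation."""

    def __init__(self, name, dnat, snat=None):
        self.name = name
        self.dnat = dnat          # {(dst_ip, dport): (new_ip, new_port)}
        self.snat = snat          # new source IP, or None for no SNAT
        self.conntrack = {}       # expected reply 4-tuple -> original (pre-NAT) packet

    def forward(self, pkt):
        """Forward direction (first packet of a new connection)."""
        orig = pkt
        if (pkt.dst, pkt.dport) in self.dnat:
            ndst, ndport = self.dnat[(pkt.dst, pkt.dport)]
            pkt = replace(pkt, dst=ndst, dport=ndport)      # PREROUTING DNAT
        if self.snat:
            pkt = replace(pkt, src=self.snat)               # POSTROUTING SNAT
        # A reply to the translated packet arrives with src/dst swapped.
        self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return pkt

    def reply(self, pkt):
        """Reply direction: undo the translation if conntrack knows the flow."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return pkt  # unknown flow: passes untouched (if FORWARD allows it)
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def simulate(snat_on_fw1):
    """Run one SYN/SYN-ACK exchange; return (reply as seen by the client, accepted)."""
    fw1 = Firewall("FW1", {(FW1_IP, 25): (FW2_IP, 25)},
                   snat=FW1_IP if snat_on_fw1 else None)
    fw2 = Firewall("FW2", {(FW2_IP, 25): (SRV_IP, 25)})

    syn = Packet(CLIENT, 40000, FW1_IP, 25)
    at_fw2 = fw1.forward(syn)        # FW1 DNATs (and maybe SNATs) toward FW2
    at_srv = fw2.forward(at_fw2)     # FW2 DNATs toward the DMZ mail server

    # SRV answers whatever source address it saw in the SYN.
    synack = Packet(at_srv.dst, at_srv.dport, at_srv.src, at_srv.sport)
    out = fw2.reply(synack)          # FW2 is SRV's gateway: reverse DNAT, src becomes 2.3.4.5

    # Internet routing: only packets addressed to 1.2.3.4 pass back through FW1.
    if out.dst == FW1_IP:
        out = fw1.reply(out)

    # The client's TCP stack only matches a reply whose 4-tuple mirrors its SYN.
    accepted = (out.src, out.sport, out.dst, out.dport) == (syn.dst, syn.dport, syn.src, syn.sport)
    return out, accepted


if __name__ == "__main__":
    for snat in (False, True):
        pkt, ok = simulate(snat)
        print(f"FW1 SNAT={snat}: client sees reply from {pkt.src}:{pkt.sport}, accepted={ok}")
```

On a real FW1 the SNAT half of the fix is a POSTROUTING rule of the form `iptables -t nat -A POSTROUTING -o eth0 -p tcp -d 2.3.4.5 --dport 25 -j SNAT --to-source 1.2.3.4` (the interface name is assumed to be eth0 as in the thread), and FW1 also needs a FORWARD rule accepting the DNATed flow, just as FW2 has. The operational caveat is that SRV then logs every connection as coming from 1.2.3.4, so the real client address is lost to the mail server's logging and any IP-based anti-spam checks.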