From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Riccardo (SCASI)"
Date: Tue, 25 Sep 2007 08:54:45 +0000
Subject: Re: [LARTC] DNAT PREROUTING issue with IPTABLES
Message-Id: <46F8CCD5.2080406@scasinet.com>
List-Id:
References: <7ed6b0aa0709242228u211036fdoa33ffa47519ecb2e@mail.gmail.com>
In-Reply-To: <7ed6b0aa0709242228u211036fdoa33ffa47519ecb2e@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Indunil Jayasooriya wrote:
>
> Hi,
>
> I have a DNAT ISSUE with PREROUTING.
>
> This is my setup.
>
> I have 2 firewalls running iptables.
>
> Pls assume 1.2.3.4/29 is the internet interface of the
> FIRST firewall.
> 2.3.4.5/29 is the internet interface of the SECOND
> firewall. It has a DMZ zone. In that DMZ zone, a mail server is running @
> 192.168.100.3
>
> Now I want to DNAT port 25 of the FIRST firewall ( i.e. its ip address -
> 1.2.3.4/29 ) to the internet ip address ( 2.3.4.5/29
> ) of the SECOND firewall. That firewall DNATs port 25 to the
> mail server @ 192.168.100.3 in the DMZ zone.
>
> These are the rules I have added.
>
> FIRST firewall (its internet ip address - 1.2.3.4/29
> ) I have added the rule below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
>
> That should forward port 25 to the SECOND firewall. In the SECOND firewall, I
> have added the 2 rules below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
>
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
>
> Now, it should forward port 25 to the mail server @ DMZ zone.
>
> I think I have added these rules properly. But, it does not work.
>
> I checked from the outside world. I telneted to port 25 of the first firewall.
> Then, it should forward to the mail server @ DMZ zone.
> But, no response.
>
> WHY is that?
>
> YOUR IDEAS?

May it be a problem of SNAT?
I try to explain my guess:

FW1: firewall at 1.2.3.4
FW2: firewall at 2.3.4.5
SRV: mail server at 192.168.100.3

I telnet FW1 on port 25 from a PC with ip address 4.5.6.7.
FW1 forwards the connection to FW2.
FW2 forwards the connection to SRV.
SRV now receives packets from 4.5.6.7 and sends packets back to that address.

I think that the connection shall fail if those packets on their way to 4.5.6.7 get 'snat-ted' to an address different from 1.2.3.4.

Apologies for my poor English!

> --
> Thank you
> Indunil Jayasooriya

You're welcome

Riccardo Penco

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
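The asymmetric return path Riccardo describes can be traced with a small model of the two NAT boxes; this is an added example written for this page, not code from the thread. It assumes FW2 reaches the Internet without passing through FW1, and that each box un-NATs a reply only if it holds conntrack state for that flow.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str


class Firewall:
    """One iptables box: PREROUTING DNAT, optional POSTROUTING SNAT, and a
    conntrack table so a reply is un-NATted only if it comes back through here."""

    def __init__(self, dnat, snat=None):
        self.dnat = dnat          # public address -> where it is DNATted
        self.snat = snat          # source to rewrite forwarded packets to, or None
        self.conntrack = {}       # (src, dst) after NAT -> (src, dst) before NAT

    def forward(self, p):
        after = Pkt(self.snat or p.src, self.dnat.get(p.dst, p.dst))
        self.conntrack[(after.src, after.dst)] = (p.src, p.dst)
        return after

    def reply(self, p):
        orig = self.conntrack.get((p.dst, p.src))  # a reply is the reverse tuple
        if orig is None:
            return p                                # no state here: left untouched
        return Pkt(orig[1], orig[0])


def run(fw1_snat=None):
    """Return (packet as SRV sees it, SYN-ACK as the client sees it)."""
    fw1 = Firewall({"1.2.3.4": "2.3.4.5"}, snat=fw1_snat)      # FW1 rule from the post
    fw2 = Firewall({"2.3.4.5": "192.168.100.3"})               # FW2 rule from the post
    syn = Pkt("4.5.6.7", "1.2.3.4")                            # constructed client, as in the reply
    at_srv = fw2.forward(fw1.forward(syn))
    # SRV answers whatever source it saw; FW2 is its only way out, and FW2's
    # route to the Internet does not pass through FW1 (assumption).
    synack = fw2.reply(Pkt(at_srv.dst, at_srv.src))
    if synack.dst == "1.2.3.4":       # only then does the reply cross FW1 again
        synack = fw1.reply(synack)
    return at_srv, synack


def handshake_ok(fw1_snat=None):
    """The client accepts the SYN-ACK only if it comes from the address it dialled."""
    _, synack = run(fw1_snat)
    return synack.src == "1.2.3.4" and synack.dst == "4.5.6.7"
```

With no SNAT on FW1 the client dials 1.2.3.4 but the SYN-ACK arrives from 2.3.4.5, so its TCP stack discards it; SNATting the forwarded flow to 1.2.3.4 on FW1 brings the reply back through FW1 at the cost of SRV logging 1.2.3.4 instead of the real client address.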