From: "Indunil Jayasooriya"
Date: Tue, 25 Sep 2007 05:40:32 +0000
Subject: [LARTC] DNAT PREROUTING issue with IPTABLES
To: lartc@vger.kernel.org

Hi,

I have a DNAT ISSUE with PREROUTING.

This is my setup.

I have 2 firewalls running iptables.

Please assume 1.2.3.4/29 is the internet interface of the FIRST firewall.
2.3.4.5/29 is the internet interface of the SECOND firewall. It has a DMZ zone. In that DMZ zone, a mail server is running @ 192.168.100.3.

Now I want to DNAT port 25 of the FIRST firewall (i.e. its ip address - 1.2.3.4/29) to the internet ip address (2.3.4.5/29) of the SECOND firewall. That firewall DNATs port 25 to the mail server @ 192.168.100.3 in the DMZ zone.

These are the rules I have added.

FIRST firewall (its internet ip address - 1.2.3.4/29): I have added the rule below.

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25

That should forward port 25 to the SECOND firewall. In the SECOND firewall, I have added the 2 rules below.

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25

iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT

Now, it should forward port 25 to the mail server @ DMZ zone.

I think I have added these rules properly. But it does not work.

I checked from the outside world. I telneted to port 25 of the first firewall. Then it should forward to the mail server @ DMZ zone.
But no response.

WHY is that?

YOUR IDEAS?
--
Thank you
Indunil Jayasooriya
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

From: Aleksander Kamenik
Date: Tue, 25 Sep 2007 07:50:43 +0000
Subject: Re: [LARTC] DNAT PREROUTING issue with IPTABLES
To: lartc@vger.kernel.org

Indunil Jayasooriya wrote:
> FIRST firewall (its internet ip address - 1.2.3.4/29) I have added the rule below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
>
> That should forward port 25 to SECOND firewall. in SECOND firewall, I have added 2 below rules.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
>
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT

First run tcpdump* or the like on the smtp box to see that incoming packets arrive. If they don't, see if they arrive on 2.3.4.5 etc.

If they arrive at the destination see how much they go back (tcpdump on the firewall boxes).

Btw, assuming both of your firewall boxes have similar iptables rulesets, shouldn't the first one also have a -t filter -A FORWARD ... -j ACCEPT rule?

Make sure you also have the ESTABLISHED,RELATED -j ACCEPT rules.

And have you made sure that the smtp box accepts connections from anywhere? Is your MTA listening on the external interface?
* - tcpdump -i eth0 port 25

Regards,

--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@krediidiinfo.ee

Krediidiinfo AS
http://www.krediidiinfo.ee/

From: "Indunil Jayasooriya"
Date: Tue, 25 Sep 2007 08:35:40 +0000
Subject: Re: [LARTC] DNAT PREROUTING issue with IPTABLES
To: lartc@vger.kernel.org

On 9/25/07, Aleksander Kamenik wrote:
> Indunil Jayasooriya wrote:
> > FIRST firewall (its internet ip address - 1.2.3.4/29) I have added the rule below.
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
> >
> > That should forward port 25 to SECOND firewall. in SECOND firewall, I have added 2 below rules.
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
> >
> > iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
>
> First run tcpdump* or the like on the smtp box to see that incoming packets arrive. If they don't, see if they arrive on 2.3.4.5 etc.
>
> If they arrive at the destination see how much they go back (tcpdump on the firewall boxes).
>
> Btw, assuming both of your firewall boxes have similar iptables rulesets, shouldn't the first one also have a -t filter -A FORWARD ... -j ACCEPT rule?

No filter rule has been specified.

> Make sure you also have the ESTABLISHED,RELATED -j ACCEPT rules.

I have not added it to the prerouting chain. I added it just now. Forward, input and output chains have it.

> And have you made sure that the smtp box accepts connections from anywhere?

It is behind my second firewall. It is @ DMZ ZONE.
YES, it accepts connections from anywhere. Let's say, if I telnet to port 25 as below,

telnet 2.3.4.5 25

it accepts, it works.

Now what I need is that I want to telnet to the first firewall, then it will forward to the second firewall, and the second firewall will forward to the actual mail server.

> Is your MTA listening on the external interface?

eth0 is the internet ip of the firewall. eth1 is connected to the mail server.

> * - tcpdump -i eth0 port 25

--
Thank you
Indunil Jayasooriya

From: Aleksander Kamenik
Date: Tue, 25 Sep 2007 08:44:25 +0000
Subject: Re: [LARTC] DNAT PREROUTING issue with IPTABLES
To: lartc@vger.kernel.org

Indunil Jayasooriya wrote:
> I have not added it to prerouting chain. I added just now. Forward, input and output chains have it.

PREROUTING must not have it. Only the three filter chains and only if you use the state machine.

> telnet 2.3.4.5 25
>
> it accepts, It works.

OK, so DNAT at the second firewall works already. I missed that.

> Now what I need is that I want to telnet to first firewall, then, it will forward to second firewall, second firewall will forward to actual mail server.

Yes I got that.

Anyway, it's hard to guess without seeing all the rules of the first firewall. Do any other DNAT's at the first firewall work already?

Is forwarding enabled? "cat /proc/sys/net/ipv4/ip_forward" should be "1".

Oh, and by the way. I assumed your routing is in place. Is the second firewall's default route (gateway) the first firewall? You can look at it with "ip route list | grep default".

If 1.2.3.4 and 2.3.4.5 are both external IP's then it's probably the problem.
--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@krediidiinfo.ee

Krediidiinfo AS
http://www.krediidiinfo.ee/

From: "Riccardo (SCASI)"
Date: Tue, 25 Sep 2007 08:54:45 +0000
Subject: Re: [LARTC] DNAT PREROUTING issue with IPTABLES
To: lartc@vger.kernel.org

Indunil Jayasooriya wrote:
> Now I want to DNAT port 25 of FIRST firewall (i.e. its ip address - 1.2.3.4/29) to the internet ip address (2.3.4.5/29) of SECOND firewall. That firewall DNATs port 25 to mail server @ 192.168.100.3 in DMZ zone.
>
> FIRST firewall (its internet ip address - 1.2.3.4/29) I have added the rule below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
>
> That should forward port 25 to SECOND firewall. in SECOND firewall, I have added 2 below rules.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
>
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
>
> I checked from outside world. I telneted to port 25 of first firewall. Then, it should forward to mail server @ DMZ zone.
> But, no response.
>
> WHY is that?
>
> YOUR IDEAS?

May it be a problem of SNAT? I try to explain my guess:

FW1: firewall at 1.2.3.4
FW2: firewall at 2.3.4.5
SRV: mail server at 192.168.100.3

I telnet FW1 on port 25 from a PC with ip address 4.5.6.7.
FW1 forwards the connection to FW2.
FW2 forwards the connection to SRV.
SRV now receives packets from 4.5.6.7 and sends packets back to that address.

I think that the connection shall fail if those packets on their way to 4.5.6.7 get 'snat-ted' to an address different from 1.2.3.4.

Apologies for my poor English!

> --
> Thank you
> Indunil Jayasooriya

You're welcome

Riccardo Penco

From: "Indunil Jayasooriya"
Date: Tue, 25 Sep 2007 09:18:17 +0000
Subject: Re: [LARTC] DNAT PREROUTING issue with IPTABLES
To: lartc@vger.kernel.org

On 9/25/07, Aleksander Kamenik wrote:
> Indunil Jayasooriya wrote:
> > I have not added it to prerouting chain. I added just now. Forward, input and output chains have it.
>
> PREROUTING must not have it. Only the three filter chains and only if you use the state machine.

NOTED

> > telnet 2.3.4.5 25
> >
> > it accepts, It works.
>
> OK, so DNAT at the second firewall works already. I missed that.
>
> > Now what I need is that I want to telnet to first firewall, then, it will forward to second firewall, second firewall will forward to actual mail server.
>
> Yes I got that.
>
> Anyway, it's hard to guess without seeing all the rules of the first firewall. Do any other DNAT's at the first firewall work already?
>
> Is forwarding enabled? "cat /proc/sys/net/ipv4/ip_forward" should be "1".

YES

> Oh, and by the way. I assumed your routing is in place. Is the second firewall's default route (gateway) the first firewall?

Oh yeah, this is the POINT.
The SECOND firewall's default route (gateway) is NOT the FIRST firewall.
BOTH firewalls' default route (gateway) is the router given by our ISP.
I think this is the case.

> If 1.2.3.4 and 2.3.4.5 are both external IP's then it's probably the problem.

YES, this is the ip block given by our ISP. I got 8 internet ips. But they all reside in the same subnet, that is 255.255.255.248.

Hope to hear from you.

--
Thank you
Indunil Jayasooriya

From: Aleksander Kamenik
Date: Tue, 25 Sep 2007 09:48:54 +0000
Subject: Re: [LARTC] DNAT PREROUTING issue with IPTABLES
To: lartc@vger.kernel.org

Indunil Jayasooriya wrote:
> SECOND Firewall's default route (gateway) is NOT the FIRST firewall.
> BOTH firewall's default route (gateway) is the router given by our ISP.

Ok, so you understand your problem now?

Assuming the packet arrives at 1.2.3.4 from a random external ip (eg. 5.5.5.5), it is successfully dnat+rerouted to 2.3.4.5, there again dnat+rerouted to 192.168.x.x. It arrives at the smtp server and the smtp server sends a reply to the original sender 5.5.5.5. It does that via its default gateway which I assume is 2.3.4.5. 2.3.4.5 sends it via your ISP's gateway with its own address of 2.3.4.5 to 5.5.5.5.

But 5.5.5.5 sent the packet to 1.2.3.4, not 2.3.4.5, so it discards it.

And that's exactly what Riccardo said when I read his mail now.

The first problem though is that I'm not sure the dnat from 1.2.3.4 to 2.3.4.5 works, the packet would have to leave via the same interface it came. Maybe this works, I've never tried that. Make sure packets arrive on the smtp box with tcpdump.

As for the solution, one way would be to SNAT the connection at FW1, but this would cause the smtp box to see as if all the incoming connections are from 1.2.3.4 and not their real IP's (5.5.5.5).

Actually you should set up custom routing at 1.2.3.4 and not DNAT. You'd have to mark the packets and then send them to the 2.3.4.5 fw via a custom route. I'm not sure I could help you with that, never done any advanced routing.

--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@krediidiinfo.ee

Krediidiinfo AS
http://www.krediidiinfo.ee/

From: "Indunil Jayasooriya"
Date: Tue, 25 Sep 2007 10:12:20 +0000
Subject: Re: [LARTC] DNAT PREROUTING issue with IPTABLES
To: lartc@vger.kernel.org

On 9/25/07, Aleksander Kamenik wrote:
> Indunil Jayasooriya wrote:
> > SECOND Firewall's default route (gateway) is NOT the FIRST firewall.
> > BOTH firewall's default route (gateway) is the router given by our ISP.
>
> Ok, so you understand your problem now?
>
> Assuming the packet arrives at 1.2.3.4 from a random external ip (eg. 5.5.5.5), it is successfully dnat+rerouted to 2.3.4.5, there again dnat+rerouted to 192.168.x.x. It arrives at the smtp server and the smtp server sends a reply to the original sender 5.5.5.5. It does that via its default gateway which I assume is 2.3.4.5. 2.3.4.5 sends it via your ISP's gateway with its own address of 2.3.4.5 to 5.5.5.5.
>
> But 5.5.5.5 sent the packet to 1.2.3.4, not 2.3.4.5, so it discards it.

YES, I got it.

> And that's exactly what Riccardo said when I read his mail now.
>
> The first problem though is that I'm not sure the dnat from 1.2.3.4 to 2.3.4.5 works, the packet would have to leave via the same interface it came. Maybe this works, I've never tried that. Make sure packets arrive on the smtp box with tcpdump.
>
> As for the solution, one way would be to SNAT the connection at FW1, but this would cause the smtp box to see as if all the incoming connections are from 1.2.3.4 and not their real IP's (5.5.5.5).
>
> Actually you should set up custom routing at 1.2.3.4 and not DNAT. You'd have to mark the packets and then send them to the 2.3.4.5 fw via a custom route. I'm not sure I could help you with that, never done any advanced routing.

Thanks for your excellent help given so far. I will try with advanced routing.
Is it policy routing?

--
Thank you
Indunil Jayasooriya
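As an added illustration (not part of the thread), a small Python model of the packet path Riccardo and Aleksander describe: without SNAT at FW1 the SYN/ACK leaves FW2 with source 2.3.4.5 and the client discards it; with SNAT at FW1 the reply is routed back through FW1 and un-NATed, at the cost of the mail server seeing 1.2.3.4 instead of the real client address. The SNAT rule in the comment is my assumption of how such a fix would be written, not a rule from the thread; conntrack and routing are reduced to the minimum needed to show the asymmetry, and the hairpin question (DNAT back out the same interface) is not modelled.

```python
"""Constructed model of the two-hop DNAT path from the thread (not netfilter itself).

Hosts use the thread's addresses: client 5.5.5.5 -> FW1 1.2.3.4 -> FW2 2.3.4.5
-> SRV 192.168.100.3. Both firewalls default-route to the ISP; SRV routes via FW2.
"""
from dataclasses import dataclass

CLIENT, FW1_IP, FW2_IP, SRV_IP = "5.5.5.5", "1.2.3.4", "2.3.4.5", "192.168.100.3"


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int = 25


class NatBox:
    """One firewall: a PREROUTING DNAT rule, an optional POSTROUTING SNAT, and a
    conntrack table that remembers how to undo the translation on the reply."""

    def __init__(self, ip, dnat_to, snat=False):
        self.ip, self.dnat_to, self.snat = ip, dnat_to, snat
        self.ct = {}  # (reply src, reply dst) -> (src, dst) to restore on the reply

    def inbound(self, p):
        # Thread's rule: iptables -t nat -A PREROUTING -p tcp -d <ip> --dport 25
        #                -j DNAT --to-destination <dnat_to>:25
        if p.dst != self.ip:
            return p  # not addressed to this box, routed through untouched
        # Assumed fix (not from the thread): iptables -t nat -A POSTROUTING -p tcp
        #   -d <dnat_to> --dport 25 -j SNAT --to-source <ip>
        out = Pkt(self.ip if self.snat else p.src, self.dnat_to, p.dport)
        self.ct[(out.dst, out.src)] = (p.dst, p.src)
        return out

    def reply(self, p):
        """Undo the translation on a reply packet, if this box saw the request."""
        fix = self.ct.get((p.src, p.dst))
        return Pkt(fix[0], fix[1], p.dport) if fix else p


def trace(snat_at_fw1):
    """Walk one SYN and its SYN/ACK through the topology; return what each end sees."""
    fw1 = NatBox(FW1_IP, dnat_to=FW2_IP, snat=snat_at_fw1)
    fw2 = NatBox(FW2_IP, dnat_to=SRV_IP)

    # Request: client -> FW1 (DNAT to FW2, same /29) -> FW2 (DNAT to SRV) -> SRV
    req = fw2.inbound(fw1.inbound(Pkt(CLIENT, FW1_IP)))
    assert req.dst == SRV_IP

    # Reply: SRV answers whatever source it saw; its gateway FW2 un-DNATs it.
    rep = fw2.reply(Pkt(SRV_IP, req.src))
    # FW2 routes by destination. Only when the destination is 1.2.3.4 does FW1
    # ever see the reply and get to undo its own NAT; otherwise the packet goes
    # straight out via the ISP gateway carrying source 2.3.4.5.
    if rep.dst == FW1_IP:
        rep = fw1.reply(rep)

    return {
        "srv_sees_client_as": req.src,
        "reply_src": rep.src,
        "reply_dst": rep.dst,
        # The client only matches a SYN/ACK from the address it connected to.
        "client_accepts": rep.dst == CLIENT and rep.src == FW1_IP,
    }


if __name__ == "__main__":
    for snat in (False, True):
        print("SNAT at FW1:", snat, trace(snat))
```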
