* Re: [LARTC] DNAT PREROUTING issue with IPTABLES
From: Aleksander Kamenik @ 2007-09-25 7:50 UTC
To: lartc
Indunil Jayasooriya wrote:
> FIRST firewall (its internet ip address - 1.2.3.4/29) I have added the rule below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
>
> That should forward port 25 to the SECOND firewall. In the SECOND firewall, I
> have added the 2 rules below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
>
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
First run tcpdump* or the like on the smtp box to see that incoming
packets arrive. If they don't, see if they arrive on 2.3.4.5 etc.
If they arrive at the destination see how much they go back (tcpdump on
the firewall boxes).
Btw, assuming both of your firewall boxes have similar iptables
rulesets, shouldn't the first one also have a -t filter -A FORWARD ...
-j ACCEPT rule? Make sure you also have the ESTABLISHED,RELATED -j
ACCEPT rules.
And have you made sure that the smtp box accepts connections from
anywhere? Is your MTA listening on the external interface?
* - tcpdump -i eth0 port 25
Regards,
--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@krediidiinfo.ee
Krediidiinfo AS
http://www.krediidiinfo.ee/
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] DNAT PREROUTING issue with IPTABLES
From: Indunil Jayasooriya @ 2007-09-25 8:35 UTC
To: lartc
On 9/25/07, Aleksander Kamenik <aleksander@krediidiinfo.ee> wrote:
>
> Indunil Jayasooriya wrote:
> > FIRST firewall (its internet ip address - 1.2.3.4/29) I have added the rule below.
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
> >
> > That should forward port 25 to the SECOND firewall. In the SECOND firewall, I
> > have added the 2 rules below.
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
> >
> > iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
>
> First run tcpdump* or the like on the smtp box to see that incoming
> packets arrive. If they don't, see if they arrive on 2.3.4.5 etc.
>
> If they arrive at the destination see how much they go back (tcpdump on
> the firewall boxes).
>
> Btw, assuming both of your firewall boxes have similar iptables
> rulesets, shouldn't the first one also have a -t filter -A FORWARD ...
> -j ACCEPT rule?

No filter rule has been specified.

> Make sure you also have the ESTABLISHED,RELATED -j
> ACCEPT rules.

I had not added it to the prerouting chain. I added it just now.
The forward, input and output chains have it.

> And have you made sure that the smtp box accepts connections from
> anywhere?

It is behind my second firewall. It is @ DMZ ZONE.

YES, it accepts connections from anywhere. Let's say, if I telnet to port
25 as below,

telnet 2.3.4.5 25

it accepts, it works.

Now what I need is that I want to telnet to the first firewall, then it will
forward to the second firewall, and the second firewall will forward to the actual mail
server.

> Is your MTA listening on the external interface?

eth0 is the internet ip of the firewall. eth1 is connected to the mail server.
--
Thank you
Indunil Jayasooriya
* Re: [LARTC] DNAT PREROUTING issue with IPTABLES
From: Aleksander Kamenik @ 2007-09-25 8:44 UTC
To: lartc
Indunil Jayasooriya wrote:
>
> I have not added it to prerouting chain. I added just
> now. Forward, input and output chains have it.
PREROUTING must not have it. Only the three filter chains and only if
you use the state machine.
> telnet 2.3.4.5 25
>
> it accepts, It works.
>
OK, so DNAT at the second firewall works already. I missed that.
> Now what I need is that I want to telnet to first firewall, then, it
> will forward to second firewall, second firewall will forward to actual
> mail server.
Yes I got that.
Anyway, it's hard to guess without seeing all the rules of the first
firewall. Do any other DNAT's at the first firewall work already?
Is forwarding enabled? "cat /proc/sys/net/ipv4/ip_forward" should be "1".
Oh, and by the way. I assumed your routing is in place. Is the
second firewall's default route (gateway) the first firewall?
You can look at it with "ip route list | grep default".
If 1.2.3.4 and 2.3.4.5 are both external IP's then it's probably the
problem.
--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@krediidiinfo.ee
Krediidiinfo AS
http://www.krediidiinfo.ee/
* Re: [LARTC] DNAT PREROUTING issue with IPTABLES
From: Riccardo (SCASI) @ 2007-09-25 8:54 UTC
To: lartc
Indunil Jayasooriya wrote:
>
> Hi,
>
> I have a DNAT ISSUE with PREROUTING.
>
> This is my setup.
>
> I have 2 firewalls running iptables.
>
> Pls assume 1.2.3.4/29 is the internet interface of
> the FIRST firewall.
> 2.3.4.5/29 is the internet interface of the SECOND
> firewall. It has a DMZ zone. In that DMZ zone, a mail server is running @
> 192.168.100.3
>
> Now I want to DNAT port 25 of the FIRST firewall ( i.e - its ip address -
> 1.2.3.4/29 ) to the internet ip address ( 2.3.4.5/29
> ) of the SECOND firewall. That firewall DNATs port 25 to the
> mail server @ 192.168.100.3 in the DMZ zone.
>
> These are the rules I have added.
>
> FIRST firewall (its internet ip address - 1.2.3.4/29
> ) I have added the rule below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
>
> That should forward port 25 to the SECOND firewall. In the SECOND firewall, I
> have added the 2 rules below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
>
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
>
> Now, it should forward port 25 to the mail server @ DMZ Zone.
>
> I think I have added these rules properly. But, it does not work.
>
> I checked from the outside world. I telneted to port 25 of the first firewall.
> Then, it should forward to the mail server @ DMZ zone.
> But, no response.
>
> WHY is that?
>
> YOUR IDEAS?
>
May it be a problem of SNAT?
I try to explain my guess:
FW1: firewall at 1.2.3.4
FW2: firewall at 2.3.4.5
SRV: mail server at 192.168.100.3
I telnet FW1 on port 25 from a PC with ip address 4.5.6.7.
FW1 forwards the connection to FW2.
FW2 forwards the connection to SRV.
SRV now receives packets from 4.5.6.7 and sends packets back to that address.
I think that the connection will fail if those packets on their way to
4.5.6.7 get 'snat-ted' to an address different from 1.2.3.4.
Apologies for my poor English!
> --
> Thank you
> Indunil Jayasooriya
You're welcome
Riccardo Penco
* Re: [LARTC] DNAT PREROUTING issue with IPTABLES
From: Indunil Jayasooriya @ 2007-09-25 9:18 UTC
To: lartc
On 9/25/07, Aleksander Kamenik <aleksander@krediidiinfo.ee> wrote:
>
> Indunil Jayasooriya wrote:
> >
> > I have not added it to prerouting chain. I added just
> > now. Forward, input and output chains have it.
>
> PREROUTING must not have it. Only the three filter chains and only if
> you use the state machine.

NOTED

> > telnet 2.3.4.5 25
> >
> > it accepts, It works.
> >
>
> OK, so DNAT at the second firewall works already. I missed that.
>
> > Now what I need is that I want to telnet to first firewall, then, it
> > will forward to second firewall, second firewall will forward to actual
> > mail server.
>
> Yes I got that.
>
> Anyway, it's hard to guess without seeing all the rules of the first
> firewall. Do any other DNAT's at the first firewall work already?
>
> Is forwarding enabled? "cat /proc/sys/net/ipv4/ip_forward" should be "1".

YES

> Oh, and by the way. I assumed your routing is in place. Is the
> second firewall's default route (gateway) the first firewall?

Oh yeah, this is the POINT.

The SECOND firewall's default route (gateway) is NOT the FIRST firewall.
BOTH firewalls' default route (gateway) is the router given by our ISP.
I think this is the case.

> If 1.2.3.4 and 2.3.4.5 are both external IP's then it's probably the
> problem.

YES, this is the ip block given by our ISP. I got 8 internet ips. But they
all reside in the same subnet, that is 255.255.255.248.
Hope to hear from you.
--
Thank you
Indunil Jayasooriya
* Re: [LARTC] DNAT PREROUTING issue with IPTABLES
From: Aleksander Kamenik @ 2007-09-25 9:48 UTC
To: lartc
Indunil Jayasooriya wrote:
> SECOND Firewall's default route (gateway) is NOT the FIRST firewall.
> BOTH firewall's default route (gateway) is the router given by our ISP.
Ok, so you understand your problem now?
Assuming the packet arrives at 1.2.3.4 from a random external ip (eg.
5.5.5.5), is successfully dnat+rerouted to 2.3.4.5, there again
dnat+rerouted to 192.168.x.x. It arrives at the smtp server and the smtp server
sends a reply to the original sender 5.5.5.5. It does that via its
default gateway which I assume is 2.3.4.5. 2.3.4.5 sends it via your
ISP's gateway with its own address of 2.3.4.5 to 5.5.5.5.
But 5.5.5.5 sent the packet to 1.2.3.4, not 2.3.4.5, so it discards it.
And that's exactly what Riccardo said when I read his mail now.
The first problem though is that I'm not sure the dnat from 1.2.3.4 to
2.3.4.5 works, the packet would have to leave via the same interface it
came in on. Maybe this works, I've never tried that. Make sure packets arrive
on the smtp box with tcpdump.
As for the solution, one way would be to SNAT the connection at FW1, but
this would cause the smtp box to see as if all the incoming connections
are from 1.2.3.4 and not their real IP's (5.5.5.5).
Actually you should set up custom routing at 1.2.3.4 and not DNAT. You'd
have to mark the packets and then send them to the 2.3.4.5 fw via a
custom route. I'm not sure I could help you with that, never done any
advanced routing.
--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@krediidiinfo.ee
Krediidiinfo AS
http://www.krediidiinfo.ee/
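To make the return-path problem described in the message above concrete, here is an added Python model; it is not from the thread and not code from either poster. It pushes one SMTP SYN through FW1 and FW2 with conntrack-style state on each box, once with the rules exactly as posted, once with the SNAT at FW1 that Aleksander mentions, and once with the server's replies policy-routed back through FW1 instead of the ISP router. The addresses are the thread's own and 5.5.5.5 is Aleksander's example client; the client source port 40000, the class and function names, and the exact SNAT rule quoted in the docstring are my own assumptions.

```python
"""Added example (not from the thread): a conntrack-style model of the
two-hop DNAT path, showing why the SYN-ACK is discarded and what the
two fixes change. Addresses are the thread's; sport 40000 is arbitrary."""
from dataclasses import dataclass, replace

CLIENT, FW1, FW2, SRV = "5.5.5.5", "1.2.3.4", "2.3.4.5", "192.168.100.3"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """One iptables host: nat PREROUTING (DNAT), nat POSTROUTING (SNAT) and
    the conntrack entry that lets replies be translated back."""

    def __init__(self, name, dnat=None, snat=None):
        self.name = name
        self.dnat = dnat or {}  # (dst, dport) -> (new dst, new dport)
        self.snat = snat or {}  # (dst, dport) after DNAT -> new src
        self.ct = {}            # expected reply tuple -> original packet

    def forward(self, p):
        """New connection through this box: DNAT, then SNAT, then record."""
        if (p.dst, p.dport) in self.dnat:
            nd, ndp = self.dnat[(p.dst, p.dport)]
            p_out = replace(p, dst=nd, dport=ndp)
        else:
            p_out = p
        if (p_out.dst, p_out.dport) in self.snat:
            p_out = replace(p_out, src=self.snat[(p_out.dst, p_out.dport)])
        # The reply to p_out has src/dst swapped; remember how to undo it.
        # (Real conntrack also rewrites sport on SNAT collisions; omitted.)
        self.ct[(p_out.dst, p_out.dport, p_out.src, p_out.sport)] = p
        return p_out

    def reply(self, r):
        """Reply packet through this box: undo NAT if we hold state for it."""
        orig = self.ct.get((r.src, r.sport, r.dst, r.dport))
        if orig is None:
            return r  # unknown connection: forwarded untouched (or filtered)
        return Pkt(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def scenario(snat_on_fw1, replies_via_fw1):
    """Drive one SMTP SYN / SYN-ACK exchange through FW1 and FW2.

    snat_on_fw1     - FW1 additionally has (assumed rule, not from the thread):
                      iptables -t nat -A POSTROUTING -o eth0 -p tcp -d 2.3.4.5
                        --dport 25 -j SNAT --to-source 1.2.3.4
    replies_via_fw1 - FW2 policy-routes the server's replies for these
                      connections to FW1 instead of the ISP router (the
                      selector rules are not modelled; see the note below).
    """
    fw1 = NatBox("FW1", dnat={(FW1, 25): (FW2, 25)},
                 snat={(FW2, 25): FW1} if snat_on_fw1 else None)
    fw2 = NatBox("FW2", dnat={(FW2, 25): (SRV, 25)})

    syn = Pkt(CLIENT, 40000, FW1, 25)
    at_srv = fw2.forward(fw1.forward(syn))
    # The MTA answers whatever source address and port it saw.
    synack = Pkt(SRV, 25, at_srv.src, at_srv.sport)
    back = fw2.reply(synack)            # FW2 always undoes its own DNAT
    # FW1 only sees the reply if it is addressed to FW1 (SNAT case) or if
    # FW2's routing deliberately hands it to FW1 (policy-routing case).
    if back.dst == FW1 or replies_via_fw1:
        back = fw1.reply(back)
    # The client's TCP stack matches the SYN-ACK against its socket only if
    # it comes from the address and port it connected to.
    accepted = (back.dst, back.dport, back.src, back.sport) == \
               (syn.src, syn.sport, syn.dst, syn.dport)
    return {"server_saw": at_srv.src, "client_saw": back.src, "accepted": accepted}


if __name__ == "__main__":
    for label, args in [("as posted", (False, False)),
                        ("SNAT at FW1", (True, False)),
                        ("replies routed via FW1", (False, True))]:
        print(f"{label:24s} {scenario(*args)}")
```

The "as posted" run reproduces the thread's failure: the MTA sees 5.5.5.5, FW2 undoes its DNAT so the SYN-ACK leaves with source 2.3.4.5, and the client discards it because it connected to 1.2.3.4. SNAT at FW1 makes the exchange work but, as Aleksander warns, the MTA then logs every connection as coming from 1.2.3.4, which also breaks anything the MTA keys on the client address (RBL lookups, SPF, per-client rate limits). Routing the replies back through FW1 keeps the real client address, but at layer 3 a connection DNAT'd by FW1 and one that arrived at 2.3.4.5 directly look identical to FW2, so the selector would have to key on something else (for instance the source MAC of FW1 saved with CONNMARK); that part is deliberately left out of the model. In both working cases FW1 forwards packets in and out of the same eth0, so its FORWARD chain must allow that hairpin for NEW and for RELATED,ESTABLISHED traffic.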
* Re: [LARTC] DNAT PREROUTING issue with IPTABLES
From: Indunil Jayasooriya @ 2007-09-25 10:12 UTC
To: lartc
On 9/25/07, Aleksander Kamenik <aleksander@krediidiinfo.ee> wrote:
>
> Indunil Jayasooriya wrote:
>
> > SECOND Firewall's default route (gateway) is NOT the FIRST firewall.
> > BOTH firewall's default route (gateway) is the router given by our ISP.
>
> Ok, so you understand your problem now?
>
> Assuming the packet arrives at 1.2.3.4 from random external ip (eg.
> 5.5.5.5), is successfully dnat+rerouted to 2.3.4.5, there again
> dnat+reroute to 192.168.x.x. Arrives at smtp server and smtp server
> sends a reply to the original sender 5.5.5.5. It does that via its
> default gateway which I assume is 2.3.4.5. 2.3.4.5 sends it via your
> ISP's gateway with its own address of 2.3.4.5 to 5.5.5.5.
>
> But 5.5.5.5 sent the packet to 1.2.3.4, not 2.3.4.5, so it discards it.

YES, I got it.

> And that's exactly what Riccardo said when I read his mail now.
>
> The first problem though is that I'm not sure the dnat from 1.2.3.4 to
> 2.3.4.5 works, the packet would have to leave via the same interface it
> came. Maybe this works, I've never tried that. Make sure packets arrive
> on the smtp box with tcpdump.
>
> As for the solution, one way would be to SNAT the connection at FW1, but
> this would cause the smtp box to see as if all the incoming connections
> are from 1.2.3.4 and not their real IP's (5.5.5.5).
>
> Actually you should set up custom routing at 1.2.3.4 and not DNAT. You'd
> have to mark the packets and then send them to the 2.3.4.5 fw via a
> custom route. I'm not sure I could help you with that, never done any
> advanced routing.

Thanks for your excellent help given so far. I will try with advanced
routing.
Is it policy routing?
--
Thank you
Indunil Jayasooriya