* tcp packets on 25 port FORWARDING
From: Stanislav Puffler DiS. @ 2004-03-12 9:46 UTC
To: netfilter
Hi there,
I need to forward all TCP packets on port 25 (SMTP) from the Internet to a
machine in my network. My settings: eth0 = Internet IP, eth1 = 192.168.200.1
(DMZ IP, connected to another machine running Postfix), eth2 = 192.168.0.1
(gateway for the LAN). I have opened port 25 and set up these rules:
iptables -t nat -A PREROUTING -p tcp -dport 25 - i eth0 -j DNAT -to
192.168.200.2:85
iptables -A FORWARD -i eth0 -p tcp -d 192:168.200.2 -dport 25 -m state
-state NEW,ESTABLISHED,RELATED -j ACCEPT
But it still doesn't route TCP packets on port 25 to my Postfix computer :o(
If I try telnet 192.168.200.2 25 from the FW it works; if I try this from the
Internet, it doesn't work :o( Any ideas? Thanks a lot.
Stan.
* Re: tcp packets on 25 port FORWARDING
From: Antony Stone @ 2004-03-12 9:57 UTC
To: netfilter
On Friday 12 March 2004 9:46 am, Stanislav Puffler DiS. wrote:
> Hi there,
>
> I need to forward all tcp packets with port 25 (SMTP) from Internet to
> machine in my network. My settings (eth0 = internet IP, eth1 =
> 192.168.200.1 - dmz IP connected to another machine with Postfix, eth2 =
> 192.168.0.1 - gateway - LAN). Have opened port 25 and setup rule :
>
> iptables -t nat -A PREROUTING -p tcp -dport 25 - i eth0 -j DNAT -to
> 192.168.200.2:85
That should be "--dport", not "-dport", and why are you changing the
destination port number to 85? Is Postfix listening on port 25?
> iptables -A FORWARD -i eth0 -p tcp -d 192:168.200.2 -dport 25 -m state
> -state NEW,ESTABLISHED,RELATED -j ACCEPT
That should also read "--dport", not "-dport", also "--state", not "-state".
If you have typed out your rules in this email and made some mistakes, then
please *cut and paste* your ruleset so we really know what is running.
Regards,
Antony.
--
Ramdisk is not an installation procedure.
Please reply to the list;
please don't CC me.
* Re: tcp packets on 25 port FORWARDING
From: peter.gehle @ 2004-03-12 10:03 UTC
To: netfilter
Try this:
LAN_IP=$(ifconfig eth1 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)
iptables -t nat -A PREROUTING -i *EXT-NIC* -p tcp --dport 25 -j DNAT --to-destination *POSTFIX-IP*
iptables -t nat -A POSTROUTING -o *INT-NIC* -p tcp --dport 25 -j SNAT --to-source $LAN_IP
iptables -A FORWARD -i *EXT-NIC* -m state --state NEW -p tcp -d *POSTFIX-IP* --dport 25 -j ACCEPT
EXT-NIC = your external Network Interface (eth0, eth1...)
INT-NIC = your internal Network Interface (eth1, eth2...) where your Postfix Server is connected to
POSTFIX-IP = The IP of your Postfix Server
That should work.
Mit freundlichen Grüßen / Best regards / Meilleures salutations / Met vriendelijke groet
Peter Gehle
Systemberatung Gehle GmbH
Im Bahler Grund 5
D-49413 Dinklage
Germany
Phone : +49 4443 9796-12
Fax : +49 4443 9796-29
www.sbgit.com
* Re: tcp packets on 25 port FORWARDING
From: Antony Stone @ 2004-03-12 10:21 UTC
To: netfilter
On Friday 12 March 2004 10:03 am, peter.gehle@sbgit.com wrote:
> Try this:
>
> LAN_IP=$(ifconfig eth1|head -n 2|tail -n 1|cut -d: -f2|cut -d" " -f1)
A simpler version is `ifconfig eth1|grep inet|tr -s ': ' '\t'|cut -f4`
> iptables -t nat -A PREROUTING -i *EXT-NIC* -p tcp --dport 25 -j DNAT
> --to-destination *POSTFIX-IP*
> iptables -t nat -A POSTROUTING -o *INT-NIC* -p tcp --dport 25 -j SNAT
> --to-source $LAN_IP
Why include this rule? It will make all email received by the Postfix
machine appear to come from the Firewall, not the real IP address of the
sending server. This will make anti-spam measures more difficult / less
effective.
> iptables -A FORWARD -i *EXT-NIC* -m state --state NEW -p tcp -d *POSTFIX-IP*
> --dport 25 -j ACCEPT
What about NEW packets from inside to outside (eg delivering mail to the
Internet?)
Also don't forget that a mail server is likely to want to do things like DNS
lookups.
Regards,
Antony.
--
Having been asked for a reference for this man,
I can confirm that you will be very lucky indeed if you can get him to work
for you.
Please reply to the list;
please don't CC me.
* RE: tcp packets on 25 port FORWARDING
From: Stanislav Puffler DiS. @ 2004-03-12 10:47 UTC
To: netfilter
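As an added example (not code from any of the posts above), here is a small POSIX shell script that generates the SMTP port-forwarding rules the replies converge on (DNAT in PREROUTING, a stateful FORWARD rule, and no SNAT so Postfix still sees the real sender address for its anti-spam checks) and lints a rule string for the typos this thread caught. It is a dry run that prints the commands instead of executing them; the interface names and 192.168.200.2 come from the original post, and the function names are my own.

```shell
#!/bin/sh
# Lint one iptables rule string for the mistakes seen in this thread.
# Prints a diagnostic per problem and returns 1 if any was found.
lint_rule() {
    rule="$1"
    status=0
    # A long option spelled with one dash: "-dport", "-state", "-to" ...
    for bad in $(printf '%s\n' "$rule" | tr ' ' '\n' | grep -E '^-[a-z]{2,}$' || true); do
        echo "single dash on long option: $bad (did you mean -$bad?)"
        status=1
    done
    # An option letter separated from its dash: "- i eth0"
    case "$rule" in
        *' - '*) echo "stray '- ' in rule"; status=1 ;;
    esac
    # A colon where the dotted quad needs a dot: "192:168.200.2"
    if printf '%s\n' "$rule" | grep -Eq '[0-9]+:[0-9]+\.[0-9]+\.[0-9]+'; then
        echo "malformed address in rule"; status=1
    fi
    return $status
}

# Emit the rules that forward TCP/25 arriving on $1 (external NIC) to the
# Postfix host $3 behind $2 (DMZ NIC). Deliberately no SNAT in POSTROUTING:
# the mail server must see the real source address of the sending MTA.
smtp_forward_rules() {
    ext_if="$1"; dmz_if="$2"; mta="$3"
    echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport 25 -j DNAT --to-destination $mta:25"
    echo "iptables -A FORWARD -i $ext_if -o $dmz_if -p tcp -d $mta --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $dmz_if -o $ext_if -s $mta -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Demonstration on the rules as typed in the first post (constructed input).
main() {
    typo_rule="iptables -t nat -A PREROUTING -p tcp -dport 25 - i eth0 -j DNAT -to 192.168.200.2:85"
    lint_rule "$typo_rule" || echo "rule rejected"
    smtp_forward_rules eth0 eth1 192.168.200.2 | while read -r r; do
        lint_rule "$r" >/dev/null && echo "ok: $r"
    done
}
[ "${LINT_DEMO_NO_MAIN:-}" ] || main
```

The FORWARD rule for replies from the DMZ is the minimum; as Antony notes, a real mail server also needs NEW outbound connections (SMTP delivery, DNS lookups), which are out of scope here.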
My mistake, I have this written with --dport and --state. But it still doesn't
work. Here are my rulesets for table nat:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 to:192.168.200.2:25
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3128
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And for filtering:
Chain INPUT (policy DROP)
target prot opt source destination
tcp_segmenty tcp -- 0.0.0.0/0 0.0.0.0/0
udp_pakety udp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 reject-with icmp-port-unreachable
spoofing all -- 0.0.0.0/0 0.0.0.0/0
syn_flood tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
ACCEPT all -- 80.95.96.7 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 192.168.200.2 tcp dpt:25 state NEW,RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
spoofing all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 127.0.0.1 0.0.0.0/0
ACCEPT all -- 192.168.0.1 0.0.0.0/0
ACCEPT all -- 192.168.200.1 0.0.0.0/0
ACCEPT all -- 82.142.67.253 0.0.0.0/0
Chain spoofing (2 references)
target prot opt source destination
DROP all -- 192.168.0.0/16 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
Chain syn_flood (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain tcp_segmenty (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain udp_pakety (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
Will try the help from Peter Gehle also, to see if it works. Thanks...
Stan