* Port forwarding (non-NAT)
From: Kristofer @ 2008-02-18 23:18 UTC
To: netfilter
I've googled and done some searches, and the only information I can find is for port forwarding with NAT. Perhaps that's what I need to accomplish what I am trying to do. If I missed an obvious link or source with this information, I apologize and please slap me.
I currently have an SMTP server listening on port 25, and the machine has its own static IP address, no NAT is being used.
I want to use iptables to forward inbound traffic on port 587 to port 25 of that same machine, so basically making SMTP listen on both ports. I do not wish to configure the SMTP software to listen on multiple ports, since I may want to open up several more ports in the future and that would be a lot of idle daemons listening on ports they may or may not use.
So, my question is: how can I have incoming traffic on port 587 go to port 25 of the localhost?
Thanks,
Kristofer
* Re: Port forwarding (non-NAT)
From: Jon Wilson @ 2008-02-19 0:26 UTC
To: netfilter; +Cc: Kristofer
Kristofer wrote:
> I've googled and done some searches, and the only information I can find is for port forwarding with NAT. Perhaps that's what I need to accomplish what I am trying to do. If I missed an obvious link or source with this information, I apologize and please slap me.
>
> I currently have an SMTP server listening on port 25, and the machine has its own static IP address, no NAT is being used.
>
> I want to use iptables to forward inbound traffic on port 587 to port 25 of that same machine, so basically making SMTP listen on both ports. I do not wish to configure the SMTP software to listen on multiple ports, since I may want to open up several more ports in the future and that would be a lot of idle daemons listening on ports they may or may not use.
>
> So, my question is: how can I have incoming traffic on port 587 go to port 25 of the localhost?
>
> Thanks,
> Kristofer
if iptables on the same computer as the smtp server:
iptables -t nat -A PREROUTING -p tcp --dport 587 -m state --state NEW -d $IP_OF_MAIL_SERVER -j REDIRECT --to-ports 25
else:
iptables -t nat -A PREROUTING -p tcp --dport 587 -m state --state NEW -d $IP_OF_MAIL_SERVER -j DNAT --to $IP_OF_MAIL_SERVER:25
(assuming you allow established, related through)
--
Jon Wilson
* Re: Port forwarding (non-NAT)
From: Pascal Hambourg @ 2008-02-19 10:49 UTC
To: netfilter
Hello,
Jon Wilson wrote:
> Kristofer wrote:
>
>> I've googled and done some searches, and the only information I can
>> find is for port forwarding with NAT. Perhaps that's what I need to
>> accomplish what I am trying to do.
>> I currently have an SMTP server listening on port 25, and the machine
>> has its own static IP address, no NAT is being used.
>> I want to use iptables to forward inbound traffic on port 587 to port
>> 25 of that same machine, so basically making SMTP listen on both
>> ports. I do not wish to configure the SMTP software to listen on
>> multiple ports, since I may want to open up several more ports in the
>> future and that would be a lot of idle daemons listening on ports they
>> may or may not use.
Huh ? What is that SMTP software which requires to run one separate
daemon for each listening port ? If it can use inetd, you can have it
listening on multiple ports even without a single idle daemon running
(except inetd itself of course).
>> So, my question is: how can I have incoming traffic on port 587 go to
>> port 25 of the localhost?
Port forwarding is a form of destination NAT. It can also be done with a
TCP relay such as 6tunnel, but the final destination sees only the relay
address, not the original source address. Not very convenient for
logging or access control.
> if iptables on the same computer as the smtp server:
>
> iptables -t nat -A PREROUTING -p tcp --dport 587 -m state --state NEW -d $IP_OF_MAIL_SERVER -j REDIRECT --to-ports 25
>
> else:
>
> iptables -t nat -A PREROUTING -p tcp --dport 587 -m state --state NEW -d $IP_OF_MAIL_SERVER -j DNAT --to $IP_OF_MAIL_SERVER:25
Note that the second rule also works on the server itself.
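An added example, not code from either Jon Wilson or Pascal Hambourg, that turns the REDIRECT rule above into a small script and adds the two details a practitioner usually trips over when applying it on the server itself. First, connections the host makes to its own address never traverse nat PREROUTING; they go through nat OUTPUT, and REDIRECT there rewrites the destination to 127.0.0.1, which the daemon may not be bound to, so the OUTPUT rule uses DNAT to the server's address instead (the variant Pascal notes also works on the server). Second, the filter table runs after nat PREROUTING, so the INPUT chain sees destination port 25, not 587; a filter rule written for --dport 587 never matches, and the conntrack match on the original destination port is what lets 587 and 25 still be policed separately. The address 203.0.113.25, the variable and function names, and the DRY_RUN switch are assumptions for this example; with DRY_RUN=1 the script only prints the commands it would run, which is also how it can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): redirect an extra TCP port to the
# port the daemon already listens on, with iptables on the same host.
# Assumptions: IPv4, root for the real run, the iptables CLI (legacy or
# nft backend). MAIL_IP 203.0.113.25 is a constructed documentation address.
IPT=${IPT:-iptables}
MAIL_IP=${MAIL_IP:-203.0.113.25}

# run: execute iptables, or just print the command when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# redirect_port EXTRA_PORT REAL_PORT
# Packets arriving from the network pass nat PREROUTING, where REDIRECT
# rewrites the destination to the address of the incoming interface (the
# thread's rule without the state match: the nat table only ever sees the
# first packet of a connection, so "--state NEW" is redundant there).
# Connections the host opens to its own address skip PREROUTING and pass
# nat OUTPUT instead; REDIRECT in OUTPUT maps to 127.0.0.1, which the
# daemon may not listen on, so DNAT to MAIL_IP is used for that chain.
redirect_port() {
    extra=$1; real=$2
    run -t nat -A PREROUTING -p tcp -d "$MAIL_IP" --dport "$extra" \
        -j REDIRECT --to-ports "$real"
    run -t nat -A OUTPUT -p tcp -d "$MAIL_IP" --dport "$extra" \
        -j DNAT --to-destination "$MAIL_IP:$real"
}

# allow_redirected_port EXTRA_PORT REAL_PORT
# The filter table runs after nat PREROUTING, so INPUT sees --dport REAL.
# Matching the port the client originally connected to via conntrack keeps
# the two ports separately controllable (accept 587 from anywhere, say,
# while 25 stays restricted to peers that really do inbound MX delivery).
allow_redirected_port() {
    extra=$1; real=$2
    run -A INPUT -p tcp --dport "$real" -m conntrack --ctstate NEW \
        --ctorigdstport "$extra" -j ACCEPT
}

# check_redirect EXTRA_PORT REAL_PORT
# "iptables -C" exits 0 if an identical rule is already in the chain.
check_redirect() {
    extra=$1; real=$2
    run -t nat -C PREROUTING -p tcp -d "$MAIL_IP" --dport "$extra" \
        -j REDIRECT --to-ports "$real"
}

case "${1:-}" in
    apply)
        redirect_port 587 25
        allow_redirected_port 587 25
        check_redirect 587 25 && echo "redirect 587 -> 25 installed"
        ;;
    *)
        echo "usage: DRY_RUN=1 $0 apply   # print the rules instead of loading them" >&2
        ;;
esac
```

Run it once with DRY_RUN=1 apply to read the exact rules, then without DRY_RUN as root to load them; the check_redirect call at the end confirms the PREROUTING rule took, and `iptables -t nat -L PREROUTING -n -v` shows its packet counter rising as the first packet of each new connection to 587 hits it.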
* Re: Port forwarding (non-NAT)
From: Kristofer @ 2008-02-19 17:01 UTC
To: Pascal Hambourg; +Cc: netfilter
> Huh ? What is that SMTP software which requires to run one separate
> daemon for each listening port ? If it can use inetd, you can have it
> listening on multiple ports even without a single idle daemon running
> (except inetd itself of course).
I misspoke. What I am using requires me to manually edit configuration files after every single upgrade (annoying), so I'd rather adjust the settings outside of the software (such as iptables) so I can simply have it remain listening on port 25 only and I do not have to edit configuration files to tell it to also listen on port 587.
> Port forwarding is a form of destination NAT. It can also be done with a
> TCP relay such as 6tunnel, but the final destination sees only the relay
> address, not the original source address. Not very convenient for
> logging or access control.
I assumed that may be the case. I'm coming out of a world of IPFW and trying to get a complete grasp on iptables. It's getting more clear each day. :-)
> > if iptables on the same computer as the smtp server:
> >
> > iptables -t nat -A PREROUTING -p tcp --dport 587 -m state --state NEW -d $IP_OF_MAIL_SERVER -j REDIRECT --to-ports 25
> >
> > else:
> >
> > iptables -t nat -A PREROUTING -p tcp --dport 587 -m state --state NEW -d $IP_OF_MAIL_SERVER -j DNAT --to $IP_OF_MAIL_SERVER:25
>
> Note that the second rule also works on the server itself.
I went with the first rule, and it is working thus far.
Thanks!
Kristofer