Linux Netfilter discussions
* How to get a DMZ host's traffic routed via a particular IP address on a firewall?
From: Greg Cope @ 2005-05-05 16:31 UTC (permalink / raw)
  To: netfilter

Hi all,

I have an iptables firewall that has 3 ethernet cards:
eth0 (red/internet), eth1 (DMZ), eth2 (LAN)

eth0 has a few aliases:

eth0 (217.154.55.249) gateway
eth0:1 (217.154.55.250) for the mail server - an A record for mail.e-dba.net
eth0:2 (217.154.55.253) for a webserver
eth0:3 (217.154.55.245) another alias for a host on the DMZ

When sending traffic from this firewall host or any host behind it, the
traffic leaves from eth0 (217.154.55.249).

The firewall's default gateway router is an ADSL ethernet modem on 217.154.55.241.

However, mail (SMTP) traffic comes in via 217.154.55.250, and I would
like it to go out via 217.154.55.250 as this has the correct
(mail.e-dba.net) PTR record.

I have tried within my iptables script:

SMTP_MARK=2
echo 25 smtp.out >> /etc/iproute2/rt_tables
IPROUTE2_SMTP_TABLE="smtp.out"
INET_IFACE="eth0"
MAIL_INET_ALIAS="217.154.55.250"

$IPTABLES -A PREROUTING -i eth0 -t mangle -p tcp --dport 25 -j MARK --set-mark ${SMTP_MARK}
ip rule add fwmark $SMTP_MARK table $IPROUTE2_SMTP_TABLE

- All good so far

But the following seem to do the wrong thing.....

ip route add table $IPROUTE2_SMTP_TABLE dev $INET_IFACE src $MAIL_INET_ALIAS
ip route add table $IPROUTE2_SMTP_TABLE default via $INET_IP

What am I doing wrong?

If anyone knows of any howtos/tutorials to RTFM then please let me know.

Thanks

Greg



* Re: How to get a DMZ host's traffic routed via a particular IP address on a firewall?
From: Jason Opperisano @ 2005-05-05 21:34 UTC (permalink / raw)
  To: netfilter

On Thu, May 05, 2005 at 05:31:54PM +0100, Greg Cope wrote:
> Hi all,
> 
> I have an iptables firewall that has 3 ethernet cards:
> eth0 (red/internet), eth1 (DMZ), eth2 (LAN)
> 
> eth0 has a few aliases:
> 
> eth0 (217.154.55.249) gateway
> eth0:1 (217.154.55.250) for the mail server - an A record for mail.e-dba.net
> eth0:2 (217.154.55.253) for a webserver
> eth0:3 (217.154.55.245) another alias for a host on the DMZ
> 
> When sending traffic from this firewall host or any host behind it, the
> traffic leaves from eth0 (217.154.55.249).
> 
> The firewall's default gateway router is an ADSL ethernet modem on 217.154.55.241.
> 
> However, mail (SMTP) traffic comes in via 217.154.55.250, and I would
> like it to go out via 217.154.55.250 as this has the correct
> (mail.e-dba.net) PTR record.

<--snip crazy routing stuff-->

sounds like you want 1-to-1 NAT for the mail server, which takes 2 NAT
rules (one for connections initiated *to* the mailserver, and one for
connections initiated *from* the mailserver):

  iptables -t nat -A PREROUTING -i eth0 -d 217.154.55.250 \
    -j DNAT --to-destination $MAILSRV_PRIV_IP

  iptables -t nat -A POSTROUTING -o eth0 -s $MAILSRV_PRIV_IP \
    -j SNAT --to-source 217.154.55.250

sounds like you already have the 1st rule in place.  make sure the 2nd
rule comes *before* any outbound SNAT/MASQ rule that is less specific.

-j

--
"Dennis Miller: I don't want to go on a rant, here, but America's
 foreign policy makes about as much sense as Beowulf having sex
 with Robert Fulton at the first battle of Antietam. I mean when
 a neo-conservative defenestrates it's like Raskolnikov filibuster
 deoxymonohydroxinate...
 Peter: What the hell does rant mean?"
        --Family Guy



* Re: How to get a DMZ host's traffic routed via a particular IP address on a firewall?
From: Greg Cope @ 2005-05-06 14:36 UTC (permalink / raw)
  To: Jason Opperisano, netfilter

On 5/5/05, Jason Opperisano <opie@817west.com> wrote:
> <--snip crazy routing stuff-->
> 
> sounds like you want 1-to-1 NAT for the mail server, which takes 2 NAT
> rules (one for connections initiated *to* the mailserver, and one for
> connections initiated *from* the mailserver):
> 
>   iptables -t nat -A PREROUTING -i eth0 -d 217.154.55.250 \
>     -j DNAT --to-destination $MAILSRV_PRIV_IP

That I have working fine.

> 
>   iptables -t nat -A POSTROUTING -o eth0 -s $MAILSRV_PRIV_IP \
>     -j SNAT --to-source 217.154.55.250

Ah - tried this:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.254.2 -p tcp --dport 25 -j SNAT --to-source 217.154.55.250

Or variants thereof.

No Joy...

I could scream......

Anyone any ideas

Greg

mail.e-dba.net = 192.168.254.3 the DMZ / private address
$  iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             mail.e-dba.net      tcp dpt:smtp to:192.168.254.2

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  192.168.0.0/16       anywhere            
SNAT       tcp  --  mail.e-dba.net       anywhere            to:217.154.55.250 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

> 
> sounds like you already have the 1st rule in place.  make sure the 2nd
> rule comes *before* any outbound SNAT/MASQ rule that is less specific.
> 
> -j



* Re: How to get a DMZ host's traffic routed via a particular IP address on a firewall?
From: Jason Opperisano @ 2005-05-06 14:40 UTC (permalink / raw)
  To: netfilter

On Fri, May 06, 2005 at 03:36:04PM +0100, Greg Cope wrote:
> Ah - tried this:
> 
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.254.2 -p tcp --dport 25 -j SNAT --to-source 217.154.55.250

looks good.

> Or variants thereof.
> 
> No Joy...

not even...bill joy?

> I could scream......

mmm...ice cream...

> Anyone any ideas

yeah.

> Greg
> 
> mail.e-dba.net = 192.168.254.3 the DMZ / private address
> $  iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination         
> DNAT       tcp  --  anywhere             mail.e-dba.net      tcp dpt:smtp to:192.168.254.2
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination         
> MASQUERADE  all  --  192.168.0.0/16       anywhere            
> SNAT       tcp  --  mail.e-dba.net       anywhere            to:217.154.55.250 
remember the part where i said, "make sure the 2nd rule comes *before*
any outbound SNAT/MASQ rule that is less specific"...i do--man, those
were good times.

anyways, since you match all 192.168.0.0/16 traffic with the MASQ rule,
the SNAT rule for 192.168.254.3 will never be matched.

translation:  put the dang SNAT rule for the mail server first.

-j

--
"Lois: I'll be just like Hillary Clinton, only you know, without the
 penis."
        --Family Guy



* Re: How to get a DMZ host's traffic routed via a particular IP address on a firewall - NOW solved
From: Greg Cope @ 2005-05-06 14:57 UTC (permalink / raw)
  To: Jason Opperisano, netfilter

> not even...bill joy?

Hum...

> remember the part where i said, "make sure the 2nd rule comes *before*
> any outbound SNAT/MASQ rule that is less specific"...i do--man, those
> were good times.
> anyways, since you match all 192.168.0.0/16 traffic with the MASQ rule,
> the SNAT rule for 192.168.254.3 will never be matched.
> 
> translation:  put the dang SNAT rule for the mail server first.
> 

Ah - thanks - I am SURE I tried that.....

Anyway this now works with:

$IPTABLES -t nat -A POSTROUTING -o ${INET_IFACE} -s $DMZ_MAIL_IP -p tcp --dport 25 -j SNAT --to-source $MAIL_INET_ALIAS

Many, many, many thanks.

Greg

> -j
> 
> --
> "Lois: I'll be just like Hillary Clinton, only you know, without the
>  penis."
>         --Family Guy
> 
>


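An added check for the ordering problem Jason explains above and Greg's final rule resolves (example code written for this page, not from the thread or the netfilter project): it parses a constructed iptables-save style nat dump and reports any POSTROUTING SNAT rule that an earlier, broader SNAT/MASQUERADE rule will always match first, since nat chains are first-match. It assumes every iptables option in the dump takes exactly one argument.

```python
import ipaddress
import shlex

# Constructed samples modelled on the chain listing in the thread; not real dumps.
BROKEN_DUMP = """\
*nat
-A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE
-A POSTROUTING -o eth0 -s 192.168.254.2/32 -p tcp --dport 25 -j SNAT --to-source 217.154.55.250
COMMIT
"""
# Same two rules with the specific SNAT first, as the thread concludes.
FIXED_DUMP = """\
*nat
-A POSTROUTING -o eth0 -s 192.168.254.2/32 -p tcp --dport 25 -j SNAT --to-source 217.154.55.250
-A POSTROUTING -s 192.168.0.0/16 -j MASQUERADE
COMMIT
"""
FLAGS = {"-s": "src", "-o": "out", "-p": "proto", "--dport": "dport", "-j": "target"}

def parse_rule(line):
    """Parse one '-A CHAIN ...' line; assumes each option takes exactly one argument."""
    tokens = shlex.split(line)
    rule = {"src": "0.0.0.0/0", "out": None, "proto": None, "dport": None,
            "target": None, "line": line}
    for flag, value in zip(tokens[2::2], tokens[3::2]):
        if flag in FLAGS:
            rule[FLAGS[flag]] = value
    rule["src"] = ipaddress.ip_network(rule["src"], strict=False)
    return rule

def covers(broad, narrow):
    """True if every packet matching 'narrow' also matches 'broad' (None = any)."""
    return (narrow["src"].subnet_of(broad["src"])
            and broad["out"] in (None, narrow["out"])
            and broad["proto"] in (None, narrow["proto"])
            and broad["dport"] in (None, narrow["dport"]))

def shadowed_snat_rules(dump):
    """Return (shadowed SNAT line, earlier shadowing line) pairs for POSTROUTING."""
    rules = [parse_rule(l) for l in dump.splitlines() if l.startswith("-A POSTROUTING ")]
    findings = []
    for idx, rule in enumerate(rules):
        if rule["target"] != "SNAT":
            continue
        for earlier in rules[:idx]:
            if earlier["target"] in ("SNAT", "MASQUERADE") and covers(earlier, rule):
                findings.append((rule["line"], earlier["line"]))
                break
    return findings
```

Run it against the output of `iptables-save -t nat` on the firewall to confirm the mail server's SNAT rule is not shadowed after a rule reload.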
