Mark asked on
iptables, possible circular reference on port forward
I've set up iptables on my Linux router to forward ports to various hosts on a LAN subnet. All works well, except I appear to have forwarded port 25 back to the wrong place.
What I want is for Internet connections to the router on port 10025 to be forwarded to its local port 25.
I want Internet connections to the router on port 25 (actual mail) to be forwarded to IP 192.168.1.101, port 25. In iptables I have:
iptables -t nat -A PREROUTING -p tcp --dport 10025 -j REDIRECT --to-port 25
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.101:25
However, I get the following:
$ telnet mydomain.com 10025
Trying 64.129.xx.xx...
Connected to mydomain.com.
Escape character is '^]'.
220 router.mydomain.com ESMTP Sendmail 8.14.4/8.14.4; Mon, 7 Oct 2013 01:50:53 -0400
$ telnet mydomain.com 25
Trying 64.129.xx.xx...
Connected to mydomain.com.
Escape character is '^]'.
220 router.mydomain.com ESMTP Sendmail 8.14.4/8.14.4; Mon, 7 Oct 2013 01:51:28 -0400
The 2nd telnet should have connected to host cscanweb1.mydomain.com, not router.mydomain.com.
If, when logged onto the router, I telnet 192.168.1.101 25, I do get "220 cscanweb1".
Somehow, both port 10025 and port 25 route to the Linux router host from the Internet. What did I do wrong?
Oh, and if you wanted to add a rule that allows your internal traffic to reach your mail server, try this:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.101:25
Basically that says: send all traffic from eth1 (your internal network, 192.168.1.0) on port 25 to 192.168.1.101:25
HTH,
Dan
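Added here as an illustration (not code from the thread): a small model of how the nat PREROUTING chain is walked for the first packet of a connection. It shows that the first rule whose matches all succeed applies its target and ends the walk, so the 10025 REDIRECT does not feed the rewritten packet back into the port-25 DNAT (no "circular reference"), and that a LAN client arriving on eth1 misses the "-i eth0" DNAT and lands on the router's own sendmail until Dan's eth1 rule is added. The Rule/Packet names and the ROUTER_LOCAL marker are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model: nat PREROUTING is consulted for a connection's first packet,
# rules are tried top to bottom, and the first full match applies a terminating
# target (REDIRECT/DNAT). The rewritten packet is NOT re-run through the chain.

ROUTER_LOCAL = "router-local"  # REDIRECT rewrites the destination to the router itself (assumed label)

@dataclass
class Rule:
    target: str                    # "REDIRECT" or "DNAT"
    dport: int                     # --dport
    to: str                        # REDIRECT: --to-port, DNAT: --to-destination ip:port
    proto: str = "tcp"             # -p
    in_iface: Optional[str] = None # -i; None means the rule matches any interface

@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dport: int

def apply_target(rule: Rule) -> tuple[str, int]:
    if rule.target == "REDIRECT":
        return ROUTER_LOCAL, int(rule.to)
    if rule.target == "DNAT":
        ip, port = rule.to.rsplit(":", 1)
        return ip, int(port)
    raise ValueError(f"unknown target {rule.target}")

def prerouting(rules: list[Rule], pkt: Packet) -> tuple[str, int]:
    """Return (destination host, port) after walking the nat PREROUTING chain."""
    for rule in rules:
        if rule.proto != pkt.proto or rule.dport != pkt.dport:
            continue
        if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
            continue
        return apply_target(rule)      # terminating target: the walk stops here
    return ROUTER_LOCAL, pkt.dport     # no match: the packet is for the router itself

# The asker's two rules, in the order given in the question.
ASKER_RULES = [
    Rule("REDIRECT", dport=10025, to="25"),
    Rule("DNAT", dport=25, to="192.168.1.101:25", in_iface="eth0"),
]
# Same set plus Dan's rule for LAN clients arriving on eth1.
WITH_LAN_RULE = ASKER_RULES + [Rule("DNAT", dport=25, to="192.168.1.101:25", in_iface="eth1")]

if __name__ == "__main__":
    for pkt in (Packet("eth0", "tcp", 10025), Packet("eth0", "tcp", 25), Packet("eth1", "tcp", 25)):
        print(pkt, "->", prerouting(ASKER_RULES, pkt), "| with LAN rule:", prerouting(WITH_LAN_RULE, pkt))
```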
Make SMTP not open to public networks by blocking it with the INPUT chain in iptables.
ASKER
DanCraciun: > it seems that you want to use 192.168.1.101 as your "regular" mail server on port 25 and your router as a hidden mail server on port 10025.
Exactly right!
My setting: iptables -t nat -A PREROUTING -p tcp --dport 10025 -j REDIRECT --to-port 25
worked if I placed it after the DNAT --to-destination entry. I suppose REDIRECT shouldn't be used in this case.
Your --to-destination solution worked and is not position dependent.
Thanks!
ASKER
Sandeep - I'll be posting a question about blocking ports soon. Stay tuned!
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j DNAT --to-destination 192.168.1.101:25 ?
HTH,
Dan