Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 823
  • Last Modified:

NAT problem with IPTABLES

Hi all.
I'm a newbe...
I'm having a problem with my iptables script.
I have no trouble surfing the internet from my internal network (192.168.45.xxx),
but I can not connect my SMTP server 192.168.45.1 from the external network, although I try to NAT him as xxx.yyy.zzz.103.

The external IP address of the FW is xxx.yyy.zzz.101
The internal IP address of the FW is 192.168.45.254
The external IP address of the SMTP SHOULD BE xxx.yyy.zzz.103

Could someone tell me why ?

#!/bin/sh
#

###########################################################################
#
# 1. Configuration options.
#

###########################################################################
#
# Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#

LAN_IP="192.168.45.254"
LAN_IP_RANGE="192.168.45.0"
LAN_BCAST_ADRESS="192.168.45.255"
LAN_IFACE="eth1"

###########################################################################
#
# Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

###########################################################################
#
# Internet Configuration.
#

INET_IP="xxx.yyy.zzz.101"
INET_IFACE="eth0"

###########################################################################
#
# IPTables Configuration.
#

IPTABLES="/sbin/iptables"

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE

#
# Support for owner matching
#
#/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc


###########################################################################
#
# 3. /proc set up.
#
# Enable ip_forward if you have two or more networks, including the
# Internet, that needs forwarding of packets through this box. This is
# critical since it is turned off as default in Linux.
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. IPTables rules set up.
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains.
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#

$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# Do some checks for obviously spoofed IP's
#

$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.45.0 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
$IPTABLES -t nat -A PREROUTING -p tcp -d xxx.yyy.zzz.103 --dport smtp -j DNAT --to 192.168.45.1:25

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# The allowed chain for TCP connections
#

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
#
# UDP ports
#

# nondocumented commenting out of these rules
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

##########################
# INPUT chain
#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

###############################
# OUTPUT chain
#
#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "


0
livni
Asked:
livni
1 Solution
 
ahoffmannCommented:
iptables -A FORWARD -p tcp -d 192.168.45.1 --dport 25 -j ACCEPT
# or add an appropriate rule to one of your private chaines
0
 
SofoxCommented:
Check following settings:

1) on machine 192.168.45.254,
  echo 1 > /proc/sys/net/ipv4/ip_forward
  to enable ip forward
2) on machine 192.168.45.254, ensure following lines are in your firewall script
  iptables -A FORWARD -p tcp -d 192.168.45.1 --dport 25 -j ACCEPT
  iptables -A FORWARD -p tcp -s 192.168.45.1 --sport 25 -j ACCEPT
  iptables -t nat -A PREROUTING -p tcp -d xxx.yyy.zzz.101 --dport 25 -j DNAT --to-destination 192.168.45.1:25
3) on machine 192.168.45.1, make sure default route is via 192.168.45.254

That's all
0
 
jack38Commented:
I had the same problem ....

I agreed with Sofox's anwser.
But, I had 2 mail servers ....
So I need to use another IP for the sencond mail server.

Besides, I tried with iptables 1.2.5 with "ip_range" SNAT
and I could not do it successfully.

ex:
    eth0 (INET_IF) : 1.2.3.1 (1.2.3.0/25)
    eth1 (LAN_IF) :  192.168.0.1 (192.168.0.0/23 : I had
                     2 class C in subnet )
 
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/23 \
-j SNAT --to-source 1.2.3.10-1.2.3.20

iptables -t nat -A PREROUTING -o eth0 -p tcp -d 1.2.3.2 \
--dport 25 -j DNAT --to-destination 192.168.1.1:25

I don't know if routed helps or not ....

Anyone could help ?


     
0
 
SpideyModCommented:
All,
I am unlocking this question in preparation for cleanup.  I will return in 7 days to finalize this question.  Please leave any recommendations for the final state of this question, I will take all recommendations into consideration.  Failing any feedback, I may decide in 7 days to delete or PAQ this question with no refund.  Thanks.

SpideyMod
Community Support Moderator @Experts Exchange
0
 
SpideyModCommented:
PAQ'd

SpideyMod
Community Support Moderator @Experts Exchange
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now