IPTABLES: NAT and FORWARD

Hi,


I am trying to set up a spam filter gateway. We have an iptables firewall running on a Linux box. Our firewall is connected to the public internet and the IP addresses behind the firewall are public too.

So I want to redirect email traffic to the spam filter gateway using iptables.
Currently I am using FORWARD rules to forward my traffic from eth0 to eth1

   e.g.
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 80  -j ACCEPT
    iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 443 -j ACCEPT

However, I assumed I would have to use NAT to redirect emails to the spam gateway.
 
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  iptables -t nat -P PREROUTING DROP
  iptables -t nat -P POSTROUTING DROP

  iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 80  -j ACCEPT
  iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --dport 443 -j ACCEPT

  iptables -A PREROUTING -i eth0 -t nat -p tcp -s 0/0 -d <Public_ip_1> --dport 25 -j DNAT --to-destination <Public_ip_2>:25

1. Can I use FORWARD chain rules and NAT at the same time?
2. Do I need to load NAT modules in /etc/sysconfig/iptables-config?
3. Can I redirect a public IP to a public IP address, or will I have to map public to non-public?
4. What will happen if I do not change the default policy for NAT?
5. How do I list rules for NAT?
6. Do I need to assign an IP address to eth0 (external interface) in order to use NAT?


I enabled NAT today and firewall went down.


Thanks,

Telman
telmanAsked:

telmanAuthor Commented:
iptables -A PREROUTING -i eth0 -t nat -p tcp -s 0/0 -d <Public_ip_1> --dport 25 -j DNAT --to-destination <Public_ip_2>:25


Public_ip_1 & Public_ip_2 are located behind the firewall but they are public IP addresses.


Telman
ahoffmannCommented:
1. yes
2. yes, BUT I'd recommend not using kernel modules for iptables; build all iptables modules statically into your kernel
3. you can redirect whatever to whatever (as long as there's no IP conflict), SNAT and DNAT are your friends here
4. (don't know what you mean here)
5. iptables -L -n -t nat && iptables -L -n -t mangle
6. hmm, not sure here, simply test it
   AFAIK the kernel at least will not catch the packets destined for forwarding (e.g. all those you want to NAT)

why would you not simply use MASQUERADING instead of [SD]NAT? makes things simpler ...
telmanAuthor Commented:
Hi  Ahoffmann,

I think I was confusing myself. Should I not assign a public IP address to my external interface in order to use NAT? Because <Public_ip_1> and <Public_ip_2> are behind the firewall already. Basically I was trying to redirect traffic sent to <Public_ip_1> (which is forwarded from eth0 to eth1) to <Public_ip_2> (which is forwarded from eth0 to eth1). I guess I was wrong, right? Or is it still possible? :)

How do I do this?
-----------------
2. yes, BUT I'd recommend not using kernel modules for iptables; build all iptables modules statically into your kernel
-----------------


Thanks,
Telman
ahoffmannCommented:
> Should I not assign a public IP address to my external interface in order to use NAT?
yes, you should assign an external IP (or get it via DHCP from your ISP)

> Basically I was trying to redirect traffic sent to <Public_ip_1> (which is forwarded from eth0 to eth1) to <Public_ip_2>
this is no problem, something like this (assuming eth0 with <Public_ip_1> and eth1 in the net segment of <Public_ip_2>):
iptables -t nat -A PREROUTING -i eth0 -p tcp  -j DNAT   --to <Public_ip_2>
iptables        -A INPUT      -i eth0 -p tcp  -j ACCEPT  -d  <Public_ip_2>
iptables        -A INPUT      -i eth1 -j ACCEPT
iptables        -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

2. .. build all iptables modules statically into your kernel
> How do I do this?
you need to rebuild your kernel.
go to the /usr/src/linux dir, start
  make menuconfig
and select Y instead of M for netfilter/iptables (and all its parts)
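As an added example (not code from the thread), this is the rule set I would deploy for the port-25 redirect discussed above, written as a dry-run script: interface names and the two addresses are placeholders, and the accept rule for the redirected flow goes in FORWARD (not INPUT) and must match the post-DNAT destination <Public_ip_2>, because that is the address the FORWARD chain sees.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (DRY_RUN=1, the default) or
# applies (DRY_RUN=0, as root) the nat + filter rules that send inbound SMTP
# for <Public_ip_1> to the spam gateway <Public_ip_2> and let the flow and its
# replies through. All names and addresses below are assumed placeholders.

EXT_IF="${EXT_IF:-eth0}"          # external interface (assumed)
INT_IF="${INT_IF:-eth1}"          # interface toward the protected segment (assumed)
MX_IP="${MX_IP:-198.51.100.10}"   # constructed stand-in for <Public_ip_1>
GW_IP="${GW_IP:-198.51.100.25}"   # constructed stand-in for <Public_ip_2>
DRY_RUN="${DRY_RUN:-1}"

smtp_redirect_rules() {
    # The nat table is consulted only for the first packet of a connection, so
    # its chain policies must stay ACCEPT: a DROP policy there discards every
    # new flow that no NAT rule matches, which is the classic "enabled NAT and
    # the firewall went down" symptom. Filtering belongs in the filter table.
    # DNAT rewrites the destination before routing, so the FORWARD chain sees
    # $GW_IP:25, not $MX_IP:25; the 0/0 rules for 80/443 would not cover it.
    cat <<EOF
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $MX_IP --dport 25 -j DNAT --to-destination $GW_IP:25
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $GW_IP --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp --dport 443 -m state --state NEW -j ACCEPT
EOF
}

# Sanity check before applying: both the DNAT target and the FORWARD accept
# must name the gateway, so exactly two generated rules reference $GW_IP.
gateway_rule_count() {
    smtp_redirect_rules | grep -c -- "$GW_IP"
}

apply_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        smtp_redirect_rules
    else
        smtp_redirect_rules | while IFS= read -r rule; do
            eval "$rule" || { echo "failed: $rule" >&2; exit 1; }
        done
    fi
}

apply_rules
```

Verify afterwards with `iptables -L -n -v -t nat` and `iptables -L -n -v` (the -v counters show whether the DNAT and FORWARD rules are actually being hit).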

telmanAuthor Commented:
Hi Ahoffmann,

Thanks!!! This makes sense.

Telman