IPTABLES - Forwarding

Solved

Posted on 2005-03-02
Last Modified: 2010-04-22
Hope I am in the right area?  I am attempting to route, relay or forward packets from my email server to an email filtering server.  Currently, I have a Red Hat ES with two NICs acting as my email server.  The first NIC, "LAN_INTERFACE", is connected to my LAN.  The second NIC, "EXT_INTERFACE", is connected to the Internet.  At this point, all is well: email comes in via the "EXT_INTERFACE" and gets forwarded to the LAN side via the "LAN_INTERFACE".  I also have iptables running on this system.  Listed below is a portion of my firewall script, which was copied and slightly modified to fit our needs.

# Variables used below but not shown in this excerpt (UNPRIVPORTS,
# MAIL_SERVER) are defined earlier in the full script.
LAN_INTERFACE="eth0"
EXT_INTERFACE="eth1"
LOOPBACK_INTERFACE="lo"

EXT_IPADDR="xx.xx.46.20"
EXT_ADDRESSES="xx.xx.46.0/24"
EXT_NETWORK="xx.xx.46.0"
EXT_BROADCAST="xx.xx.46.255"
GATEWAY_IPADDR="xx.xx.46.1"

ANYWHERE="any/0"
LAN="yy.yy.0.0/8"

LAN_IPADDR="yy.yy.98.5"
LAN_ADDRESSES="yy.yy.98.0/24"

#######################################################################
#  Internal:  Incoming SMTP (TCP Port 25)                             #
#######################################################################
iptables -A INPUT -i $LAN_INTERFACE -p tcp \
         -s $LAN --sport $UNPRIVPORTS \
         -d $LAN_IPADDR --dport 25 -j ACCEPT

iptables -A OUTPUT -o $LAN_INTERFACE -p tcp \
         -s $LAN_IPADDR --sport 25 \
         -d $LAN --dport $UNPRIVPORTS -j ACCEPT

 
#######################################################################
#  External:  Incoming SMTP (TCP Port 25)                             #
#######################################################################
iptables -A INPUT -i $EXT_INTERFACE -p tcp \
         -s $ANYWHERE --sport $UNPRIVPORTS \
         -d $EXT_IPADDR --dport 25 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
         -d $ANYWHERE --dport $UNPRIVPORTS \
         -s $EXT_IPADDR --sport 25 -j ACCEPT
 

#######################################################################
#  External:  Outgoing SMTP (TCP Port 25)                             #
#######################################################################
iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
         -s $EXT_IPADDR --sport $UNPRIVPORTS \
         -d $ANYWHERE --dport 25 \
         -m state --state NEW -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE -p tcp \
         -d $EXT_IPADDR --dport $UNPRIVPORTS \
         -s $ANYWHERE --sport 25 \
         -m state --state ESTABLISHED -j ACCEPT


iptables -A FORWARD -i $EXT_INTERFACE -o $LAN_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS \
         -d $MAIL_SERVER --dport 25 \
         -m state --state NEW -j ACCEPT


My email server is running Sendmail.  The problem now is that the email filtering application is running on Windows 2000 Server.  I was informed by the vendor that I need to relay or forward all SMTP packets prior to hitting my POP server.  This filtering server only has one NIC, with a private IP address (yy.yy.98.54) located in the same segment as the "LAN_INTERFACE".  It was suggested that I use iptables with DNAT.  Unfortunately, the last time I looked at my iptables script was a year ago.  Does anybody have any suggestions as to how I can pass SMTP packets through another server and then back?  Any sample code is greatly appreciated.

Thank you in advance for your time on this matter.
Question by: CVCB-NetAdmin

7 Comments

Expert Comment

by:jlevie
ID: 13446882
Add:

iptables -t nat -A PREROUTING -i $EXT_INTERFACE -p tcp --dport 25 -j DNAT --to yy.yy.n.n

where yy.yy.n.n is the IP of the machine running the mail filter.

Author Comment

by:CVCB-NetAdmin
ID: 13447141
Excuse my ignorance, but iptables is a somewhat difficult subject for me.  Does this command go before the first section of the SMTP filtering?

Again, thank you for your time on this matter.

Expert Comment

by:ahoffmann
ID: 13447441
It should replace the last iptables rule you posted (the one with the FORWARD chain).

Author Comment

by:CVCB-NetAdmin
ID: 13454310
Removed the line below:

iptables -A FORWARD -i $EXT_INTERFACE -o $LAN_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS \
         -d $MAIL_SERVER --dport 25 \
         -m state --state NEW -j ACCEPT

Replaced it with:

iptables -t nat -A PREROUTING -i $EXT_INTERFACE -p tcp --dport 25 -j DNAT --to yy.yy.n.n

Restarted my server, and packets didn't get forwarded.  I do have the additional lines below that I thought might be causing the packets not to be forwarded.  These lines are located at the very top, prior to any SMTP manipulation.  But this should not have any effect, right?  Any other suggestions?

Again, thank you for your time on this matter.

#######################################################################
#  Refuse spoofed packets pretending to be from you                   #
#######################################################################
iptables -A INPUT -s $EXT_IPADDR -j DROP
iptables -A INPUT -s $LAN_IPADDR -j DROP

iptables -A FORWARD -s $EXT_IPADDR -j DROP
iptables -A FORWARD -s $LAN_IPADDR -j DROP

iptables -A INPUT -i $EXT_INTERFACE -s $LAN_ADDRESSES -j DROP
iptables -A FORWARD -i $EXT_INTERFACE -s $LAN_ADDRESSES -j DROP

iptables -A FORWARD -i $LAN_INTERFACE -s ! $LAN_ADDRESSES -j DROP

iptables -A OUTPUT -o $EXT_INTERFACE -s ! $EXT_IPADDR -j DROP
iptables -A OUTPUT -o $LAN_INTERFACE -s ! $LAN_IPADDR -j DROP


Expert Comment

by:ahoffmann
ID: 13454462
> iptables -A FORWARD -i $LAN_INTERFACE -s ! $LAN_ADDRESSES -j DROP
This line drops your packets; they never reach the nat table.

Author Comment

by:CVCB-NetAdmin
ID: 13454697
Okay.  So, when a packet reaches this line: "iptables -t nat -A PREROUTING -i $EXT_INTERFACE -p tcp --dport 25 -j DNAT --to yy.yy.n.n", and this line is located in the middle of my firewall script, does the packet get re-evaluated again from the top?  If not, what can I use or do to trace what is going on when a packet arrives at my "EXT_INTERFACE"?

Again, thank you!

Accepted Solution

by: ahoffmann (earned 1500 total points)
ID: 13454846
Hmm, I think you should get more used to iptables chains :-)
Packets go through PREROUTING, then INPUT if they are for the host itself.
They go through PREROUTING, then FORWARD, then OUTPUT and then POSTROUTING if they are forwarded.

Rules are checked in definition order until the first rule matches (not explaining some exceptions here).
So if you use -A when building the rules, they are appended at the end of the corresponding chain.
If you want a specific order you have to ensure it by using your preferred sequence of iptables -A calls, or you need to insert them at a specific position using -I instead of -A.

> ..does the packet get re-evaluated again from the top?
Now you see that this is the wrong question.

> what can I use or do to trace what is going on when a packet arrives
tcpdump -l -n -i EXT_INTERFACE
tcpdump -l -n -i LAN_INTERFACE
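Added example, not code from the thread or from either expert: a bash fragment that puts jlevie's DNAT rule together with the other pieces a working redirect needs, and adds a tracing helper for the chain-order and tcpdump points in the accepted answer. Variable names follow the question's script; FILTER_IPADDR (the yy.yy.98.54 filter box from the question) is an assumption, and the xx.xx/yy.yy addresses are the question's placeholders, to be replaced with real ones. The netfilter order it relies on: a packet arriving on EXT_INTERFACE is seen by nat/PREROUTING first, then the routing decision is made, and only then does it enter filter/INPUT (if it is for this host) or filter/FORWARD and nat/POSTROUTING (if it is being forwarded). So once the DNAT rule has rewritten the destination to the filter host, the packet is a forwarded packet: it needs an ACCEPT in FORWARD for the new destination, net.ipv4.ip_forward must be on, and the filter host must route its replies back through this box. Without APPLY=1 the script only prints the commands it would run, so it can be reviewed before it touches a live firewall.

```shell
#!/bin/bash
# Added example (not code from the thread): DNAT inbound SMTP on the external
# interface to a filtering host on the LAN segment, plus a tracing helper.
# Variable names follow the question's script; FILTER_IPADDR is an assumption
# (the yy.yy.98.54 Windows filter box from the question).  The xx.xx/yy.yy
# addresses are the question's placeholders: substitute real ones.
#
#   ./smtp-dnat.sh                  print the commands that would run (dry run)
#   APPLY=1 ./smtp-dnat.sh          load the rules
#   APPLY=1 ./smtp-dnat.sh trace    show rule counters and sniff both legs
set -u

LAN_INTERFACE="eth0"
EXT_INTERFACE="eth1"
EXT_IPADDR="xx.xx.46.20"      # public address the MX record points at
LAN_IPADDR="yy.yy.98.5"       # Sendmail listens here; the filter relays back to it
FILTER_IPADDR="yy.yy.98.54"   # assumed: the filtering host, same segment as eth0

if [ "${APPLY:-0}" = "1" ]; then
    IPT="iptables"; SYSCTL="sysctl"; TCPDUMP="tcpdump"
else
    IPT="echo iptables"; SYSCTL="echo sysctl"; TCPDUMP="echo tcpdump"
fi

enable_forwarding() {
    # With ip_forward off the kernel discards transit packets and the
    # FORWARD chain is never consulted at all.
    $SYSCTL -w net.ipv4.ip_forward=1
}

add_smtp_dnat_rules() {
    # 1. nat/PREROUTING is traversed before the routing decision, i.e. before
    #    the kernel chooses between INPUT and FORWARD and before any filter
    #    rule sees the packet.  Matching -d EXT_IPADDR limits the rewrite to
    #    mail actually addressed to this box.
    $IPT -t nat -A PREROUTING -i "$EXT_INTERFACE" -p tcp \
         -d "$EXT_IPADDR" --dport 25 \
         -j DNAT --to-destination "$FILTER_IPADDR"

    # 2. After the rewrite the packet is routed out LAN_INTERFACE and goes
    #    through filter/FORWARD, which sees the NEW destination.  This rule
    #    must sit before any catch-all DROP appended to FORWARD; use
    #    "-I FORWARD 1" instead of -A if such a rule is already loaded.
    $IPT -A FORWARD -i "$EXT_INTERFACE" -o "$LAN_INTERFACE" -p tcp \
         -d "$FILTER_IPADDR" --dport 25 \
         -m state --state NEW -j ACCEPT

    # 3. Replies from the filter host arrive on LAN_INTERFACE; conntrack
    #    reverses the DNAT on them automatically, the filter chain only has to
    #    pass the established flow in both directions.  For that to work the
    #    filter host's default gateway must be LAN_IPADDR, so that its replies
    #    cross this box and not some other router.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Clean mail then goes from the filter host to LAN_IPADDR:25, which the
    # "Internal: Incoming SMTP" INPUT rule in the question already accepts.
}

trace_smtp() {
    # Packet counters show which rule a packet hit (or failed to hit);
    # --line-numbers gives the positions that -I and -D refer to.
    $IPT -t nat -L PREROUTING -n -v
    $IPT -L FORWARD -n -v --line-numbers
    # One connection, two legs: outside it is addressed to EXT_IPADDR, inside
    # (after DNAT) to FILTER_IPADDR.  -c stops each capture after 20 packets.
    $TCPDUMP -l -n -c 20 -i "$EXT_INTERFACE" "tcp port 25 and host $EXT_IPADDR"
    $TCPDUMP -l -n -c 20 -i "$LAN_INTERFACE" "tcp port 25 and host $FILTER_IPADDR"
}

case "${1:-rules}" in
    rules) enable_forwarding; add_smtp_dnat_rules ;;
    trace) trace_smtp ;;
    *)     echo "usage: $0 [rules|trace]" >&2; exit 2 ;;
esac
```

The DNAT line is the one from jlevie's comment with the destination pinned to EXT_IPADDR; the two FORWARD lines and the sysctl are what the one-liner leaves implicit. Note that the DNAT rule takes external mail away from Sendmail on this host entirely: the "External: Incoming SMTP" INPUT rule in the question no longer matches anything, and the only SMTP Sendmail then receives is what the filter host relays to LAN_IPADDR.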