IPtables Forwarding and Logging

Dear Experts,
I need to forward all POP requests received on my external server to my local server.

Here are my iptables settings.

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to 172.16.0.80:80
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.80 --dport 80 -j SNAT --to 172.16.0.100
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 110 -j SNAT --to 172.16.0.100
iptables -A FORWARD -d 172.16.0.80 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 172.16.0.80 -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s 172.16.0.25 -p tcp --sport 110 -j ACCEPT

1.1.1.1 is the external IP of my firewall server.
172.16.0.100 is the local IP of the firewall server.
172.16.0.80 is the IP of my web server.
172.16.0.25 is the IP of the mail server.

The firewall server is running FC4 with SELinux enabled.
The remaining servers are running Red Hat Linux 9.


Web traffic is routed normally, but the POP requests can't be forwarded to the local server.

I don't know what's wrong. One more thing: I can't see any logging regarding iptables. How do I enable logging through which I can trace where the problem exists?

Please help.


aatif786 (Cloud Infrastructure Architect) asked:
kiitii commented:
Hi,

Try removing these 2 lines:
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.80 --dport 80 -j SNAT --to 172.16.0.100
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 110 -j SNAT --to 172.16.0.100

Normally, you only need PREROUTING rules when you are hosting, for example, FTP, WEB, MAIL, POP3 or IMAP4.
POSTROUTING rules are usually for when users in the LAN want to go out to the internet.

Hope this helps
aatif786 (Cloud Infrastructure Architect, author) commented:
Dear Kitti,

It doesn't help. I removed the POSTROUTING rules, but there is still no change.

Anyway, thanks for the help.
kiitii commented:
Try changing this line from:
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110

To:
iptables -t nat -A PREROUTING -p tcp --dport 110 -i eth1 -d 1.1.1.1 -j DNAT --to 172.16.0.25:110


And also change these 2 lines:
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s 172.16.0.25 -p tcp --sport 110 -j ACCEPT

To:
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT

I guess your FORWARD chain is blocking the access. Try opening up all port 110 connections first. Then we can block them later.

Good Luck
XoF commented:
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -I PREROUTING -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to 172.16.0.80:80
iptables -t nat -I PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110
iptables -I FORWARD -d 172.16.0.80 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT

This should be enough for what you want. If it doesn't work, please post the output of:
iptables -Lnv
iptables -t nat -Lnv
iptables -t mangle -Lnv

HTH,

-XoF-

aatif786 (Cloud Infrastructure Architect, author) commented:
Hi XoF,

It's great. It's working now. But please, please tell me where I was wrong. And one more thing: I will give you full points when you tell me how to check where the problem is, I mean how to check the log for iptables.

Thanks anyway.

XoF commented:
Regarding logs:
iptables will only write logs when you tell it to do so by using the LOG target. It won't write error logs. So the only debugging options are:
- manually fire one rule after the other and watch stderr
- iptables -Lnv
- brain ;-)

What was wrong:
Hard to define. The first thing has already been mentioned by kiitii:
You only have to define port forwarding and access rules for one direction (the direction used for establishing a connection). The way back is automagically handled by the state engine.
What makes my suggestion different from kiitii's is the use of the -I option instead of -A. I'd guess that you already had deny/deny-all rules in your setup, so that your FORWARD rules never came into action. The -I inserts the rules at the top of the ruleset, so you can be sure that the rules do not interfere with already existing rules...

You can verify my assumption by changing my ruleset to:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to 172.16.0.80:80
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110
iptables -A FORWARD -d 172.16.0.80 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT

If these rules do not work, the problem was just the order...
regards,

-XoF-
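As an added example, not code from the thread or from any of the posters, the script below builds the ruleset the way XoF's explanation describes (rules for the connection-opening direction only, replies left to the state engine, ACCEPT rules placed before the catch-all DROP), adds the LOG target XoF says iptables needs before it writes anything, and includes a helper that summarises the resulting kernel log lines. Addresses are the thread's; eth1 as the external interface, the "FWD-DROP: " prefix and the sample log lines are assumptions or constructed. Run it with IPT="echo iptables" to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not the thread's own code): DNAT port forwarding with state
# tracking, an explicit LOG rule before the DROP policy, and a log summariser.
# Assumptions: eth1 faces the Internet, eth0 the LAN; prefix "FWD-DROP: ".
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth1}"     # assumption: eth1 is the external interface
EXT_IP="1.1.1.1"             # external address of the firewall (from thread)
WEB="172.16.0.80"            # internal web server (from thread)
MAIL="172.16.0.25"           # internal POP3 server (from thread)

forward_rules() {
    # Hide the LAN behind the external address on the way out.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # DNAT only what arrives on the external interface for the published ports.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 80 -j DNAT --to-destination "$WEB:80"
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 110 -j DNAT --to-destination "$MAIL:110"
    # Reply traffic of any accepted connection: this replaces the --sport rules.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Connection-opening direction only. FORWARD sees the packet after
    # PREROUTING, so the destination to match is the internal server, not 1.1.1.1.
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$WEB" --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$MAIL" --dport 110 -m state --state NEW -j ACCEPT
    # iptables logs nothing on its own: LOG what is about to be dropped, rate
    # limited so a burst cannot flood the kernel log, then set the policy.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: " --log-level 4
    $IPT -P FORWARD DROP
}

# Counters are the other debugging aid XoF names: -v shows how many packets
# hit each rule, --line-numbers shows the order the rules are evaluated in.
show_forward_counters() {
    $IPT -L FORWARD -nv --line-numbers
    $IPT -t nat -L PREROUTING -nv --line-numbers
}

# Summarise LOG lines read from stdin: one line per "in-interface destination
# port" with a hit count. A dropped packet showing DST=172.16.0.25 DPT=110
# proves the DNAT rule fired and the FORWARD chain is what blocks it; no
# port-110 line at all means the packet never reached FORWARD.
log_summary() {
    awk '/FWD-DROP:/ {
            in_if = dst = dpt = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^IN=/)  in_if = substr($i, 4)
                if ($i ~ /^DST=/) dst   = substr($i, 5)
                if ($i ~ /^DPT=/) dpt   = substr($i, 5)
            }
            count[in_if " " dst " " dpt]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample of what the LOG rule above writes via klogd/syslog
# (not real captured output).
sample_log() {
    cat <<'EOF'
Mar  3 10:01:02 fw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=203.0.113.5 DST=172.16.0.25 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:05 fw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=203.0.113.5 DST=172.16.0.25 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=51235 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:02:17 fw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=172.16.0.80 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:02:20 fw sshd[2231]: Accepted password for admin from 172.16.0.7 port 4242 ssh2
EOF
}

if [ "${1:-}" = "demo" ]; then
    IPT="echo iptables"
    forward_rules
    sample_log | log_summary
fi
```

Running `sh script.sh demo` prints the eight commands and then the summary `eth1 172.16.0.25 110 2` / `eth1 172.16.0.80 22 1`, which is the reading you want: port 110 packets did get rewritten to the mail server and were then refused by FORWARD, so the fix belongs in that chain, not in the nat table. The `-m state` match is the one available on kernels of the FC4 era; on current kernels `-m conntrack --ctstate` is the equivalent. With a real firewall, `show_forward_counters` after a failed connection attempt tells you the same thing from the packet counters without any logging at all.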