
IPtables Forwarding and Logging

Dear Experts,
I need to forward all POP requests received on my external server to my local server.

Here is my iptables settings.

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to 172.16.0.80:80
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.80 --dport 80 -j SNAT --to 172.16.0.100
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 110 -j SNAT --to 172.16.0.100
iptables -A FORWARD -d 172.16.0.80 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 172.16.0.80 -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s 172.16.0.25 -p tcp --sport 110 -j ACCEPT

1.1.1.1 is the external IP of the firewall server
172.16.0.100 is the local IP of the firewall server
172.16.0.80 is the IP of my web server
172.16.0.25 is the IP of the mail server

The firewall server is running FC4 with SELinux enabled.
The remaining servers are running Red Hat Linux 9.


Web traffic is routed normally, but the POP requests can't be forwarded to the local server.

I don't know what's wrong. One more thing: I can't see any logging regarding iptables. How do I enable logging so I can trace where the problem is?

Please help.


kiitii commented:
Hi,

Try removing these 2 lines:
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.80 --dport 80 -j SNAT --to 172.16.0.100
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 110 -j SNAT --to 172.16.0.100

Normally, you only need PREROUTING rules when you are hosting, for example, FTP, web, mail, POP3 or IMAP4.
POSTROUTING rules are usually for when users in the LAN want to go out to the internet.

Hope this helps
aatif786 (Cloud Infrastructure Architect, Author) commented:
Dear Kitti,

It didn't help. I removed the POSTROUTING rules, but still no change.

Anyway, thanks for the help.

kiitii commented:
Try changing this line from:
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110

To:
iptables -t nat -A PREROUTING -p tcp --dport 110 -i eth1 -d 1.1.1.1 -j DNAT --to 172.16.0.25:110


And also change these 2 lines:
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s 172.16.0.25 -p tcp --sport 110 -j ACCEPT
to:
iptables -A FORWARD -p tcp --dport 110  -j ACCEPT
iptables -A FORWARD -p tcp --sport 110  -j ACCEPT

I guess your FORWARD chain is blocking the access. Try opening up all port 110 connections first. Then we block it later.

Good Luck
XoF commented:
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -I PREROUTING -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to 172.16.0.80:80
iptables -t nat -I PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110
iptables -I FORWARD -d 172.16.0.80 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT

This should be enough for what you want. If it doesn't work, please post the output of:
iptables -Lnv
iptables -t nat -Lnv
iptables -t mangle -Lnv

HTH,

-XoF-
aatif786 (Cloud Infrastructure Architect, Author) commented:
Hi XoF,

It's great. It's working now. But please, please tell me where I was wrong. And one more thing: I will give you full points when you tell me how to check where the problem is, I mean how to check the log for iptables.

Thanks anyway.

XoF commented:
Regarding logs:
iptables will only write logs when you tell it to do so by using the LOG target. It won't write error logs. So the only debugging options are:
- manually fire one rule after the other and watch stderr
- iptables -Lnv
- brain ;-)

What was wrong:
Hard to define. The first thing has already been mentioned by kiitii:
You only have to define port forwarding and access rules for one direction (the direction used for establishing the connection). The way back is automagically done by the state engine.
What makes my suggestion different from kiitii's is the use of the -I option instead of -A. I'd guess that you already had deny/deny-all rules in your setup, so that your FORWARD rules didn't come into action anymore. -I inserts the rules at the top of the ruleset, so you can be sure that the rules do not interfere with already existing rules....

You can verify my assumption by changing my ruleset to:


iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to 172.16.0.80:80
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110
iptables -A FORWARD -d 172.16.0.80 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT


If these rules do not work, the problem was just the order....


regards,

-XoF-
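As an added example (not code from XoF or anyone else in this thread), the script below puts XoF's two debugging options together for the POP3 case: it emits the forwarding rules with a rate-limited LOG rule in front of each, then reads the packet counters from saved `iptables -Lnv` output to tell whether the DNAT fired but the FORWARD chain dropped the session. It assumes eth1 is the external interface (as in kiitii's rule); the listings at the bottom are constructed, not captured from the asker's firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: emit POP3 forwarding rules with LOG
# rules in front of them, then read counters from saved `iptables -Lnv` output.
EXT_IF=eth1            # assumption: eth1 is the external interface
EXT_IP=1.1.1.1
MAIL_IP=172.16.0.25
POP_PORT=110

# Rules in the order to run them (as root). -I puts each rule on top of the chain,
# so the LOG rules, inserted last, end up first. ESTABLISHED handles the way back.
pop_forward_rules() {
    cat <<EOF
iptables -t nat -I PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport $POP_PORT -j DNAT --to-destination $MAIL_IP:$POP_PORT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD -i $EXT_IF -p tcp -d $MAIL_IP --dport $POP_PORT -j ACCEPT
iptables -I FORWARD -i $EXT_IF -p tcp -d $MAIL_IP --dport $POP_PORT -m limit --limit 5/min -j LOG --log-prefix "FWD-POP3: "
iptables -t nat -I PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport $POP_PORT -m limit --limit 5/min -j LOG --log-prefix "NAT-POP3: "
EOF
}

# Sum the pkts column of every rule line (stdin, `iptables -Lnv` format) matching
# pattern $1. K/M-suffixed counters truncate to leading digits: enough for zero/non-zero.
rule_packets() {
    awk -v pat="$1" '$0 ~ pat && $1 ~ /^[0-9]+[KMG]?$/ { n += $1 } END { print n + 0 }'
}

# DNAT hits with no FORWARD ACCEPT hits means translation works and the FORWARD
# chain (an earlier DROP, as XoF suspected) blocks it. $1 = nat listing, $2 = FORWARD.
diagnose_pop() {
    nat_hits=$(printf '%s\n' "$1" | rule_packets "DNAT.*dpt:$POP_PORT")
    fwd_hits=$(printf '%s\n' "$2" | rule_packets "ACCEPT.*$MAIL_IP.*dpt:$POP_PORT")
    if [ "$nat_hits" -eq 0 ]; then echo "no-dnat-hits"
    elif [ "$fwd_hits" -eq 0 ]; then echo "dnat-ok-forward-blocked"
    else echo "forwarding-ok"; fi
}

# Constructed listings standing in for `iptables -t nat -Lnv` and `iptables -Lnv`.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 300 packets, 20000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 LOG        tcp  --  eth1   *       0.0.0.0/0            1.1.1.1              tcp dpt:110 LOG flags 0 level 4 prefix "NAT-POP3: "
   14   840 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.1              tcp dpt:110 to:172.16.0.25:110
   52  3120 DNAT       tcp  --  *      *       0.0.0.0/0            1.1.1.1              tcp dpt:80 to:172.16.0.80:80'
SAMPLE_FWD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            172.16.0.25          tcp dpt:110'

pop_forward_rules
diagnose_pop "$SAMPLE_NAT" "$SAMPLE_FWD"   # dnat-ok-forward-blocked
```

On a live box, feed `iptables -t nat -Lnv` and `iptables -Lnv` output into diagnose_pop and watch the kernel log (dmesg or /var/log/messages) for the FWD-POP3 and NAT-POP3 prefixes.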