IPtables Forwarding and Logging

Dear Experts,
I need to forward all POP requests received on my external server to my local server.

Here are my iptables settings.

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to 172.16.0.80:80
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.80 --dport 80 -j SNAT --to 172.16.0.100
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 110 -j SNAT --to 172.16.0.100
iptables -A FORWARD -d 172.16.0.80 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 172.16.0.80 -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s 172.16.0.25 -p tcp --sport 110 -j ACCEPT

1.1.1.1 is the external IP of the firewall server
172.16.0.100 is the local IP of the firewall server
172.16.0.80 is the IP of my web server
172.16.0.25 is the IP of the mail server

The firewall server is running FC4 with SELinux enabled.
The remaining servers are running Red Hat Linux 9.


Web traffic is routed normally, but the POP requests can't be forwarded to the local server.

I don't know what's wrong. One more thing: I can't see any logging regarding iptables. How do I enable logging so that I can trace where the problem is?

Please help.


Asked by aatif786

1 Solution

kiitii commented:
Hi,

Try removing these 2 lines:
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.80 --dport 80 -j SNAT --to 172.16.0.100
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 110 -j SNAT --to 172.16.0.100

Normally you only need PREROUTING rules when you are hosting, for example, FTP, web, mail, POP3 or IMAP4.
POSTROUTING rules are usually for when users in the LAN want to go out to the internet.

Hope this helps.

aatif786 (Author) commented:
Dear Kitti,

It didn't help. I removed the POSTROUTING rules but still no change.

Anyway, thanks for the help.

kiitii commented:
Try changing this line from:
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110

To:
iptables -t nat -A PREROUTING -p tcp --dport 110 -i eth1 -d 1.1.1.1 -j DNAT --to 172.16.0.25:110


And also change these 2 lines:
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s 172.16.0.25 -p tcp --sport 110 -j ACCEPT

To:
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT

I guess your FORWARD chain is blocking the access. Try opening up all port 110 connections first; we can block them later.

Good luck.
XoF commented:
iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -I PREROUTING -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to 172.16.0.80:80
iptables -t nat -I PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110
iptables -I FORWARD -d 172.16.0.80 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT

This should be enough for what you want. If it doesn't work, please post the output of:
iptables -Lnv
iptables -t nat -Lnv
iptables -t mangle -Lnv

HTH,

-XoF-
aatif786 (Author) commented:
Hi XoF,

It's great. It's working now. But please tell me where I was wrong. And one more thing: I will give you full points when you tell me how to check where the problem is, I mean how to check the log for iptables.

Thanks any way.

XoF commented:
Regarding logs:
iptables will only write logs when you tell it to do so by using the LOG target. It won't write error logs. So the only debugging options are:
- manually fire one rule after the other and watch stderr
- iptables -Lnv
- brain ;-)

What was wrong:
Hard to define. The first thing has already been mentioned by kiitii:
You only have to define port forwarding and access rules for one direction (the direction used to establish the connection). The way back is handled automagically by the state engine.
What makes my suggestion different from kiitii's is the use of the -I option instead of -A. I'd guess that you already had deny/deny-all rules in your setup, so that your FORWARD rules didn't come into action anymore. -I inserts the rules at the top of the ruleset, so you can be sure that the rules do not interfere with already existing rules....

You can verify my assumption by changing my ruleset to:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to 172.16.0.80:80
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110
iptables -A FORWARD -d 172.16.0.80 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT


If these rules do not work, the problem was just the order....


regards,

-XoF-
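XoF's two answers above (the ruleset covering only the connection-opening direction, and the note that iptables logs nothing unless a LOG rule is present) leave the practical part unshown. The script below is an added example, not code from any poster in this thread: it inserts rate-limited LOG rules at the head of nat PREROUTING and FORWARD for the POP3 forward in the question and lists both chains with packet counters and line numbers, so a DROP or REJECT sitting above the port-110 ACCEPT becomes visible. The addresses come from the question and eth1 is assumed to be the external interface (as the MASQUERADE rule implies); the DRY_RUN guard, the run helper and the log prefixes are this example's own assumptions.

```shell
#!/bin/sh
# Added example: trace the DNAT'ed POP3 forward from the question with LOG rules
# and expose rule order. Addresses/interface come from the question; the DRY_RUN
# guard, run() helper and log prefixes are this example's own assumptions.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 as root applies them.
EXT_IP=1.1.1.1
POP_SRV=172.16.0.25
EXT_IF=eth1

run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# -I ... 1 puts each LOG rule at the head of its chain, so an existing DROP or
# REJECT further down cannot shadow it; -m limit keeps the kernel log readable.
pop3_log_rules() {
    # nat PREROUTING sees only the first packet of a new connection, before DNAT
    run iptables -t nat -I PREROUTING 1 -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 110 \
        -m limit --limit 5/min -j LOG --log-prefix "POP3-PRE: "
    # FORWARD sees every packet after DNAT, now addressed to the mail server
    run iptables -I FORWARD 1 -p tcp -d "$POP_SRV" --dport 110 \
        -m limit --limit 5/min -j LOG --log-prefix "POP3-FWD: "
    # the reply direction shows whether the mail server answered at all
    run iptables -I FORWARD 1 -p tcp -s "$POP_SRV" --sport 110 \
        -m limit --limit 5/min -j LOG --log-prefix "POP3-REPLY: "
}

# Counters plus line numbers: a DROP/REJECT listed above the port-110 ACCEPT
# whose pkts column grows during a test is the ordering problem XoF describes.
show_chains() {
    run iptables -t nat -L PREROUTING -n -v --line-numbers
    run iptables -L FORWARD -n -v --line-numbers
}

pop3_log_rules
show_chains
# Next, open a fresh POP3 session from outside and read the kernel log, e.g.
#   dmesg | grep 'POP3-'       (or grep 'POP3-' /var/log/messages)
# no POP3-PRE   -> packet never arrived on eth1 with destination 1.1.1.1
# no POP3-FWD   -> DNAT not applied, ip_forward off, or no route to the mail server
# no POP3-REPLY -> the mail server did not answer; check its service and gateway
```

The nat table counts only the first packet of each connection, so re-run the test from a new client connection rather than an existing session when reading the PREROUTING counters.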