aatif786 asked:
IPtables Forwarding and Logging

Dear Experts,
I need to forward all POP requests received on my external server to my local server.

Here are my iptables settings.

# masquerade LAN traffic leaving on the external interface
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# forward inbound web and POP3 connections to the internal servers
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to 172.16.0.80:80
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110
# rewrite the source of the forwarded connections to the firewall's LAN address
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.80 --dport 80 -j SNAT --to 172.16.0.100
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 110 -j SNAT --to 172.16.0.100
# allow the forwarded traffic in both directions
iptables -A FORWARD -d 172.16.0.80 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 172.16.0.80 -p tcp --sport 80 -j ACCEPT
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s 172.16.0.25 -p tcp --sport 110 -j ACCEPT

1.1.1.1 is the external IP of my firewall server.
172.16.0.100 is the local IP of the firewall server.
172.16.0.80 is the IP of my web server.
172.16.0.25 is the IP of the mail server.

The firewall server is running FC4 with SELinux enabled.
The remaining servers are running Red Hat Linux 9.


Web traffic is routed normally, but the POP requests are not forwarded to the local server.

I don't know what's wrong. One more thing: I can't see any logging regarding iptables. How do I enable logging through which I can trace where the problem exists?

Please help.


kiitii:

Hi,

Try removing these 2 lines:
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.80 --dport 80 -j SNAT --to 172.16.0.100
iptables -t nat -A POSTROUTING -p tcp -d 172.16.0.25 --dport 110 -j SNAT --to 172.16.0.100

Normally, you only need PREROUTING rules when you are hosting, for example, FTP, WEB, MAIL, POP3 or IMAP4.
POSTROUTING rules are usually for when users in the LAN want to go out to the internet.

Hope this helps.

aatif786 (asker):

Dear kiitii,

It didn't help. I removed the POSTROUTING rules, but there is still no change.

Anyway, thanks for the help.

Try changing this line from:
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110

To:
iptables -t nat -A PREROUTING -p tcp --dport 110 -i eth1 -d 1.1.1.1 -j DNAT --to 172.16.0.25:110


And also change these 2 lines:
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -s 172.16.0.25 -p tcp --sport 110 -j ACCEPT

To:
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --sport 110 -j ACCEPT

I guess your FORWARD chain is blocking the access. Try opening up all port 110 connections first. Then we can block it later.

Good luck.

XoF (accepted solution, not shown on this page)

aatif786 (asker):

Hi XoF,

It's great. It's working now. But please, please tell me where I was wrong. And one more thing: I will give you full points when you tell me how to check where the problem is, I mean how to check the log for iptables.

Thanks anyway.

XoF:

Regarding logs:
iptables will only write logs when you tell it to do so by use of the LOG target. It won't write error logs. So the only debugging chance is:
- manually fire one rule after the other and watch stderr
- iptables -Lnv
- brain ;-)

What was wrong:
Hard to define. The first thing has already been mentioned by kiitii:
You only have to define port forwarding and access rules for one direction (the direction used for establishing a connection). The way back is automagically done by the state engine.
What makes my suggestion different from kiitii's is the use of the -I option instead of -A. I'd guess that you already had deny/deny-all rules in your setup, so that your FORWARD rules didn't come into action anymore. The -I inserts the rules on top of the ruleset, so you can be sure that the rules do not interfere with already existing rules....

You can verify my assumption by changing my ruleset to:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 80 -j DNAT --to 172.16.0.80:80
iptables -t nat -A PREROUTING -p tcp -d 1.1.1.1 --dport 110 -j DNAT --to 172.16.0.25:110
iptables -A FORWARD -d 172.16.0.80 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 172.16.0.25 -p tcp --dport 110 -j ACCEPT

If these rules do not work, the problem was just the order....


regards,

-XoF-
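To tie the two answers together (one-direction rules plus the state engine, -I so a later deny-all cannot shadow the rules, and a LOG target as the only way to get iptables to log), here is an added example script that is not from the thread or from any of its participants. It assumes, as the thread does, that eth1 is the external interface and that the FC4 kernel has the state, limit and LOG modules; with DRYRUN=1 it prints the commands instead of applying them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread. Forwards external POP3 to the mail server
# and logs each new forwarded connection so the problem can be traced in syslog.
EXT_IF=eth1          # external interface (from the thread's MASQUERADE rule)
EXT_IP=1.1.1.1       # external address of the firewall
POP_HOST=172.16.0.25 # internal mail server

# Wrapper: print the command when DRYRUN=1, otherwise run iptables.
ipt() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

pop_forward_rules() {
    # The way back: let connection tracking accept reply packets, instead of a
    # separate --sport 110 rule (this is the "state engine" XoF refers to).
    ipt -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only NEW connections need an explicit rule. Inserted at position 1 so a
    # deny-all rule already present in FORWARD cannot shadow it (-I, not -A).
    ipt -I FORWARD 1 -i "$EXT_IF" -p tcp -d "$POP_HOST" --dport 110 \
        -m state --state NEW -j ACCEPT
    # LOG is non-terminating, so this rule (now above the ACCEPT) records the
    # packet and the ACCEPT still matches afterwards. The limit match keeps a
    # port scan from flooding syslog. Matches show up in the kernel log
    # (typically /var/log/messages on FC4, or dmesg) with this prefix.
    ipt -I FORWARD 1 -i "$EXT_IF" -p tcp -d "$POP_HOST" --dport 110 \
        -m state --state NEW -m limit --limit 10/min -j LOG \
        --log-prefix "FWD-POP3: " --log-level 4
    # DNAT restricted to the external interface, so LAN clients talking to
    # 1.1.1.1 are not redirected (kiitii's -i eth1 suggestion).
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp -d "$EXT_IP" --dport 110 \
        -j DNAT --to-destination "$POP_HOST":110
}

# Packet and byte counters per rule, the check XoF calls "iptables -Lnv".
show_forward_counters() {
    ipt -L FORWARD -nv --line-numbers
}

# Run with DRYRUN=1 to review the commands, or APPLY=1 (as root) to load them.
if [ "${DRYRUN:-0}" = "1" ] || [ "${APPLY:-0}" = "1" ]; then
    pop_forward_rules
    show_forward_counters
fi
```

After loading the rules, a POP3 connection from outside should increment the counters of the first two FORWARD rules, and `grep FWD-POP3 /var/log/messages` shows the logged SYN with its SRC, DST and DPT fields; no counter increment means the packet never reached the rule (wrong interface or DNAT not matching).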