Solved

Iptables Port Forwarding

Posted on 2006-07-07
349 Views
Last Modified: 2010-03-18
I'm trying to forward the SMTP port for a machine located in the DMZ; below is my script. I have tried to simplify it as much as possible to reduce the possibility of error, but still no success:

#!/bin/bash

IPT=/sbin/iptables
PUBIF="eth0"
PRIVIF="eth1"
PUBIP="81.196.XXX.XXX"
PRIVIP="10.0.0.1/24"

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# flush all chains in the filter, nat and mangle tables
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F

# default policies: everything open while testing
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# masquerade outbound traffic from the private range on the public interface
$IPT -t nat -A POSTROUTING -o $PUBIF -s 10.0.0.0/21 -j MASQUERADE

# rewrite inbound SMTP on the public interface to the DMZ host, then allow the forwarded flow
$IPT -t nat -A PREROUTING -i $PUBIF -p tcp --dport 25 -j DNAT --to 10.0.0.7:25
$IPT -A FORWARD -i $PUBIF -o $PRIVIF -p tcp -d 10.0.0.7 --dport 25 -j ACCEPT

tcpdump gives me:
00:25:36.674163 IP 85.186.xxx.xxx.62752 > 81-196-xxx-xxx.smtp: S 3287938996:3287938996(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 0 0,nop,nop,sackOK>
00:25:39.635597 IP 85.186.xxx.xxx.62752 > 81-196-xxx-xxx.smtp: S 3287938996:3287938996(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 0 0,nop,nop,sackOK>
Question by: cmargoi
10 Comments
 
LVL 1

Author Comment

by: cmargoi
ID: 17067268
Come on .... No hint?
 
LVL 14

Accepted Solution

by:
pablouruguay earned 1000 total points
ID: 17076653
I have this:
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 200.4.28.6  --dport 25 -j DNAT  --to 192.168.1.143:25
iptables -t nat -A PREROUTING  -p tcp -d 200.4.28.6  --dport 25 -j DNAT  --to 192.168.1.143:25
 
LVL 40

Assisted Solution

by: noci
noci earned 1000 total points
ID: 17095326
This is probably a tcpdump from the PUBIF....,
it more or less looks like it should... (nat rules are processed after the pcap capture...)
This is how a packet looks when it enters your machine...., then nat for PREROUTING, then routing etc.

Is there any trace of evidence that packets leave your internal interface? i.e. a tcpdump of the PRIVIF would be nice too.
--

iptables -t nat -L -v

will show numbers between parentheses ( ) that indicate how often a chain is hit (packet count & byte count).
Also in front of a rule is the number of packets/bytes that hit the rule.
Does it increase for the PREROUTING chain? And how about the rule?

In itself there is no problem with the rules AFAICT...
They can be optimized to not hit every matching packet but only trigger on the first tcp packet of a stream and let
the netfilter engine handle the states. (hint: "-m state --state NEW --syn")

--

Did you enable ip_forwarding for the kernel? (disabled by default).
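The three checks noci asks for (does the PREROUTING chain see packets, does the DNAT rule get hit, is ip_forward on) as an added diagnostic script; this is not code from the thread. It assumes the column layout of `iptables -t nat -L PREROUTING -v -n -x`, and the listing it parses here is a constructed sample, so it runs offline.

```shell
#!/bin/bash
# Added example: parse an `iptables -t nat -L PREROUTING -v -n -x` listing and the
# kernel ip_forward flag to answer the three questions raised above.
# Assumption: the -v -n -x layout (pkts and bytes in the first two columns).

# Constructed sample listing, as the asker might paste it (not real output).
SAMPLE_NAT_OUTPUT='Chain PREROUTING (policy ACCEPT 1523 packets, 98210 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       7      420 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:10.0.0.7:25'

# Packets that traversed the chain, taken from the "policy" counter in the chain header.
chain_policy_pkts() {                         # $1 = listing text
    printf '%s\n' "$1" | sed -n 's/^Chain PREROUTING (policy [A-Z]* \([0-9]*\) packets.*/\1/p'
}

# Packet counter of the first DNAT rule matching "dpt:<port>"; prints nothing if absent.
dnat_rule_pkts() {                            # $1 = listing text, $2 = TCP port
    printf '%s\n' "$1" | awk -v port="$2" \
        '$3 == "DNAT" && $0 ~ ("dpt:" port "([^0-9]|$)") { print $1; exit }'
}

# Succeeds when the ip_forward sysctl (or the file given as $1, for testing) reads 1.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# One verdict line combining the counters and the forwarding flag.
diagnose_dnat() {                             # $1 = listing, $2 = port, $3 = ip_forward file (optional)
    chain=$(chain_policy_pkts "$1"); rule=$(dnat_rule_pkts "$1" "$2")
    if [ -z "$rule" ]; then
        echo "no DNAT rule for dpt:$2 in PREROUTING (chain saw $chain packets)"
    elif [ "$rule" -eq 0 ]; then
        echo "rule present but never hit (chain saw $chain packets): check -i interface and -d address"
    elif ! ip_forward_enabled "$3"; then
        echo "rule hit $rule times (chain saw $chain packets) but ip_forward is off"
    else
        echo "rule hit $rule times (chain saw $chain packets), ip_forward on: check FORWARD and the DMZ host"
    fi
}

# Stand-alone run against the constructed sample and the live sysctl.
diagnose_dnat "$SAMPLE_NAT_OUTPUT" 25
```

On a real box, feed it `iptables -t nat -L PREROUTING -v -n -x` output captured before and after a connection attempt; the counters must differ between the two captures for the rule to be considered live.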
 
LVL 14

Expert Comment

by: pablouruguay
ID: 17344144
I disagree. I think it is a split point between noci and me. We gave the solution.
 
LVL 25

Expert Comment

by: Cyclops3590
ID: 17344220
Disagree with what, exactly?
 
LVL 14

Expert Comment

by: pablouruguay
ID: 17344273
Sorry Cyclops. I saw another question of yours with "delete, no refund" and I thought it was this question ... sorry, my fault.

Change "I disagree" to "My suggestion is"

;)
 
LVL 25

Expert Comment

by: Cyclops3590
ID: 17344325
lol.... np.... already replied to that one, btw

I pinged this one because I wanted cmargoi to give some feedback on this, as this issue seems very straightforward to solve to me, and I'm sure you've seen it too: when it seems too straightforward, there is often some other piece of the problem that isn't introduced that is the real culprit.