Solved

Iptables Port Forwarding

Posted on 2006-07-07
Last Modified: 2010-03-18
I'm trying to forward the smtp port for a machine located in the DMZ; below is my script. I have tried to simplify it as much as possible to reduce the possibility of error, but still no success:

#!/bin/bash

IPT=/sbin/iptables
PUBIF="eth0"
PRIVIF="eth1"
PUBIP="81.196.XXX.XXX"
PRIVIP="10.0.0.1/24"

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# clean up
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

$IPT -t nat -A POSTROUTING -o $PUBIF -s 10.0.0.0/21 -j MASQUERADE

$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 10.0.0.7:25
$IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 25 -j ACCEPT

tcpdump gives me:
00:25:36.674163 IP 85.186.xxx.xxx.62752 > 81-196-xxx-xxx.smtp: S 3287938996:3287938996(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 0 0,nop,nop,sackOK>
00:25:39.635597 IP 85.186.xxx.xxx.62752 > 81-196-xxx-xxx.smtp: S 3287938996:3287938996(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 0 0,nop,nop,sackOK>
Question by:cmargoi
10 Comments
 
Author Comment

by:cmargoi
ID: 17067268
Come on .... No hint?
Accepted Solution

by: pablouruguay (earned 250 total points)
ID: 17076653
I have this
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 200.4.28.6  --dport 25 -j DNAT  --to 192.168.1.143:25
iptables -t nat -A PREROUTING  -p tcp -d 200.4.28.6  --dport 25 -j DNAT  --to 192.168.1.143:25
Assisted Solution

by: noci (earned 250 total points)
ID: 17095326
This probably is a tcpdump from the PUBIF....,
it more or less looks like it should... (nat rules are processed after the pcap capture...)
This is how a packet looks when it enters your machine...., then NAT for PREROUTING, then routing etc.

Is there a trace of evidence that packets leave your internal interface? i.e. a tcpdump of the PRIVIF would be nice too.
--

iptables -t nat -L -v

will show numbers between ellipses ( ) that indicate how often a chain is hit (packet count & byte count).
Also in front of a rule is the number of packets/bytes that hit the rule.
Does it increase for the PREROUTING chain? And how about the rule?

In itself there is no problem with the rules AFAICT...
They can be optimized to not hit every matching packet but only trigger on the first tcp packet of a stream and let
the netfilter engine handle the states. (hint: "-m state --state NEW --syn")

--

Did you enable ip_forwarding for the kernel? (disabled by default).
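An added example, not cmargoi's script or anything posted by the experts, that puts the two hints above into one place: the rule set with -d on the DNAT rule, state matching on the first SYN, and ip_forward switched on, plus a small reader for the counters that "iptables -t nat -L -v" prints. The public address 203.0.113.10 and the sample counter output are constructed placeholders; only the DMZ host 10.0.0.7 and port 25 come from the question.

```shell
#!/bin/bash
# Added example, not code from the thread. The public address 203.0.113.10 and the
# counter output below are constructed; 10.0.0.7:25 is the DMZ host from the question.

# Print (do not run) the forwarding set-up for TCP port $5 on $1 to DMZ host $4.
# The DNAT rule carries -d as in pablouruguay's answer; FORWARD accepts only the
# first SYN of a new stream and lets conntrack pass the rest, as noci suggests;
# ip_forward is switched on because the kernel default is off.
pf_rules() {
  local pubif=$1 pubip=$2 privif=$3 dmzhost=$4 port=$5
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $pubif -d $pubip -p tcp --dport $port -j DNAT --to-destination $dmzhost:$port
iptables -A FORWARD -i $pubif -o $privif -p tcp -d $dmzhost --dport $port -m state --state NEW --syn -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Constructed "iptables -t nat -L PREROUTING -v -n" output, captured before and
# after one connection attempt from outside.
NAT_BEFORE='Chain PREROUTING (policy ACCEPT 40 packets, 2400 bytes)
 pkts bytes target prot opt in   out source    destination
    5   300 DNAT   tcp  --  eth0 *   0.0.0.0/0 203.0.113.10  tcp dpt:25 to:10.0.0.7:25'
NAT_AFTER='Chain PREROUTING (policy ACCEPT 41 packets, 2460 bytes)
 pkts bytes target prot opt in   out source    destination
    7   420 DNAT   tcp  --  eth0 *   0.0.0.0/0 203.0.113.10  tcp dpt:25 to:10.0.0.7:25'

# Packet counter (first column) of the first rule whose line matches regex $2.
rule_pkts() { printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { print $1; exit }'; }

# Packets that fell through to the chain policy, i.e. matched no rule at all.
policy_pkts() { printf '%s\n' "$1" | awk '/^Chain/ { print $5; exit }'; }

# Turn the counters into the next thing to check. $1/$2: rule packets before
# and after; $3: 1 if tcpdump on the inside interface showed the forwarded SYN.
nat_verdict() {
  if [ "$2" -le "$1" ]; then
    echo "DNAT rule never matched: check -i, -d and --dport on the PREROUTING rule"
  elif [ "$3" -eq 0 ]; then
    echo "DNAT matched but nothing left the inside interface: check ip_forward and FORWARD"
  else
    echo "gateway forwards: look at the DMZ host and its default route back"
  fi
}

pf_rules eth0 203.0.113.10 eth1 10.0.0.7 25
nat_verdict "$(rule_pkts "$NAT_BEFORE" 'to:10.0.0.7:25')" \
            "$(rule_pkts "$NAT_AFTER" 'to:10.0.0.7:25')" 0
```

Take the two snapshots with a real "iptables -t nat -L PREROUTING -v -n" around one telnet to port 25 from outside and feed them to rule_pkts; the verdict tells you whether the problem is the PREROUTING match or the forwarding behind it.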
Expert Comment

by:pablouruguay
ID: 17344144
I disagree. I think it is a split point between noci and me. We gave the solution.
Expert Comment

by:Cyclops3590
ID: 17344220
Disagree with what, exactly?
Expert Comment

by:pablouruguay
ID: 17344273
Sorry Cyclops. I saw another question with a "delete, no refund" from you and I thought it was this question ... sorry, my fault.

Change "I disagree" to "My suggestion is".

;)
Expert Comment

by:Cyclops3590
ID: 17344325
lol....np....already replied to that one btw

I pinged this one because I wanted cmargoi to give some feedback on this, as this issue seems very straightforward to solve to me, and I'm sure you've seen it too: when it seems too straightforward, there is often some other piece of the problem that isn't introduced that is the real culprit.