Solved

Iptables Port Forwarding

Posted on 2006-07-07
10
335 Views
Last Modified: 2010-03-18
I'm trying to forward smtp port for a machine located in DMZ; below is my script, i have tried to simplify it as much as possibile to reduce the posibility of error but still no success:

#!/bin/bash

IPT=/sbin/iptables
PUBIF="eth0"
PRIVIF="eth1"
PUBIP="81.196.XXX.XXX"
PRIVIP="10.0.0.1/24"

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

#curatam
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

$IPT -t nat -A POSTROUTING -o $PUBIF -s 10.0.0.0/21 -j MASQUERADE

$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 10.0.0.7:25
$IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 25 -j ACCEPT

tcpdump gives me :
00:25:36.674163 IP 85.186.xxx.xxx.62752 > 81-196-xxx-xxx.smtp: S 3287938996:3287938996(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 0 0,nop,nop,sackOK>
00:25:39.635597 IP 85.186.xxx.xxx.62752 > 81-196-xxx-xxx.smtp: S 3287938996:3287938996(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 0 0,nop,nop,sackOK>
0
Comment
Question by:cmargoi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 1

Author Comment

by:cmargoi
ID: 17067268
Common On .... No hint ?
0
 
LVL 14

Accepted Solution

by:
pablouruguay earned 250 total points
ID: 17076653
i have this
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 200.4.28.6  --dport 25 -j DNAT  --to 192.168.1.143:25
iptables -t nat -A PREROUTING  -p tcp -d 200.4.28.6  --dport 25 -j DNAT  --to 192.168.1.143:25
0
 
LVL 40

Assisted Solution

by:noci
noci earned 250 total points
ID: 17095326
This probably is a tcpdump from the PUBIF....,
it more or less looks like it should... (nat rules are processed after the pcap capture...)
This is who a packet looks like when it enters you machine...., then nat for PREROUTING, then routing etc.

Is there a trace of evidence that packets leave your internal interface... ie a tcpdump of the PRIVIF would be nice too.
--

iptables -t nat -L -v

will show numbers between elipses  ( ) that indicate how often a chain is hit (packet count & bytecount).
Also in front of a rule is the number of packets /bytes that hit the rule.
Does it increase for the PREROUTING chain? and how about the rule?

In itself there is no problem with the rules AFAICT...
They can be optimized to not hit every matching packet but only trigger on the first tcp packet for a stream and let
the netfilter engine handle the states. ( hint "-m state --state NEW --syn")

--

Did you enable ip_forwarding?
for the kernel? (disabled by default).
0
Secure Your WordPress Site: 5 Essential Approaches

WordPress is the web's most popular CMS, but its dominance also makes it a target for attackers. Our eBook will show you how to:

Prevent costly exploits of core and plugin vulnerabilities
Repel automated attacks
Lock down your dashboard, secure your code, and protect your users

 
LVL 14

Expert Comment

by:pablouruguay
ID: 17344144
i disagree.  i think is a split point with noci and me. we give the solution
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17344220
Disagree with what exactly.
0
 
LVL 14

Expert Comment

by:pablouruguay
ID: 17344273
sorry Cyclops. i saw other quesion with delete no refund yours and i think is this question ... sorry my fault

change i disagree with My suggestion is  

;)
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17344325
lol....np....already replied to that one btw

I pinged this one because I wanted cmargoi to give some feedback on this as this issue seems very straight forward to solve to me, and I'm sure you've seen it too, when its seems too straight forward, there is often some other piece of the problem that isn't introduced that is the real culprit.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question