Iptables Port Forwarding

I'm trying to forward smtp port for a machine located in DMZ; below is my script, i have tried to simplify it as much as possibile to reduce the posibility of error but still no success:

#!/bin/bash

IPT=/sbin/iptables
PUBIF="eth0"
PRIVIF="eth1"
PUBIP="81.196.XXX.XXX"
PRIVIP="10.0.0.1/24"

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

#curatam
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

$IPT -t nat -A POSTROUTING -o $PUBIF -s 10.0.0.0/21 -j MASQUERADE

$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 10.0.0.7:25
$IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 25 -j ACCEPT

tcpdump gives me :
00:25:36.674163 IP 85.186.xxx.xxx.62752 > 81-196-xxx-xxx.smtp: S 3287938996:3287938996(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 0 0,nop,nop,sackOK>
00:25:39.635597 IP 85.186.xxx.xxx.62752 > 81-196-xxx-xxx.smtp: S 3287938996:3287938996(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 0 0,nop,nop,sackOK>
LVL 1
cmargoiAsked:
Who is Participating?
 
pablouruguayConnect With a Mentor Commented:
i have this
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 200.4.28.6  --dport 25 -j DNAT  --to 192.168.1.143:25
iptables -t nat -A PREROUTING  -p tcp -d 200.4.28.6  --dport 25 -j DNAT  --to 192.168.1.143:25
0
 
cmargoiAuthor Commented:
Common On .... No hint ?
0
 
nociConnect With a Mentor Software EngineerCommented:
This probably is a tcpdump from the PUBIF....,
it more or less looks like it should... (nat rules are processed after the pcap capture...)
This is who a packet looks like when it enters you machine...., then nat for PREROUTING, then routing etc.

Is there a trace of evidence that packets leave your internal interface... ie a tcpdump of the PRIVIF would be nice too.
--

iptables -t nat -L -v

will show numbers between elipses  ( ) that indicate how often a chain is hit (packet count & bytecount).
Also in front of a rule is the number of packets /bytes that hit the rule.
Does it increase for the PREROUTING chain? and how about the rule?

In itself there is no problem with the rules AFAICT...
They can be optimized to not hit every matching packet but only trigger on the first tcp packet for a stream and let
the netfilter engine handle the states. ( hint "-m state --state NEW --syn")

--

Did you enable ip_forwarding?
for the kernel? (disabled by default).
0
Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
pablouruguayCommented:
i disagree.  i think is a split point with noci and me. we give the solution
0
 
Cyclops3590Commented:
Disagree with what exactly.
0
 
pablouruguayCommented:
sorry Cyclops. i saw other quesion with delete no refund yours and i think is this question ... sorry my fault

change i disagree with My suggestion is  

;)
0
 
Cyclops3590Commented:
lol....np....already replied to that one btw

I pinged this one because I wanted cmargoi to give some feedback on this as this issue seems very straight forward to solve to me, and I'm sure you've seen it too, when its seems too straight forward, there is often some other piece of the problem that isn't introduced that is the real culprit.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.