Solved

Iptables Port Forwarding

Posted on 2006-07-07
302 Views
Last Modified: 2010-03-18
I'm trying to forward the SMTP port for a machine located in the DMZ; below is my script, I have tried to simplify it as much as possible to reduce the possibility of error, but still no success:

#!/bin/bash

IPT=/sbin/iptables
PUBIF="eth0"
PRIVIF="eth1"
PUBIP="81.196.XXX.XXX"
PRIVIP="10.0.0.1/24"

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# clean up: flush every chain in the filter, nat and mangle tables
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# source NAT for the internal range going out on the public interface
$IPT -t nat -A POSTROUTING -o $PUBIF -s 10.0.0.0/21 -j MASQUERADE

# redirect inbound SMTP arriving on eth0 to the DMZ mail host, and allow it through FORWARD
$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 10.0.0.7:25
$IPT -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 25 -j ACCEPT

tcpdump gives me:
00:25:36.674163 IP 85.186.xxx.xxx.62752 > 81-196-xxx-xxx.smtp: S 3287938996:3287938996(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 0 0,nop,nop,sackOK>
00:25:39.635597 IP 85.186.xxx.xxx.62752 > 81-196-xxx-xxx.smtp: S 3287938996:3287938996(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 0 0,nop,nop,sackOK>
Question by:cmargoi
10 Comments

Author Comment

by:cmargoi
ID: 17067268
Come on.... No hint?

Accepted Solution

by: pablouruguay (earned 250 total points)
ID: 17076653
I have this:
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 200.4.28.6  --dport 25 -j DNAT  --to 192.168.1.143:25
iptables -t nat -A PREROUTING  -p tcp -d 200.4.28.6  --dport 25 -j DNAT  --to 192.168.1.143:25

Assisted Solution

by: noci (earned 250 total points)
ID: 17095326
This is probably a tcpdump from the PUBIF...;
it more or less looks like it should... (NAT rules are processed after the pcap capture...)
This is how a packet looks when it enters your machine..., then NAT for PREROUTING, then routing, etc.

Is there any trace of evidence that packets leave your internal interface? i.e. a tcpdump of the PRIVIF would be nice too.
--

iptables -t nat -L -v

will show numbers between ellipses ( ) that indicate how often a chain is hit (packet count & byte count).
Also in front of a rule is the number of packets/bytes that hit the rule.
Does it increase for the PREROUTING chain? And how about the rule?

In itself there is no problem with the rules AFAICT...
They can be optimized to not hit every matching packet but only trigger on the first TCP packet of a stream and let the netfilter engine handle the states. (hint: "-m state --state NEW --syn")

--

Did you enable ip_forwarding for the kernel? (disabled by default)
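The checks noci lists above (does ip_forward hold 1, does the PREROUTING DNAT counter move, and a stateful NEW --syn / ESTABLISHED rule set) as an added helper script; this is not code from the thread. The iptables listings are constructed samples embedded inline so the functions run offline, and the public address passed to gen_rules is a placeholder for the poster's redacted 81.196.XXX.XXX.

```shell
#!/bin/bash
# Added example, not from the original thread: offline helpers that apply the
# three diagnostics from noci's answer to a DNAT-to-DMZ setup.

# Constructed samples of `iptables -t nat -L PREROUTING -v -n`, captured before
# and after one test connection; the DNAT rule's packet counter goes 3 -> 5.
SAMPLE_BEFORE='Chain PREROUTING (policy ACCEPT 120 packets, 9000 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:10.0.0.7:25'
SAMPLE_AFTER='Chain PREROUTING (policy ACCEPT 125 packets, 9400 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:10.0.0.7:25'

# Packet count of the first DNAT rule matching "dpt:<port>" in a listing.
# $1 = listing text, $2 = destination port
dnat_pkts() {
  printf '%s\n' "$1" | awk -v p="dpt:$2" '$3=="DNAT" && index($0,p) {print $1; exit}'
}

# Compare two listings taken around a test connection: "hit" if the DNAT
# counter increased, otherwise "no-hit" (the rule never matched the packet).
# $1 = listing before, $2 = listing after, $3 = destination port
dnat_hit() {
  local a b
  a=$(dnat_pkts "$1" "$3"); b=$(dnat_pkts "$2" "$3")
  if [ -n "$a" ] && [ -n "$b" ] && [ "$b" -gt "$a" ]; then echo hit; else echo no-hit; fi
}

# ip_forward check; takes the sysctl value as text so it runs anywhere.
# On the firewall: forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)"
forwarding_enabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Print a corrected rule set: enable forwarding, DNAT only on the public
# interface and public address, FORWARD only the first SYN as NEW, then let
# conntrack pass the established reply traffic.
# $1 pubif, $2 privif, $3 pubip (placeholder), $4 DMZ host, $5 port
gen_rules() {
  cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i $1 -d $3 -p tcp --dport $5 -j DNAT --to-destination $4:$5
iptables -A FORWARD -i $1 -o $2 -d $4 -p tcp --dport $5 --syn -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}
```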

Expert Comment

by:pablouruguay
ID: 17344144
I disagree. I think it is a split point between noci and me. We gave the solution.

Expert Comment

by:Cyclops3590
ID: 17344220
Disagree with what exactly.

Expert Comment

by:pablouruguay
ID: 17344273
Sorry Cyclops. I saw another question with "delete, no refund", yours, and I thought it was this question ... sorry, my fault.

Change "I disagree" to "My suggestion is".

;)

Expert Comment

by:Cyclops3590
ID: 17344325
lol.... np.... already replied to that one btw.

I pinged this one because I wanted cmargoi to give some feedback on this, as this issue seems very straightforward to solve to me, and I'm sure you've seen it too: when it seems too straightforward, there is often some other piece of the problem that isn't introduced that is the real culprit.