  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 9656

Redirect TCP Port with iptables - CentOS

I need to redirect incoming TCP port 25 on interface eth1 to another server altogether, on the same port. How can I do this with iptables?

Asked by: technick

1 Solution
 
gb-sdc Commented:
iptables -A PREROUTING -p tcp --dport 25 -i eth1 -j DNAT --to x.x.x.x
iptables -A FORWARD -p tcp --dport 25 -d x.x.x.x -j ACCEPT

Replace x.x.x.x with target IP address. This assumes that you do not need to pretend that the traffic originates from the machine running the iptables rules.
0
 
gb-sdc Commented:
sorry, that should be:

iptables -t nat -A PREROUTING -p tcp --dport 25 -i eth1 -j DNAT --to x.x.x.x
iptables -A FORWARD -p tcp --dport 25 -d x.x.x.x -j ACCEPT

(it's been a while since I had to write these out)

you may also need to add:

iptables -t nat -A POSTROUTING -p tcp --dport 25 -s x.x.x.x -j SNAT --to y.y.y.y

(replace y.y.y.y with eth1 IP address)
0
 
gb-sdc Commented:
another typo: the POSTROUTING rule should use --sport:

iptables -t nat -A POSTROUTING -p tcp --sport 25 -s x.x.x.x -j SNAT --to y.y.y.y
0
 
technick (Author) Commented:
Could you help me write this into my current rules, please?

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 64.125.51.172 -i eth1 --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 587 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Here is a description of my setup. I have a Barracuda Spam Wall which screens all incoming mail, then hands it off to the mail server for delivery. To force all mail through my Barracuda spam wall I blocked port 25 for everybody except my spam wall. How can I integrate the following rules and have it not affect my current setup?

Some spam filters attempt to verify my outgoing mail server by connecting back on port 25, and since it's blocked the verification fails.
0
 
gb-sdc Commented:
Here are the rules that should do what you want. Your solution is not ideal though (see below).

I assume that 64.125.51.172 is your Barracuda box.

Replace x.x.x.x with the IP address of eth1

---
# Generated by iptables-save v1.3.6 on Thu Aug  2 23:35:49 2007
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Thu Aug  2 23:35:49 2007
# Generated by iptables-save v1.3.6 on Thu Aug  2 23:35:49 2007
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s ! 64.125.51.172 -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 64.125.51.172
-A POSTROUTING -d 64.125.51.172 -o eth1 -p tcp -m tcp --dport 25 -j SNAT --to-source x.x.x.x
COMMIT
# Completed on Thu Aug  2 23:35:49 2007
# Generated by iptables-save v1.3.6 on Thu Aug  2 23:35:49 2007
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -s 64.125.51.172 -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A FORWARD -d 64.125.51.172 -p tcp -m tcp --dport 25 -j ACCEPT
# Reply packets of the DNATed SMTP session also traverse FORWARD; with the DROP policy above they need this rule
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Aug  2 23:35:49 2007
---

The reason this is not ideal is that the logs of the message headers will contain bogus information that all email messages originated from the box running the above rules. This obviously makes any attempt to trace the sender of the message rather unreliable.

A better solution would be to direct all incoming/outgoing mail to the Barracuda box via MX records.
0
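As an added example, not code from the thread or from either participant: the rule set gb-sdc builds up across the answers (DNAT in nat/PREROUTING, an accept in filter/FORWARD, SNAT in nat/POSTROUTING) as one parameterised POSIX shell script, plus the two checks the thread skips: the kernel must have net.ipv4.ip_forward enabled or the DNATed packets go nowhere, and FORWARD must accept the reply direction as well as the new connection. Interface eth1 and the filter address 64.125.51.172 are taken from the thread; 192.0.2.10 is a constructed placeholder for the eth1 address (x.x.x.x in the answer). The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: the DNAT/FORWARD/SNAT rule set from
# gb-sdc's answer, parameterised, with sanity checks before anything is applied.
# All three values are assumptions:
#   EXT_IF    interface that receives inbound SMTP          (eth1 on the page)
#   FILTER_IP the spam-filter box                           (64.125.51.172 on the page)
#   EXT_IP    this host's address on EXT_IF, the SNAT source (x.x.x.x on the page)
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them (needs root).
EXT_IF="${EXT_IF:-eth1}"
FILTER_IP="${FILTER_IP:-64.125.51.172}"
EXT_IP="${EXT_IP:-192.0.2.10}"     # constructed placeholder (TEST-NET-1)
DRY_RUN="${DRY_RUN:-1}"

# is_ipv4 ADDR: dotted-quad shape check, so a typo never becomes a rule.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# smtp_redirect_rules EXT_IF FILTER_IP EXT_IP: print the iptables commands,
# one per line, in the order they must be applied.
smtp_redirect_rules() {
  ext_if="$1"; filter_ip="$2"; ext_ip="$3"
  # 1. nat/PREROUTING: inbound SMTP that is not already coming from the filter
  #    gets its destination rewritten to the filter box.
  printf 'iptables -t nat -A PREROUTING -i %s ! -s %s -p tcp --dport 25 -j DNAT --to-destination %s\n' \
    "$ext_if" "$filter_ip" "$filter_ip"
  # 2. filter/FORWARD: after DNAT the packet traverses FORWARD, not INPUT, so
  #    both the new connection and its reply packets must be accepted there.
  printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport 25 -m state --state NEW -j ACCEPT\n' \
    "$ext_if" "$filter_ip"
  printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
  # 3. nat/POSTROUTING: rewrite the source so the filter's replies come back
  #    through this host. Side effect raised in the thread: the filter now logs
  #    every sender as EXT_IP, so sender logging has to happen on this host.
  printf 'iptables -t nat -A POSTROUTING -o %s -d %s -p tcp --dport 25 -j SNAT --to-source %s\n' \
    "$ext_if" "$filter_ip" "$ext_ip"
}

# check_forwarding: DNAT to another host is silently useless unless the kernel
# forwards; returns 0 when net.ipv4.ip_forward is 1, 1 otherwise.
check_forwarding() {
  f=/proc/sys/net/ipv4/ip_forward
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ] && return 0
  echo "warning: net.ipv4.ip_forward is not 1; forwarded SMTP will be dropped" >&2
  return 1
}

# apply_rules: validate the addresses, then print (DRY_RUN=1) or run each rule.
apply_rules() {
  is_ipv4 "$FILTER_IP" || { echo "bad FILTER_IP: $FILTER_IP" >&2; return 2; }
  is_ipv4 "$EXT_IP"    || { echo "bad EXT_IP: $EXT_IP" >&2; return 2; }
  smtp_redirect_rules "$EXT_IF" "$FILTER_IP" "$EXT_IP" | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = "1" ]; then
      printf '%s\n' "$cmd"
    else
      $cmd || exit 1      # inside the pipeline's subshell; status surfaces as the loop's
    fi
  done
}

# Usage:  sh smtp_redirect.sh run              (prints the rules, DRY_RUN=1)
#         DRY_RUN=0 sh smtp_redirect.sh run    (applies them, as root)
if [ "${1:-}" = "run" ]; then
  check_forwarding || exit 1
  apply_rules
fi
```

Run it once in dry-run mode and compare the four printed commands with the iptables-save output in the answer above; the only additions are the `-m state --state ESTABLISHED,RELATED` accept in FORWARD and the ip_forward check, both of which the one-off commands in the thread rely on implicitly.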
