Solved

Newbie trying to redirect port 26 to port 25 via iptables

Posted on 2007-10-08
1,064 Views
Last Modified: 2013-12-16
I am trying to allow mail users to come in on port 26 as well as port 25 for those pesky ISPs out there that are blocking outbound port 25 traffic.  I need users to use my mail server though, so I need to get around the ISP.

I googled and found this suggestion:

iptables -t nat -A PREROUTING -t nat -p tcp -d [myiphere] --dport 26 -j DNAT --to [myiphere]:25

But while there is no error produced when I type that, it also does not result in me being able to connect to port 26.  (I tried from the console and externally both)

The system I'm on now is running Fedora Core 4 and I believe is running sendmail for mail handling.  I'm fairly new to this server though, so I'm still learning and honestly I'm nowhere close to a linux master either so most of my administration is done via web interfaces and with the help of google searches.

Thanks in advance!
Question by:archaic0
20 Comments
 
LVL 13

Expert Comment

by:WizRd-Linux
ID: 20038624
iptables -t nat -A PREROUTING -p TCP --dport 26 -j REDIRECT --to-port 25

This should get you going, this means anything destined for port 26 will redirect to port 25 regardless of the IP address.
 
LVL 43

Expert Comment

by:ravenpl
ID: 20039612
1. why haven't You posted the generated error message?
2. the above will not work for locally spawned connections (use OUTPUT chain from nat table)
3. -j DNAT is used for redirecting to other machines from the firewall itself
 

Author Comment

by:archaic0
ID: 20042167
ravenpl:
1.  No error message was generated by the code I posted.  It seems to accept it, but the expected result does not happen.
2.  I don't really need locally spawned connections to work, I was just testing locally.  My concern is with external users.
3.  Understood.  I copied that code from an example online.  Surprise that it doesn't fit me exactly.  *smile*

WizRd-Linux:
That line of code when pasted into my console produces this error:

iptables: No chain/target/match by that name

I've seen a "$" in front of some example commands, and if I put that in front of yours then I don't get an error.  What is the significance of this?

Either way, I was still not able to telnet to port 26.  Is there something I can copy and paste for you so you can see what the current status of things is?  I've run a couple variations on this command now and some of them did not produce error, but did not allow access either.  Maybe there is a rule in place now that is incorrect and conflicting?

(and I am restarting the iptables service after every attempted change)


 
LVL 43

Expert Comment

by:ravenpl
ID: 20043716
> (and I am restarting the iptables service after every attempted change)
Don't, it flushes previous values and sets up default config.

Do You have two NICs installed on Your router? Can You draw the network diagram? Can You tell which host is trying to reach port26 of the router?
 

Author Comment

by:archaic0
ID: 20044511
OK, so no more restart.  But if I restart the machine, then isn't that the same thing and will it then undo whatever change I make?  Or does only the restart service command flush values?

Still, the current suggestion:
iptables -t nat -A PREROUTING -p TCP --dport 26 -j REDIRECT --to-port 25

Produces this error:  
iptables: No chain/target/match by that name

So at this time I don't have a successful change to be saved.

I do not have two NICs

My machine is a linux VPS with a static public IP behind a cisco router on a DMZ.

I haven't looked to see if I can find a log of hosts being denied (wouldn't know where to look) I'm just trying myself to connect on port 26 and being denied.

My testing method is simply to use telnet to connect to my host name on port 26.  I can connect without fail on 25.  Trying to connect on port 26 results in a connect failure.

 
LVL 43

Expert Comment

by:ravenpl
ID: 20046547
iptables -t nat -A PREROUTING -p TCP --dport 26 -j REDIRECT --to-ports 25
#note the --to-ports
if it still fails, then You probably have no nat table compiled into the kernel.

to save config permanently: /etc/init.d/iptables save

> I do not have two NICs
Then how remote users gets routed by Your host? Do You have multiple vlans configured on the single NIC?
 

Author Comment

by:archaic0
ID: 20049112

Remote users aren't in need of routing, this machine is the only destination.  It's a web server.

While I have root access, it is a purchased VPS from 1&1 hosting so I don't think I can accomplish a new kernel compile.

Is there any other way to accomplish the port re-direct without NAT and iptables?

Can I set the mail server to listen on both 25 and 26?  (now we're stepping out of the security field, but maybe...)

 
LVL 43

Expert Comment

by:ravenpl
ID: 20051679
> Is there any other way to acomplish the port re-direct without NAT and iptables?
Yes. Lots of them. I use xinetd
http://www.collaborium.org/onsite/benin/lectures/christian/security/SLIDES/img36.html
But one drawback - source address of connection is lost.

> Can I set the mail server to listen on both 25 and 26?  (now wer're stepping out of the security field, but maybe...)
Yes, which server?

Have You tried with --to-ports instead of --to-port?
 

Author Comment

by:archaic0
ID: 20051910
Yes, I tried the plural ports syntax, same error.

I'm running sendmail.
 
LVL 43

Expert Comment

by:ravenpl
ID: 20051967
 

Author Comment

by:archaic0
ID: 20052741
ok, crap, I thought I was running sendmail, but it looks like it's qmail instead... I'll try that same google search with qmail.
 

Author Comment

by:archaic0
ID: 20052946
those search results were not nearly as helpful as the sendmail ones.  The results I found are referencing files that don't exist on my server.  Like the supervise directory.

I did verify with 'lsof' that when I telnet into my server on port 25, the connection is picked up by 'qmail-smt' which I assume is just 'qmail-smtpd' truncated.
 
LVL 43

Expert Comment

by:ravenpl
ID: 20055106
For qmail, You probably have tcpserver listening on port 25. For qmail it's even easier. But first, find out who is listening on port 25

netstat -ltnp | grep :25
it will show something like
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2585/tcpserver

then: ps axw | grep 2585 # pid of the listening process
 2585 ?        S      0:18 tcpserver -R -x /opt/qmail/control/tcp.smtp.cdb -c 50 -v -u 201 -g 200 0 smtp qmail-smtpd domain.com smtpchkpwd

all You need is to run another process for port26
tcpserver -R -x /opt/qmail/control/tcp.smtp.cdb -c 50 -v -u 201 -g 200 0 26 qmail-smtpd domain.com smtpchkpwd
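As an added example (not code from the thread; the function names are mine and both sample outputs are constructed from the formats quoted in this thread), the two steps ravenpl describes as a script: find the owner of port 25 in `netstat -ltnp` output and, if it is tcpserver, copy its command line with the port argument changed. It also handles the case the thread ran into, where the owner turns out to be xinetd, and the grep noise that `ps axw | grep PID` produces:

```sh
#!/bin/sh
# Added example, not from the thread: find the process that owns port 25 and,
# when it is tcpserver, build the command line for a second instance on port 26
# (ravenpl's "run another process for port 26"). Function names are mine; the
# two samples are constructed from the output formats quoted in this thread.

# Constructed sample of `netstat -ltnp` (PIDs are only shown to root).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      2585/tcpserver
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN      2590/tcpserver
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      9786/sshd'

# Constructed sample of `ps axw` with two tcpserver instances plus the grep
# line that `ps axw | grep PID` adds to its own output.
SAMPLE_PS=' 2585 ?        S      0:18 tcpserver -R -x /opt/qmail/control/tcp.smtp.cdb -c 50 -v -u 201 -g 200 0 smtp qmail-smtpd domain.com smtpchkpwd
 2590 ?        S      0:02 tcpserver -R -H -x /opt/qmail/control/tcp.pop3.cdb -c 50 0 pop3 qmail-popup domain.com checkpassword qmail-pop3d Maildir
 7437 pts/0    S+     0:00 grep 2585'

# listener_for_port PORT   (netstat -ltnp output on stdin)
# Prints the PID/program column of the TCP socket listening on PORT, or fails.
listener_for_port() {
    awk -v port="$1" '
        $1 == "tcp" && $6 == "LISTEN" && $4 ~ (":" port "$") { print $7; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# tcpserver_on_port NEWPORT [PID]   (ps axw output on stdin)
# Copies the tcpserver command line of PID (or the first one found) with its
# port argument replaced. tcpserver takes "[options] HOST PORT PROGRAM [ARGS...]";
# in ucspi-tcp the options that consume a value are -x -b -c -g -u -l -t -B, the
# rest are bare flags. The ps columns in front of "tcpserver" are dropped so the
# result can be run as-is.
tcpserver_on_port() {
    awk -v newport="$1" -v pid="$2" '
    pid != "" && $1 != pid { next }
    {
        for (i = 1; i <= NF; i++) if ($i == "tcpserver") break
        if (i > NF) next                        # not a tcpserver line (e.g. the grep itself)
        pos = 0
        for (j = i + 1; j <= NF; j++) {
            if (pos == 0 && $j ~ /^-/) {        # still inside the option list
                if ($j ~ /^-[xbcgultB]$/) j++   # this option takes a value
                continue
            }
            pos++                               # 1 = HOST, 2 = PORT
            if (pos == 2) { $j = newport; break }
        }
        out = $i
        for (k = i + 1; k <= NF; k++) out = out " " $k
        print out; done = 1; exit
    }
    END { exit (done ? 0 : 1) }'
}

# second_smtp_listener PORT NEWPORT NETSTAT_FILE PS_FILE
# Chains the two steps. On the real host:
#   netstat -ltnp > /tmp/netstat.out; ps axw > /tmp/ps.out
#   second_smtp_listener 25 26 /tmp/netstat.out /tmp/ps.out
second_smtp_listener() {
    owner=$(listener_for_port "$1" < "$3") || { echo "nothing is listening on tcp/$1"; return 1; }
    case "$owner" in
        */tcpserver) tcpserver_on_port "$2" "${owner%%/*}" < "$4" ;;
        */xinetd)    echo "xinetd owns tcp/$1: add a service stanza with type = UNLISTED and port = $2" ;;
        *)           echo "tcp/$1 is owned by $owner: add the second port in that daemon's own config"; return 1 ;;
    esac
}
```

The printed command is only a starting point: run it under the same supervisor (supervise/daemontools or an init script) as the existing instance, otherwise it dies with the shell that started it.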
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 20062879
Hi

the only problem I can see with this rule:
iptables -t nat -A PREROUTING -p TCP --dport 26 -j REDIRECT --to-port 25

is it has TCP in uppercase :-)

use this and it should work:
iptables -t nat -A PREROUTING -p tcp --dport 26 -j REDIRECT --to-port 25

of course, you need a program listening on port 25 (email server)

 

Author Comment

by:archaic0
ID: 20065648
Redimido:  same error:  (I tried the plural ports like previously suggested too)

[root@s15265643 ~]# iptables -t nat -A PREROUTING -p tcp --dport 26 -j REDIRECT --to-port 25
iptables: No chain/target/match by that name

[root@s15265643 ~]# iptables -t nat -A PREROUTING -p tcp --dport 26 -j REDIRECT --to-ports 25
iptables: No chain/target/match by that name


Ravenpl:  Here is a transcript

[root@s15265643 ~]# netstat -ltnp | grep :25
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      9794/xinetd
[root@s15265643 ~]# ps axw |grep 9794
 9794 ?        Ss     0:02 xinetd -stayalive -pidfile /var/run/xinetd.pid
 7437 pts/0    S+     0:00 grep 9794
[root@s15265643 ~]#

So 'xinetd' is the process?  Your example seemed easy, but my results don't make mine look that easy.

This is my lsof results:

[root@s15265643 ~]# lsof | grep itpart
sshd       5504   root    3u  IPv4           11222276                TCP s15265643.onlinehome-server.com:ssh->smtp.itpartnergroup.com:3564 (ESTABLISHED)
qmail-smt  9461 qmaild    0u  IPv4           11229047                TCP s15265643.onlinehome-server.com:smtp->smtp.itpartnergroup.com:4178 (ESTABLISHED)
qmail-smt  9461 qmaild    1u  IPv4           11229047                TCP s15265643.onlinehome-server.com:smtp->smtp.itpartnergroup.com:4178 (ESTABLISHED)
qmail-smt  9461 qmaild    2u  IPv4           11229047                TCP s15265643.onlinehome-server.com:smtp->smtp.itpartnergroup.com:4178 (ESTABLISHED)
[root@s15265643 ~]#

And here is my ps ax:

[root@s15265643 ~]# ps ax
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:00 init [3]
 9756 ?        Ss     0:00 syslogd -m 0
 9773 ?        Ssl    0:00 /usr/sbin/named -u named -n1 -c /etc/named.conf -u named -t /var/named/run-root
 9786 ?        Ss     0:00 /usr/sbin/sshd
 9794 ?        Ss     0:02 xinetd -stayalive -pidfile /var/run/xinetd.pid
 9855 ?        S      0:00 /bin/sh /usr/bin/mysqld_safe --defaults-file=/etc/my.cnf --pid-file=/var/run/mysqld/mysqld.pid
 9889 ?        Sl     0:05 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-
 9947 ?        S      0:01 qmail-send
 9949 ?        S      0:00 splogger qmail
 9950 ?        S      0:00 qmail-lspawn ./Maildir/
 9951 ?        S      0:00 qmail-rspawn
 9952 ?        S      0:00 qmail-clean
 9971 ?        Ss     0:00 /usr/sbin/httpd
10048 ?        Ss     0:00 /usr/local/psa/admin/bin/httpsd
10052 ?        S      0:00 /usr/local/psa/admin/bin/httpsd
10068 ?        Ss     0:00 crond
11499 ?        S      0:00 /usr/sbin/httpd
29809 ?        S      0:00 /usr/sbin/httpd
13544 ?        S      0:00 /usr/sbin/httpd
32647 ?        S      0:00 /usr/local/psa/admin/bin/httpsd
 5504 ?        Rs     0:00 sshd: root@pts/0
 5658 pts/0    Ss     0:00 -bash
 9461 ?        Ss     0:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
 9748 pts/0    R+     0:00 ps ax
[root@s15265643 ~]#

 
LVL 43

Accepted Solution

by:
ravenpl earned 2000 total points
ID: 20067401
> tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      9794/xinetd
Even better.
go to directory /etc/xinetd.d/
copy file called smtp to smtp26
edit the newly created smtp26 file and make sure it starts with
 service smtp26
line instead of
 service smtp

and contains following entries
        type = UNLISTED
        port = 26
        protocol = tcp
all other entries leave as they are. Restart xinetd service
/etc/init.d/xinetd restart
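The accepted answer as an added example, not code from the thread: the function names are mine and the sample stanza is constructed to match the smtp_psa file the poster cloned. It writes the smtp26 stanza and checks it before xinetd is restarted:

```sh
#!/bin/sh
# Added example of the accepted answer, not code from the thread: clone an
# xinetd service stanza onto a new, unlisted port and sanity-check the result
# before restarting xinetd. Function names are mine; the sample stanza is
# constructed to match the smtp_psa file the poster ended up cloning.

# Constructed sample of /etc/xinetd.d/smtp_psa before the change.
SAMPLE_STANZA='service smtp
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        disable         = no
        user            = root
        instances       = UNLIMITED
        server          = /var/qmail/bin/tcp-env
        server_args     = /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}'

# clone_xinetd_service NEWNAME PORT   (original stanza on stdin)
# Renames the service and forces type = UNLISTED, port = PORT, protocol = tcp
# right after the opening brace; any type/port/protocol lines of the original
# are dropped so the clone cannot keep the old port. Every other attribute
# (server, server_args, user, instances, ...) is copied verbatim, which is the
# point: port 26 must behave exactly like port 25.
clone_xinetd_service() {
    awk -v name="$1" -v port="$2" '
        /^[ \t]*service[ \t]/ { print "service " name; next }
        /^[ \t]*[{]/ {
            print
            printf "        type            = UNLISTED\n"
            printf "        port            = %s\n", port
            printf "        protocol        = tcp\n"
            next
        }
        /^[ \t]*(type|port|protocol)[ \t]*=/ { next }
        { print }'
}

# check_xinetd_clone PORT   (stanza on stdin)
# Fails, naming the first problem, unless the stanza is enabled, unlisted,
# bound to PORT over tcp, and has a server to run. Assumes the usual
# "attribute = value" layout with spaces around "=".
check_xinetd_clone() {
    awk -v port="$1" '
        $2 == "=" { kv[$1] = $3 }
        END {
            if (kv["disable"]  != "no")       { print "disable is not no";    exit 1 }
            if (kv["type"]     != "UNLISTED") { print "type is not UNLISTED"; exit 1 }
            if (kv["port"]     != port)       { print "port is " kv["port"] ", expected " port; exit 1 }
            if (kv["protocol"] != "tcp")      { print "protocol is not tcp";  exit 1 }
            if (kv["server"]   == "")         { print "no server attribute";  exit 1 }
            print "ok"
        }'
}

# On the real host (the poster's Plesk box has smtp_psa; adjust the source file):
#   clone_xinetd_service smtp26 26 < /etc/xinetd.d/smtp_psa > /etc/xinetd.d/smtp26
#   check_xinetd_clone 26 < /etc/xinetd.d/smtp26 && /etc/init.d/xinetd restart
```

Two things worth knowing before copying a stanza this way. The clone inherits every attribute, including `user = root`, so review the original before duplicating it. And the "source address is lost" drawback ravenpl mentioned earlier applies to xinetd's `redirect` attribute, which proxies the connection; here xinetd hands the accepted socket straight to tcp-env, so relaylock and qmail-smtpd still see the real client address on port 26 exactly as on port 25.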
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 20078317
iptables: No chain/target/match by that name

That message is usually associated with a syntax error or a missing module.

Since syntax is correct, then it points into the correct module not loaded.

try

depmod -a
iptables -t filter -L
iptables -t nat -L

to see if these tables are present.

you can also try loading these modules by yourself:
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe ipt_state
/sbin/modprobe ipt_recent
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_LOG
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_conntrack
/sbin/modprobe ip_conntrack

and then try the rule again.
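As an added diagnostic (not from the thread; the function names and the optional path arguments, which let it run against constructed files, are mine) for the error that both ravenpl and Gabriel Orozco trace to the kernel side: it checks that the nat table is registered and that the REDIRECT target module is present, and prints the rule only when both are:

```sh
#!/bin/sh
# Added diagnostic (not from the thread) for the error
#   iptables: No chain/target/match by that name
# seen when adding a REDIRECT rule. Function names and the optional path
# arguments (used to test against constructed files) are my own.

# Is the nat table registered with the running kernel?
# /proc/net/ip_tables_names lists one registered table per line (filter, nat, ...)
# once ip_tables is loaded.
# Usage: nat_table_present [path]   (default: /proc/net/ip_tables_names)
nat_table_present() {
    names="${1:-/proc/net/ip_tables_names}"
    [ -r "$names" ] && grep -qx nat "$names"
}

# Is the REDIRECT target shipped for this kernel as a module? Older kernels name
# it ipt_REDIRECT, newer ones xt_REDIRECT. A target built into the kernel has no
# .ko file, so a miss here only means "not loadable as a module".
# Usage: redirect_target_available [modules-dir]   (default: /lib/modules/$(uname -r))
redirect_target_available() {
    moddir="${1:-/lib/modules/$(uname -r)}"
    [ -d "$moddir" ] &&
    find "$moddir" -type f \( -name 'ipt_REDIRECT.ko*' -o -name 'xt_REDIRECT.ko*' \) 2>/dev/null |
        grep -q .
}

# The rule itself. REDIRECT rewrites the destination to the receiving host, so
# no --to address is needed, and the option is --to-ports (plural).
# Usage: redirect_rule FROM_PORT TO_PORT
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$1" "$2"
}

# Report what is missing and print the rule only when nothing is.
# Usage: check_redirect FROM_PORT TO_PORT [ip_tables_names-path] [modules-dir]
check_redirect() {
    missing=0
    nat_table_present "$3" ||
        { echo "nat table not registered: iptable_nat not loaded, or not available in this kernel"; missing=1; }
    redirect_target_available "$4" ||
        { echo "REDIRECT target module not found: ipt_REDIRECT/xt_REDIRECT missing"; missing=1; }
    [ "$missing" -eq 0 ] && redirect_rule "$1" "$2"
    return "$missing"
}

# On the real host: check_redirect 26 25
```

On a VPS where the provider controls the kernel, a table or module that is missing cannot be added with modprobe from inside the guest, which is why this thread ends up at the xinetd route. Once a rule does load, persist it with the `/etc/init.d/iptables save` that ravenpl mentions rather than restarting the service: a restart reloads the saved set and drops anything unsaved.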
 

Author Comment

by:archaic0
ID: 20078425
Woo Hoo!

I have an answer on port 26.

Thanks for sticking with it.  I'm upping the points to 500 for sticking in there with me.

A few things were strange, but your instructions were applicable anyway.

I have two smtp files in that directory, smtp_psa and smtps_psa.  So I copied the smtp_psa and did as you said.

Here is that file as it sits now.
----
service smtp26
{
        type            = UNLISTED
        port            = 26
        socket_type     = stream
        protocol        = tcp
        wait            = no
        disable         = no
        user            = root
        instances       = UNLIMITED
        server          = /var/qmail/bin/tcp-env
        server_args     = /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
----

I got an SMTP answer when I telnetted to port 26 this time so all is well.

 

Author Comment

by:archaic0
ID: 20078450
those commands all resulted in empty results.  They did not error, they came back with this:

[root@s15265643 xinetd.d]# iptables -t filter -L
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

iptables simply isn't set up fully on this machine.  I may look into that next.
 

Author Comment

by:archaic0
ID: 20078458
Increase deserved.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years.  You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Suggested Courses
Course of the Month19 days, 4 hours left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question