iptables, possible circular reference on port forward

I've set up iptables on my Linux router to forward ports to various hosts on a LAN subnet. All works well, except I appear to have forwarded port 25 back to the wrong place.

What I want is for Internet connections to the router on port 10025 to be forwarded to its local port 25.

I want Internet connections to the router on port 25 (actual mail) to be forwarded to IP 192.168.1.101, port 25. In iptables I have:

iptables -t nat -A PREROUTING -p tcp --dport 10025 -j REDIRECT --to-port 25
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.101:25

However, I get the following:

$  telnet mydomain.com 10025
Trying 64.129.xx.xx...
Connected to mydomain.com.
Escape character is '^]'.
220 router.mydomain.com ESMTP Sendmail 8.14.4/8.14.4; Mon, 7 Oct 2013 01:50:53 -0400

$ telnet mydomain.com 25
Trying 64.129.xx.xx...
Connected to mydomain.com.
Escape character is '^]'.
220 router.mydomain.com ESMTP Sendmail 8.14.4/8.14.4; Mon, 7 Oct 2013 01:51:28 -0400

The 2nd telnet should have connected to host csscanweb1.mydomain.com, not router.mydomain.com.

If, when logged onto router I telnet 192.168.1.101 25, I do get "220 cscanweb1".

Somehow, both port 10025 and port 25 route to the Linux router host from the Internet. What did I do wrong?
Mark asked:

Dan Craciun (IT Consultant) commented:
I do not understand why you would want a NAT rule to be split in 2. Why not simply

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j DNAT --to-destination 192.168.1.101:25 ?

HTH,
Dan
Dan Craciun (IT Consultant) commented:
Oh, and if you wanted to add a rule that allows your internal traffic to reach your mail server, try this:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.101:25

Basically that says: send all traffic from eth1 (your internal network, 192.168.1.0) on port 25 to 192.168.1.101:25

HTH,
Dan
Dan Craciun (IT Consultant) commented:
Rereading your question, it seems that you want to use 192.168.1.101 as your "regular" mail server on port 25 and your router as a hidden mail server on port 10025.
So:
regular mail server:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.101:25

hidden mail server:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j DNAT --to-destination 192.168.1.1:25

HTH,
Dan
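
A small first-match model of the nat PREROUTING chain, added here as an example (not code from the thread), to check what the original rule pair and the accepted DNAT pair do with an incoming connection; it also makes the `-i eth0` caveat visible: a port-25 connection arriving on any other interface matches no rule and lands on the router's own listener. "router" stands for the router host, the interface names are assumed, and 192.168.1.1 is assumed to be the router's LAN address.

```python
# Added example, not code from the thread: a toy first-match model of the
# iptables nat PREROUTING chain. "router" stands for the router host itself;
# the interface names and 192.168.1.1 as the router's LAN address are assumed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    in_iface: str                   # interface the packet arrived on (-i)
    dst_host: str                   # "router" = the router's own address
    dport: int                      # destination TCP port

@dataclass(frozen=True)
class Rule:
    dport: int                      # --dport
    target: str                     # "DNAT" or "REDIRECT"
    to_port: int                    # --to-destination port / --to-port
    to_host: Optional[str] = None   # --to-destination address (DNAT only)
    in_iface: Optional[str] = None  # -i; None matches any interface

def prerouting(rules: List[Rule], pkt: Packet) -> Packet:
    """Walk the chain: the first matching rule rewrites the destination and
    ends the walk. An unmatched packet keeps its destination, i.e. it
    reaches whatever is listening on the router itself."""
    for r in rules:
        if r.in_iface is not None and r.in_iface != pkt.in_iface:
            continue
        if r.dport != pkt.dport:
            continue
        if r.target == "REDIRECT":
            # REDIRECT changes only the port; delivery stays on this host
            return Packet(pkt.in_iface, "router", r.to_port)
        return Packet(pkt.in_iface, r.to_host, r.to_port)   # DNAT
    return pkt

# The two rule sets from the thread, in chain order.
ORIGINAL = [Rule(10025, "REDIRECT", 25),
            Rule(25, "DNAT", 25, "192.168.1.101", "eth0")]
ACCEPTED = [Rule(25, "DNAT", 25, "192.168.1.101", "eth0"),
            Rule(10025, "DNAT", 25, "192.168.1.1", "eth0")]

def route(rules: List[Rule], in_iface: str, dport: int) -> Tuple[str, int]:
    """Where an Internet connection to the router on dport ends up."""
    out = prerouting(rules, Packet(in_iface, "router", dport))
    return out.dst_host, out.dport

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("accepted", ACCEPTED)):
        for iface, port in (("eth0", 25), ("eth0", 10025), ("ppp0", 25)):
            print(name, iface, port, "->", route(rules, iface, port))
```

On a live router the equivalent check is `iptables -t nat -L PREROUTING -n -v --line-numbers`, whose packet counters show which rule a test connection actually hit.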

Sandy commented:
Make SMTP not open to public networks by blocking it with the INPUT chain in iptables.
Mark (Author) commented:
Dan Craciun: > it seems that you want to use 192.168.1.101 as your "regular" mail server on port 25 and your router as a hidden mail server on port 10025.

Exactly right!

My setting: iptables -t nat -A PREROUTING -p tcp --dport 10025 -j REDIRECT --to-port 25

worked if I placed it after the DNAT --to-destination entry. I suppose REDIRECT shouldn't be used in this case.

Your --to-destination solution worked and is not position dependent.

Thanks!
Mark (Author) commented:
Sandeep - I'll be posting a question about blocking ports soon. Stay tuned!