[CentOS] DNAT PREROUTING issue with iptables
aspineux at gmail.com
Tue Sep 25 12:46:06 UTC 2007
Without all the rules, it's not easy to reply.
Your NAT rules look fine but some filters are missing (I think). FW1
should also accept to FORWARD port 25.
If you use rules including --state NEW, you must have other rules like
iptables -t filter -A INPUT/FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The best way for you is to troubleshoot your firewalls using tcpdump.
Open 2 terminals on each of your firewalls, run
# tcpdump -n -i eth0 port 25
# tcpdump -n -i eth1 port 25
Then make some telnets on port 25 to understand what is happening.
Verify packets are going through your firewall and they are well NATed.
On 9/25/07, Indunil Jayasooriya <indunil75 at gmail.com> wrote:
> I have an DNAT ISSUE with PREROUTING.
> This is my setup.
> I have 2 firewalls running iptables.
> Pls assume 220.127.116.11/29 is the internet interface of FIRST firewall.
> 18.104.22.168/29 is the internet interface of SECOND firewall. It has a DMZ zone. In
> that DMZ zone, mail server running @ 192.168.100.3
> Now I want to DNAT port 25 of FIRST firewall ( i.e - its ip address -
> 22.214.171.124/29) to the internet ip address ( 126.96.36.199/29) of SECOND firewall.
> That firewall DNATs port 25 to mail server @ 192.168.100.3 in DMZ zone.
> These are rules I have added.
> FIRST firewall (its internet ip address - 188.8.131.52/29) I have added below
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 184.108.40.206 --dport 25 -j DNAT --to-destination 220.127.116.11:25
> That should forward port 25 to SECOND firewall. In SECOND firewall, I have
> added 2 below rules.
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 18.104.22.168 --dport 25 -j DNAT --to-destination 192.168.100.3:25
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
> Now, it should forward port 25 to mail server @ DMZ Zone.
> I think I have added these rules properly. But, it does not work.
> I checked from outside world. I telneted to port 25 of first firewall.
> Then, it should forward to mail server @ DMZ zone.
> But, no response.
> WHY is that?
> YOUR IDEAS?
> Thank you
> Indunil Jayasooriya
aspineux gmail com
May the sources be with you
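As an added illustration (not part of the thread, and not netfilter or iptables code), the following Python model runs a client's SYN and the mail server's SYN-ACK through a simplified version of the SECOND firewall's packet path: conntrack lookup, the nat PREROUTING DNAT, and the filter FORWARD chain with a DROP policy. It shows why the posted FORWARD rule, which only matches --state NEW, lets the first packet in but leaves the mail server's reply to the chain policy, and that adding the ESTABLISHED,RELATED rule from the answer fixes the reply without opening any new inbound connection. The public and DMZ addresses are the ones from the thread; the client address 203.0.113.7 and the port numbers are constructed, and the conntrack and rule matching are deliberately reduced to what the scenario needs.

```python
"""Toy model of the netfilter path discussed in the thread on the SECOND
firewall: conntrack lookup, the nat PREROUTING DNAT and the filter FORWARD
chain. Added illustration only; it is not netfilter or iptables code."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

FW2_PUBLIC = "18.104.22.168"   # SECOND firewall's internet address (from the thread)
MAIL = "192.168.100.3"         # mail server in the DMZ (from the thread)
CLIENT = "203.0.113.7"         # constructed outside client address (TEST-NET-3)

FiveTuple = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> FiveTuple:
        return (self.src, self.sport, self.dst, self.dport)


@dataclass(frozen=True)
class Rule:
    """One filter FORWARD rule; a None match field means 'any' (no -d / --dport / -m state)."""
    target: str
    dst: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[FrozenSet[str]] = None

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.states is None or state in self.states))


class Firewall:
    def __init__(self, forward_rules: List[Rule], dnat: Dict[Tuple[str, int], str],
                 policy: str = "DROP") -> None:
        self.forward_rules = forward_rules
        self.dnat = dnat              # (dst, dport) -> new dst: the PREROUTING DNAT rule
        self.policy = policy          # chain policy, hit when no rule matches
        self.conntrack: Dict[FiveTuple, FiveTuple] = {}   # original tuple -> reply tuple

    def _state(self, pkt: Packet) -> str:
        """Conntrack lookup; it runs before nat PREROUTING, so it sees the un-NATed packet."""
        for orig, reply in self.conntrack.items():
            if pkt.key() in (orig, reply):
                return "ESTABLISHED"
        return "NEW"

    def forward(self, pkt: Packet) -> Tuple[str, Packet]:
        """Run one packet through PREROUTING (DNAT) and FORWARD; return the verdict and the packet as FORWARD saw it."""
        state = self._state(pkt)
        original = pkt
        if state == "NEW":
            # DNAT applies only to the first packet of a connection; replies are
            # un-translated from the conntrack entry in POSTROUTING, after FORWARD,
            # so FORWARD sees the reply with the DMZ address as its source.
            new_dst = self.dnat.get((pkt.dst, pkt.dport), pkt.dst)
            pkt = Packet(pkt.src, pkt.sport, new_dst, pkt.dport)
        verdict = self.policy
        for rule in self.forward_rules:          # first matching rule wins
            if rule.matches(pkt, state):
                verdict = rule.target
                break
        if state == "NEW" and verdict == "ACCEPT":
            # The entry is confirmed only for packets that were not dropped.
            self.conntrack[original.key()] = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return verdict, pkt


# The rule from the original post: only NEW connections to the mail server.
POSTED_RULES = [Rule("ACCEPT", dst=MAIL, dport=25, states=frozenset({"NEW"}))]
# The same plus the rule the reply asks for: -m state --state ESTABLISHED,RELATED -j ACCEPT
FIXED_RULES = [Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))] + POSTED_RULES


def run_session(rules: List[Rule]) -> Tuple[str, str]:
    """Client SYN to port 25, then the mail server's SYN-ACK; return both FORWARD verdicts."""
    fw = Firewall(rules, {(FW2_PUBLIC, 25): MAIL})
    syn_verdict, _ = fw.forward(Packet(CLIENT, 40000, FW2_PUBLIC, 25))
    synack_verdict, _ = fw.forward(Packet(MAIL, 25, CLIENT, 40000))
    return syn_verdict, synack_verdict


def unsolicited_probe(rules: List[Rule]) -> str:
    """A fresh connection to another port: the ESTABLISHED,RELATED rule must not let it in."""
    fw = Firewall(rules, {(FW2_PUBLIC, 25): MAIL})
    verdict, _ = fw.forward(Packet(CLIENT, 40001, FW2_PUBLIC, 22))
    return verdict


if __name__ == "__main__":
    print("posted rules:", run_session(POSTED_RULES))      # ('ACCEPT', 'DROP')
    print("fixed rules: ", run_session(FIXED_RULES))       # ('ACCEPT', 'ACCEPT')
    print("probe to 22: ", unsolicited_probe(FIXED_RULES))  # DROP
```

The same FORWARD logic applies on the FIRST firewall, which is why the answer says it must accept port 25 in FORWARD as well. One further thing worth checking there with the suggested tcpdump runs: the FIRST firewall's PREROUTING DNAT rewrites only the destination, so packets reach the SECOND firewall carrying the outside client's source address, and the SECOND firewall's replies leave by whatever route it has to that client. Unless that route runs back through the FIRST firewall, where conntrack would undo the DNAT, the client receives its SYN-ACK from the SECOND firewall's public address rather than the one it connected to and the handshake fails; a POSTROUTING SNAT or MASQUERADE on the FIRST firewall for that forwarded connection pins the return path through it.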