Hi,
I have a DNAT issue with PREROUTING.
This is my setup.
I have 2 firewalls running iptables.
Please assume 1.2.3.4/29 is the internet interface of the FIRST firewall and 2.3.4.5/29 is the internet interface of the SECOND firewall. The second firewall has a DMZ zone, and in that DMZ zone a mail server is running at 192.168.100.3.
Now I want to DNAT port 25 of the FIRST firewall (i.e. its IP address, 1.2.3.4/29) to the internet IP address (2.3.4.5/29) of the SECOND firewall. That firewall DNATs port 25 to the mail server at 192.168.100.3 in the DMZ zone.
These are the rules I have added.
On the FIRST firewall (its internet IP address is 1.2.3.4/29) I have added the rule below.
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
That should forward port 25 to the SECOND firewall. On the SECOND firewall, I have added the 2 rules below.
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
Now it should forward port 25 to the mail server in the DMZ zone.
I think I have added these rules properly. But it does not work.
I checked from the outside world. I telneted to port 25 of the first firewall. Then it should forward to the mail server in the DMZ zone. But there is no response.
WHY is that?
YOUR IDEAS?
Without all the rules, it's not easy to reply. Your NAT rules look fine but some filter rules are missing (I think). FW1 should also ACCEPT port 25 in FORWARD.
If you use rules including --state NEW, you must have other rules like
iptables -t filter -A INPUT/FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The best way for you is to troubleshoot your firewalls using tcpdump. Open 2 terminals on each of your firewalls and run # tcpdump -n -i eth0 port 25 and # tcpdump -n -i eth1 port 25
Then make some telnet connections on port 25 to understand what is happening. Verify that the packets are going through your firewall and that they are NATed and DNATed correctly.
On 9/25/07, Indunil Jayasooriya indunil75@gmail.com wrote:
-- Thank you Indunil Jayasooriya
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
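As an added example that is not part of the thread (not the poster's rule set and not the reply author's), here is a complete pair of rule sets for this two-hop DNAT. It includes the filter rules the reply says are missing (ESTABLISHED,RELATED and a FORWARD accept on FW1) and one thing the thread does not mention: FW1 must also SNAT the flow it forwards to FW2. Without that, FW2 answers the client directly from 2.3.4.5, and the client's TCP stack resets a SYN-ACK arriving from an address it never connected to. Interface names follow the reply's tcpdump commands (eth0 = internet on both boxes, eth1 = DMZ on FW2); the hairpin out of FW1's eth0 and the `RUN` dry-run variable are assumptions of this example, not facts from the thread.

```bash
#!/bin/sh
# Added example, not from the original thread.
# Two-hop SMTP DNAT: client -> FW1 (1.2.3.4) -> FW2 (2.3.4.5) -> mail server
# (192.168.100.3 in FW2's DMZ). Run "./script fw1" on the first firewall and
# "./script fw2" on the second. By default the commands are only printed
# (RUN=echo); run as root with RUN= to actually apply them.
RUN=${RUN-echo}

fw1_rules() {
    # Nothing is forwarded at all unless routing is enabled.
    $RUN sysctl -w net.ipv4.ip_forward=1

    # Same DNAT as in the thread: rewrite inbound SMTP to FW2's public address.
    $RUN iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 \
        -j DNAT --to-destination 2.3.4.5:25

    # Not in the thread: source-NAT the forwarded flow to FW1's own address so
    # FW2's replies come back through FW1 (where conntrack un-NATs them)
    # instead of going straight to the client from 2.3.4.5.
    $RUN iptables -t nat -A POSTROUTING -p tcp -o eth0 -d 2.3.4.5 --dport 25 \
        -j SNAT --to-source 1.2.3.4

    # Filter side, which the reply points out is missing on FW1. The flow
    # enters and leaves on eth0 (hairpin), since FW2 is on the internet side.
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -p tcp -i eth0 -o eth0 -d 2.3.4.5 --dport 25 \
        -m state --state NEW -j ACCEPT
}

fw2_rules() {
    $RUN sysctl -w net.ipv4.ip_forward=1

    # Same DNAT as in the thread: public SMTP port to the DMZ mail server.
    $RUN iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 \
        -j DNAT --to-destination 192.168.100.3:25

    # Reply traffic first, then the NEW-only rule from the thread, now with
    # explicit interfaces so only internet -> DMZ is opened.
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.100.3 --dport 25 \
        -m state --state NEW -j ACCEPT
}

case "${1:-}" in
    fw1) fw1_rules ;;
    fw2) fw2_rules ;;
esac
```

With the SNAT in place, the tcpdump check suggested in the reply should show the client's address going to 1.2.3.4 on FW1's eth0, 1.2.3.4 going to 2.3.4.5 leaving FW1's eth0, 2.3.4.5 arriving on FW2's eth0, and finally 1.2.3.4 going to 192.168.100.3 on FW2's eth1; the mail server therefore sees every external sender as FW1's address, which is the price of a double DNAT done this way. `-m state` matches what the thread uses; on current kernels `-m conntrack --ctstate` is the preferred equivalent.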