i'm having a problem viewing logs on forwarded ports from the firewall to another server, i forwarded mail(port 25) from the firewall to an internal server. The problem is when i try to view the logs it just shows the firewall ip as the sender and not the original sender.
On Thu, 2005-05-19 at 21:08 +0800, Mark Quitoriano wrote:
In reality, the firewall may be making the connection to the internal server... and not the external machine. Especially if the internal server is on a 192.168.x.x or 10.x.x.x network and you are connecting via NAT. If that is the case, the external machine is connecting to the firewall and the firewall is connecting to the internal server.
If you're doing true port forwarding, the internal server should see the ip address of the external machine in its logs.
This is how my machines log that do this, I use this type of entry in iptables:
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 10.198.0.17
P.
Johnny Hughes wrote:
On Thu, 2005-05-19 at 14:31 +0100, Peter Farrow wrote:
Agreed ... I just checked and indeed you should see the external IP in the logs (and in netstat) ... so just ignore the bunk that I said before :)
-----------------------------------------------------------------
If true port forwarding is set ... then this statement (by me) is WRONG :) ------------------------------------------------------------------
here's how i did mine
iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -j DNAT --to-destination 10.0.0.1
iptables -t nat -A POSTROUTING -d 10.0.0.1 -j SNAT --to xxx.xxx.xxx.xxx
because the firewall has different ip than my mail server
On 5/19/05, Peter Farrow peter@farrows.org wrote:
On Thu, 2005-05-19 at 21:44 +0800, Mark Quitoriano wrote:
here's how i did mine
You are forwarding it twice
Is 10.0.0.1 the internal interface of the firewall (that contains -d xxx.xxx.xxx.xxx) or is it a seperate machine
If it is on the same machine, try this (assuming you have a FORWARD rule too):
iptables -A FORWARD -i $EXTIF -p tcp --dport 25 -m state \ --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 25 \ -j DNAT --to xxx.xxx.xxx.xxx
($EXTIF is the external insterface {eth0, eth1, etc.}, $EXTIP is the external IP address)
If you are doing it like this as you have indicated,
iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -j DNAT --to-destination 10.0.0.1
iptables -t nat -A POSTROUTING -d 10.0.0.1 -j SNAT --to xxx.xxx.xxx.xxx
Then thats why your mail server logs the ip address of the firewall.... because of the POSTROUTING line above and the fact that you DNAT'ed to an ipaddress that you then SNAT'ed out onto the LAN.
Its no problem and expected that your mail server has a different IP to your firewall, in this case you will need to make sure that the. packets you've destination NAT'ed are allowed through the forward chain as Johnny Hughes has indicated below.
P.
Johnny Hughes wrote:
@ john et al
ei tnx guys i tried john's syntax and it work :)
@peter anyway the second one(where the snat is) why i put it in the script because i thought i need to send back the packets to the firewall so the firewall will send it back to the sender. But when i tired john's syntax it sends back without the snat syntax. why is that?
On 5/19/05, Peter Farrow peter@farrows.org wrote:
hi guys i got another problem...
as i said the last post i used john's syntax for my iptables and it worked fine outside the internet but my local user can't access it on there browser.
On 5/20/05, Mark Quitoriano markquitoriano@gmail.com wrote:
how can i do this? about my problem how can i tell firewall if the source is 10.0.0.1 and sending it to 10.0.0/24 he well send it to eth1 interface?
there's no such thing as -j eth1 right?
On 5/20/05, Mark Quitoriano markquitoriano@gmail.com wrote:
On Fri, 2005-05-20 at 22:14 +0800, Mark Quitoriano wrote:
What I do is have an internal DNS server that does internal IPS for my domain (it is listed as Primary, no secondaries, for my domain). Internally, mail.hughesjr.com has the internal address .... externally it real address.
Internal clients point to the internal DNS server (and internal IP) ... external clients point to the external IP.
well yes it can be a walkaround but i'm looking for something in firewall level.
On 5/20/05, Johnny Hughes mailing-lists@hughesjr.com wrote:
you can use the "view" setup in bind to create different resolutions for different networks
http://www.zytrax.com/books/dns/ch7/view.html
Johnny Hughes wrote:
I'd recommend getting firewall builder, setting it up as you want, then insoecing /etc/sysconfig/iptables to see the rules created. http://www.fwbuilder.org/
Johnny Hughes wrote:
-
Johnny Hughes -
Mark Quitoriano -
Peter Farrow -
Ryan