[CentOS] iptables port forwarding

Thu May 19 14:07:15 UTC 2005
Peter Farrow <peter at farrows.org>

If you are doing it like this as you have indicated,

iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -j DNAT
--to-destination 10.0.0.1

iptables -t nat -A POSTROUTING -d 10.0.0.1 -j SNAT --to xxx.xxx.xxx.xxx


Then that's why your mail server logs the IP address of the firewall....
because of the POSTROUTING line above and the fact that you DNAT'ed to
an IP address that you then SNAT'ed out onto the LAN.

It's no problem and expected that your mail server has a different IP to
your firewall; in this case you will need to make sure that
the packets you've destination NAT'ed are allowed through the forward
chain as Johnny Hughes has indicated below.

P.


Johnny Hughes wrote:

>On Thu, 2005-05-19 at 21:44 +0800, Mark Quitoriano wrote:
>
>>here's how I did mine
>>
>>iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -j DNAT
>>--to-destination 10.0.0.1
>>
>>iptables -t nat -A POSTROUTING -d 10.0.0.1 -j SNAT --to xxx.xxx.xxx.xxx
>>
>>because the firewall has a different IP than my mail server
>>
>You are forwarding it twice.
>
>Is 10.0.0.1 the internal interface of the firewall (that contains -d
>xxx.xxx.xxx.xxx) or is it a separate machine?
>
>If it is on the same machine, try this (assuming you have a FORWARD rule
>too):
>
>iptables -A FORWARD -i $EXTIF -p tcp --dport 25 -m state \
> --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
>iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 25 \
> -j DNAT --to xxx.xxx.xxx.xxx
>
>($EXTIF is the external interface {eth0, eth1, etc.}, $EXTIP is the
>external IP address)
>
>>On 5/19/05, Peter Farrow <peter at farrows.org> wrote:
>>
>>>If you're doing true port forwarding, the internal server should see the
>>>IP address of the external machine in its logs.
>>>
>>>This is how my machines log that do this; I use this type of entry in
>>>iptables:
>>>
>>>iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to
>>>10.198.0.17
>>>
>>>P.
>>>
>>>Johnny Hughes wrote:
>>>
>>>>On Thu, 2005-05-19 at 21:08 +0800, Mark Quitoriano wrote:
>>>>
>>>>>I'm having a problem viewing logs on forwarded ports from the firewall
>>>>>to another server. I forwarded mail (port 25) from the firewall to an
>>>>>internal server. The problem is when I try to view the logs it just
>>>>>shows the firewall IP as the sender and not the original sender.
>>>>>
>>>>In reality, the firewall may be making the connection to the internal
>>>>server... and not the external machine.  Especially if the internal
>>>>server is on a 192.168.x.x or 10.x.x.x network and you are connecting
>>>>via NAT.  If that is the case, the external machine is connecting to the
>>>>firewall and the firewall is connecting to the internal server.
>>>>
>>>>_______________________________________________
>>>>CentOS mailing list
>>>>CentOS at centos.org
>>>>http://lists.centos.org/mailman/listinfo/centos
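An added example, not from anyone in this thread: a small POSIX shell audit over iptables-save style rules that flags the double-NAT pattern Peter describes (a POSTROUTING SNAT aimed at the DNAT target, which makes the internal mail server log the firewall's address) and checks that the forwarded port is accepted in the FORWARD chain. The addresses, interface names, rulesets and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit iptables-save style NAT rules. A PREROUTING DNAT alone keeps
# the client's source address; a POSTROUTING SNAT toward the DNAT target rewrites it,
# so the internal server logs the firewall's IP. All rules below are constructed.

# Constructed ruleset in the shape Mark posted: DNAT plus SNAT (double NAT).
DOUBLE_NAT_RULES='-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.1
-A POSTROUTING -d 10.0.0.1/32 -j SNAT --to-source 203.0.113.10
-A FORWARD -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT'

# Constructed ruleset in the shape Johnny suggested: DNAT plus FORWARD accept, no SNAT.
DNAT_ONLY_RULES='-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.1:25
-A FORWARD -i eth0 -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT'

# Print each PREROUTING DNAT target address (any :port suffix stripped), one per line.
dnat_targets() {
    printf '%s\n' "$1" | awk '/^-A PREROUTING / && /-j DNAT/ {
        for (i = 1; i <= NF; i++)
            if ($i == "--to-destination") { sub(/:.*$/, "", $(i + 1)); print $(i + 1) }
    }'
}

# Succeed (printing the affected target) when a POSTROUTING SNAT rewrites the source
# of traffic headed for a DNAT target: the configuration that hides the client IP.
masks_client_ip() {
    rc=1
    for target in $(dnat_targets "$1"); do
        if printf '%s\n' "$1" | grep -qE -- "^-A POSTROUTING -d ${target}(/32)? .*-j SNAT"; then
            echo "$target"
            rc=0
        fi
    done
    return $rc
}

# Succeed when the FORWARD chain accepts the forwarded port; without such a rule
# the DNAT'ed packets never reach the internal server.
has_forward_accept() {
    printf '%s\n' "$1" | grep -qE -- "^-A FORWARD .*--dport $2 .*-j ACCEPT"
}

# Stand-alone usage: report on both constructed rulesets.
report() {
    if t=$(masks_client_ip "$2"); then echo "$1: SNAT masks client IP for DNAT target $t"
    else echo "$1: client IP preserved"; fi
    has_forward_accept "$2" 25 && echo "$1: FORWARD accepts port 25"
}
report "double NAT" "$DOUBLE_NAT_RULES"
report "DNAT only" "$DNAT_ONLY_RULES"
```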