[CentOS] iptables port forwarding

Fri May 20 03:17:23 UTC 2005
Mark Quitoriano <markquitoriano at gmail.com>

@ john et al

ei tnx guys i tried john's syntax and it work :) 

@peter
anyway the second one(where the snat is) why i put it in the script
because i thought i need to send back the packets to the firewall so
the firewall will send it back to the sender. But when i tired john's
syntax it sends back without the snat syntax. why is that?


On 5/19/05, Peter Farrow <peter at farrows.org> wrote:
> If you are doing it like this as you have indicated,
> 
> iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -j DNAT
> --to-destination 10.0.0.1
> 
> iptables -t nat -A POSTROUTING -d 10.0.0.1 -j SNAT --to xxx.xxx.xxx.xxx
> 
> 
> Then thats why your mail server logs the ip address of the firewall....
> because of the POSTROUTING  line above and the fact that you DNAT'ed to
> an ipaddress that you then SNAT'ed out onto the LAN.
> 
> Its no problem and expected that your mail server has a different IP to
> your firewall, in this case you will need to make sure that
> the. packets you've destination NAT'ed are allowed through the forward
> chain as Johnny Hughes has indicated below.
> 
> P.
> 
> 
> Johnny Hughes wrote:
> 
> >On Thu, 2005-05-19 at 21:44 +0800, Mark Quitoriano wrote:
> >
> >
> >>here's how i did mine
> >>
> >>
> >
> >
> >
> >>iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -j DNAT
> >>--to-destination 10.0.0.1
> >>
> >>iptables -t nat -A POSTROUTING -d 10.0.0.1 -j SNAT --to xxx.xxx.xxx.xxx
> >>
> >>because the firewall has different ip than my mail server
> >>
> >>
> >>
> >You are forwarding it twice
> >
> >Is 10.0.0.1 the internal interface of the firewall (that contains -d
> >xxx.xxx.xxx.xxx) or is it a seperate machine
> >
> >If it is on the same machine, try this (assuming you have a FORWARD rule
> >too):
> >
> >iptables -A FORWARD -i $EXTIF -p tcp  --dport 25 -m state \
> > --state NEW,ESTABLISHED,RELATED -j ACCEPT
> >
> >iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 25 \
> > -j DNAT --to xxx.xxx.xxx.xxx
> >
> >($EXTIF is the external insterface {eth0, eth1, etc.}, $EXTIP is the
> >external IP address)
> >
> >
> >
> >>On 5/19/05, Peter Farrow <peter at farrows.org> wrote:
> >>
> >>
> >>>If you're doing true port forwarding, the internal server should see the
> >>>ip address of the external machine in its logs.
> >>>
> >>>This is how my machines log that do this,  I use this type of entry in
> >>>iptables:
> >>>
> >>>iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to
> >>>10.198.0.17
> >>>
> >>>P.
> >>>
> >>>
> >>>Johnny Hughes wrote:
> >>>
> >>>
> >>>
> >>>>On Thu, 2005-05-19 at 21:08 +0800, Mark Quitoriano wrote:
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>>i'm having a problem viewing logs on forwarded ports from the firewall
> >>>>>to another server, i forwarded mail(port 25) from the firewall to an
> >>>>>internal server. The problem is when i try to view the logs it just
> >>>>>shows the firewall ip as the sender and not the original sender.
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>In reality, the firewall may be making the connection to the internal
> >>>>server... and not the external machine.  Especially if the internal
> >>>>server is on a 192.168.x.x or 10.x.x.x network and you are connecting
> >>>>via NAT.  If that is the case, the external machine is connecting to the
> >>>>firewall and the firewall is connecting to the internal server.
> >>>>
> >>>>
> >>>>------------------------------------------------------------------------
> >>>>
> >>>>_______________________________________________
> >>>>CentOS mailing list
> >>>>CentOS at centos.org
> >>>>http://lists.centos.org/mailman/listinfo/centos
> >>>>
> >>>>
> >>>>
> >>>>
> >>>_______________________________________________
> >>>CentOS mailing list
> >>>CentOS at centos.org
> >>>http://lists.centos.org/mailman/listinfo/centos
> >>>
> >>>
> >>>
> >>
> >>
> >>------------------------------------------------------------------------
> >>
> >>_______________________________________________
> >>CentOS mailing list
> >>CentOS at centos.org
> >>http://lists.centos.org/mailman/listinfo/centos
> >>
> >>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 


-- 
Regards,
Mark Quitoriano, CCNA
http://www.atamanetworks.com