[CentOS] DNAT PREROUTING issue with iptables

Alain Spineux aspineux at gmail.com
Tue Sep 25 12:46:06 UTC 2007


Without all the rules, it's not easy to reply.
Your NAT rules looks fine but some filter are missing (I thing).  FW1
should also accept to FORWARD port 25

If you use rules including --state NEW, you must have other rules like

iptables -t filter -A INPUT/FORWARD -m state --state
ESTABLISHED,RELATED -j ACCEPT


The best way for you is to troubleshot you firewalls using tcpdump.
Open 2 terminal on each of your firewall, run
# tcpdump -n -i eth0 port 25
and
# tcpdump -n -i eth1 port 25

Then make some telnet on port 25 to understand what is happening.
Verify packet are going through your firewall and their are well NAT
and DNAT.


On 9/25/07, Indunil Jayasooriya <indunil75 at gmail.com> wrote:
> Hi,
>
> I have an DNAT ISSUE with PREROUTING.
>
> This is my setup.
>
> I have 2 firewalls running iptables.
>
> Pls asume 1.2.3.4/29 is the internet interace of FIRST firewall.
> 2.3.4.5/29 is the internet interface of SECOND firewall. it has DMZ zone. in
> that DMZ zone, mail server runnig @ 192.168.100.3
>
> Now I want to DNAT port 25 of FISRT firewall ( i.e  -  its ip address -
> 1.2.3.4/29) to the internet ip address ( 2.3.4.5/29) of SECOND firewall.
> That firewal DNATs port 25 to mail server @ 192.168.100.3 in DMZ zone.
>
> These are rules I have added.
>
> FIRST firewall (its internet ip address - 1.2.3.4/29) I have addes below
> rule.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT
> --to-destination 2.3.4.5:25
>
> That should forward port 25 to SECOND firewall. in SECOND firewall, I have
> added 2 below rules.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT
> --to-destination 192.168.100.3:25
>
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW
> -j ACCEPT
>
> Now, it should forward port 25  to  mail server  @  DMZ Zone.
>
> I think I have added these rules properly. But, It does not work.
>
> I checked from outside world . I telneted to port 25 of first firewaal.
> Then, It should forward to mail server @ DMZ zone.
> But, no responce.
>
> WHY is that?
>
> YOUR IDEAS?
>
>
>
>
>
>
> --
> Thank you
> Indunil Jayasooriya
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
>


-- 
Alain Spineux
aspineux gmail com
May the sources be with you



More information about the CentOS mailing list