[CentOS] iptables nat PREROUTING chain

Tue Feb 14 22:39:44 UTC 2012
Nataraj <incoming-centos at rjl.com>

On 02/14/2012 01:28 PM, Robert Spangler wrote:
> On Tuesday 14 February 2012 15:21, the following was written:
>>  Is there a way to add a rule to the nat table (CentOS 5.7) that would
>>  alter the port number of tcp packets destined for the server itself?  I
>>  have ip_forwarding enabled, but the packets don't seem to hit the
>>  prerouting chain.
>>  I have the following redirect rule in the prerouting table.  I also
>>  tried DNAT, but if the packets don't hit PREROUTING, it won't work either.
>>  iptables -t nat -L -v -n
>>  Chain PREROUTING (policy ACCEPT 16079 packets, 896K bytes)
>>   pkts bytes target     prot opt in     out     source              
>> destination 0     0 REDIRECT   tcp  --  *      *       
>>           tcp dpt:25 redir ports 12345
>>  aspen 2# cat /proc/sys/net/ipv4/ip_forward
>>  1
> Where are you applying this rule?  On a firewall or on the SMTP server itself?
> If the firewall then you need to use DNAT
> Example:
> iptables -t nat -A PREROUTING -p tcp --dport <Port> -j DNAT --to-destination 
> <Server IP>:<Port>
> If you only want this to happen on the inside of the firewall then you are 
> also going to have to include the interface you want this rule to apply to.
> If it is on the SMTP server itself then you don't need forward to be turned on 
> and you need to use REDIRECT
> Example:
> iptables -t nat -A PREROUTING -p tcp --dport <Port> -j REDIRECT --to-ports 
> <Port>
> Also make sure no other rule is filtering the packets before this rule because 
> if the packets are altered then this rule will never be used.
Thank you.  You've confirmed that the redirect that I have should work. 
I think I know what the problem is now.  I have the NOTRACK bit set for
incoming packets on port 25, so maybe those packets don't hit the nat
PREROUTING table.  I did that because spambot attacks were causing
resource exhaustion problems in the kernel when it was tracking all of
the connections.

I don't really know how to do what I want to do other than increasing
the resource on the server so it could sustain a spambot attack while
tracking the connection.  If you have any ideas it would be appreciated.

What I am trying to do is to change my external SMTP port so that it
does not allow relaying or authentication and move all of the relay
clients to a submission port.  The idea is to rewrite the port on
connections coming from the internal network so we don't have to require
all of the internal clients to reconfigure their mail clients.