Hi,

I have a DNAT issue with PREROUTING. This is my setup.

I have 2 firewalls running iptables. Please assume 1.2.3.4/29 is the internet interface of the FIRST firewall. 2.3.4.5/29 is the internet interface of the SECOND firewall. It has a DMZ zone; in that DMZ zone, a mail server is running at 192.168.100.3.

Now I want to DNAT port 25 of the FIRST firewall (i.e. its IP address, 1.2.3.4/29) to the internet IP address (2.3.4.5/29) of the SECOND firewall. That firewall DNATs port 25 to the mail server at 192.168.100.3 in the DMZ zone.

These are the rules I have added.

On the FIRST firewall (its internet IP address, 1.2.3.4/29) I have added the rule below.

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25

That should forward port 25 to the SECOND firewall. On the SECOND firewall, I have added the 2 rules below.

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT

Now, it should forward port 25 to the mail server in the DMZ zone.

I think I have added these rules properly. But it does not work.

I checked from the outside world. I telneted to port 25 of the first firewall. Then it should forward to the mail server in the DMZ zone. But no response.

WHY is that?

YOUR IDEAS?

--
Thank you
Indunil Jayasooriya

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Indunil Jayasooriya wrote:
> On the FIRST firewall (its internet IP address, 1.2.3.4/29) I have added the rule below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
>
> That should forward port 25 to the SECOND firewall. On the SECOND firewall, I have added the 2 rules below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
>
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT

First run tcpdump* or the like on the SMTP box to see that incoming packets arrive. If they don't, see if they arrive on 2.3.4.5 etc.

If they arrive at the destination, see how far they go back (tcpdump on the firewall boxes).

Btw, assuming both of your firewall boxes have similar iptables rulesets, shouldn't the first one also have a -t filter -A FORWARD ... -j ACCEPT rule? Make sure you also have the ESTABLISHED,RELATED -j ACCEPT rules.

And have you made sure that the SMTP box accepts connections from anywhere? Is your MTA listening on the external interface?

* - tcpdump -i eth0 port 25

Regards,

--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@krediidiinfo.ee

Krediidiinfo AS
http://www.krediidiinfo.ee/
On 9/25/07, Aleksander Kamenik <aleksander@krediidiinfo.ee> wrote:
> Indunil Jayasooriya wrote:
> > On the FIRST firewall (its internet IP address, 1.2.3.4/29) I have added the rule below.
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
> >
> > That should forward port 25 to the SECOND firewall. On the SECOND firewall, I have added the 2 rules below.
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
> >
> > iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
>
> First run tcpdump* or the like on the SMTP box to see that incoming
> packets arrive. If they don't, see if they arrive on 2.3.4.5 etc.
>
> If they arrive at the destination, see how far they go back (tcpdump on
> the firewall boxes).
>
> Btw, assuming both of your firewall boxes have similar iptables
> rulesets, shouldn't the first one also have a -t filter -A FORWARD ...
> -j ACCEPT rule?

No filter rule has been specified.

> Make sure you also have the ESTABLISHED,RELATED -j ACCEPT rules.

I have not added it to the PREROUTING chain. I added it just now. The FORWARD, INPUT and OUTPUT chains have it.

> And have you made sure that the SMTP box accepts connections from
> anywhere?

It is behind my second firewall. It is in the DMZ ZONE.

YES, it accepts connections from anywhere. Let's say, if I telnet to port 25 as below,

telnet 2.3.4.5 25

it accepts; it works.

Now what I need is that I want to telnet to the first firewall, then it will forward to the second firewall, and the second firewall will forward to the actual mail server.

> Is your MTA listening on the external interface?

eth0 is the internet IP of the firewall.
eth1 is connected to the mail server.

> * - tcpdump -i eth0 port 25
>
> Regards,
>
> --
> Aleksander Kamenik

--
Thank you
Indunil Jayasooriya
Indunil Jayasooriya wrote:
> I have not added it to the PREROUTING chain. I added it just
> now. The FORWARD, INPUT and OUTPUT chains have it.

PREROUTING must not have it. Only the three filter chains, and only if you use the state machine.

> telnet 2.3.4.5 25
>
> it accepts; it works.

OK, so DNAT at the second firewall works already. I missed that.

> Now what I need is that I want to telnet to the first firewall, then it
> will forward to the second firewall, and the second firewall will forward
> to the actual mail server.

Yes, I got that.

Anyway, it's hard to guess without seeing all the rules of the first firewall. Do any other DNATs at the first firewall work already?

Is forwarding enabled? "cat /proc/sys/net/ipv4/ip_forward" should be "1".

Oh, and by the way, I assumed your routing is in place. Is the second firewall's default route (gateway) the first firewall? You can look at it with "ip route list | grep default". If 1.2.3.4 and 2.3.4.5 are both external IPs then it's probably the problem.

--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@krediidiinfo.ee

Krediidiinfo AS
http://www.krediidiinfo.ee/
Indunil Jayasooriya wrote:
> Hi,
>
> I have a DNAT issue with PREROUTING.
>
> This is my setup.
>
> I have 2 firewalls running iptables.
>
> Please assume 1.2.3.4/29 is the internet interface of the FIRST firewall.
> 2.3.4.5/29 is the internet interface of the SECOND firewall. It has a DMZ
> zone; in that DMZ zone, a mail server is running at 192.168.100.3.
>
> Now I want to DNAT port 25 of the FIRST firewall (i.e. its IP address,
> 1.2.3.4/29) to the internet IP address (2.3.4.5/29) of the SECOND
> firewall. That firewall DNATs port 25 to the mail server at 192.168.100.3
> in the DMZ zone.
>
> These are the rules I have added.
>
> On the FIRST firewall (its internet IP address, 1.2.3.4/29) I have added
> the rule below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
>
> That should forward port 25 to the SECOND firewall. On the SECOND
> firewall, I have added the 2 rules below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
>
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
>
> Now, it should forward port 25 to the mail server in the DMZ zone.
>
> I think I have added these rules properly. But it does not work.
>
> I checked from the outside world. I telneted to port 25 of the first
> firewall. Then it should forward to the mail server in the DMZ zone.
> But no response.
>
> WHY is that?
>
> YOUR IDEAS?

May it be a problem of SNAT? I try to explain my guess:

FW1: firewall at 1.2.3.4
FW2: firewall at 2.3.4.5
SRV: mail server at 192.168.100.3

I telnet FW1 on port 25 from a PC with IP address 4.5.6.7. FW1 forwards the connection to FW2. FW2 forwards the connection to SRV. SRV now receives packets from 4.5.6.7 and sends packets back to that address.

I think that the connection shall fail if those packets on their way to 4.5.6.7 get 'SNAT-ted' to an address different from 1.2.3.4.

Apologies for my poor English!

> --
> Thank you
> Indunil Jayasooriya

You're welcome

Riccardo Penco
On 9/25/07, Aleksander Kamenik <aleksander@krediidiinfo.ee> wrote:
> Indunil Jayasooriya wrote:
> > I have not added it to the PREROUTING chain. I added it just
> > now. The FORWARD, INPUT and OUTPUT chains have it.
>
> PREROUTING must not have it. Only the three filter chains, and only if
> you use the state machine.

NOTED

> > telnet 2.3.4.5 25
> >
> > it accepts; it works.
>
> OK, so DNAT at the second firewall works already. I missed that.
>
> > Now what I need is that I want to telnet to the first firewall, then it
> > will forward to the second firewall, and the second firewall will forward
> > to the actual mail server.
>
> Yes, I got that.
>
> Anyway, it's hard to guess without seeing all the rules of the first
> firewall. Do any other DNATs at the first firewall work already?
>
> Is forwarding enabled? "cat /proc/sys/net/ipv4/ip_forward" should be "1".

YES

> Oh, and by the way, I assumed your routing is in place. Is the second
> firewall's default route (gateway) the first firewall?

Oh yeah, this is the POINT.

The SECOND firewall's default route (gateway) is NOT the FIRST firewall. BOTH firewalls' default route (gateway) is the router given by our ISP. I think this is the case.

> If 1.2.3.4 and 2.3.4.5 are both external IPs then it's probably the
> problem.

YES, this is the IP block given by our ISP. I got 8 internet IPs. But they all reside in the same subnet, that is 255.255.255.248.

Hope to hear from you.

--
Thank you
Indunil Jayasooriya
Indunil Jayasooriya wrote:
> The SECOND firewall's default route (gateway) is NOT the FIRST firewall.
> BOTH firewalls' default route (gateway) is the router given by our ISP.

Ok, so you understand your problem now?

Assuming the packet arrives at 1.2.3.4 from a random external IP (e.g. 5.5.5.5), it is successfully DNAT+rerouted to 2.3.4.5, there again DNAT+rerouted to 192.168.x.x. It arrives at the SMTP server and the SMTP server sends a reply to the original sender 5.5.5.5. It does that via its default gateway, which I assume is 2.3.4.5. 2.3.4.5 sends it via your ISP's gateway with its own address of 2.3.4.5 to 5.5.5.5.

But 5.5.5.5 sent the packet to 1.2.3.4, not 2.3.4.5, so it discards it.

And that's exactly what Riccardo said when I read his mail now.

The first problem though is that I'm not sure the DNAT from 1.2.3.4 to 2.3.4.5 works; the packet would have to leave via the same interface it came in on. Maybe this works, I've never tried that. Make sure packets arrive on the SMTP box with tcpdump.

As for the solution, one way would be to SNAT the connection at FW1, but this would cause the SMTP box to see as if all the incoming connections are from 1.2.3.4 and not their real IPs (5.5.5.5).

Actually you should set up custom routing at 1.2.3.4 and not DNAT. You'd have to mark the packets and then send them to the 2.3.4.5 fw via a custom route. I'm not sure I could help you with that, never done any advanced routing.

--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@krediidiinfo.ee

Krediidiinfo AS
http://www.krediidiinfo.ee/
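A small model of the reply path Aleksander walks through above, added here as an example; it is not code from the thread. It assumes the addresses from the thread (client 5.5.5.5 is his example) and a simplified conntrack in which each box only un-NATs replies to flows it translated itself; the SNAT case stands for an extra nat POSTROUTING SNAT rule on FW1 and reproduces the trade-off he mentions (the MTA then sees 1.2.3.4 as the peer).

```python
# Added model (not from the thread) of the reply path Aleksander describes.
# Topology from the thread; the client address 5.5.5.5 is the example he used.
CLIENT, FW1, FW2, SRV = "5.5.5.5", "1.2.3.4", "2.3.4.5", "192.168.100.3"


class Firewall:
    """One iptables box: PREROUTING DNAT, optional POSTROUTING SNAT, and a
    conntrack table so replies matching its own translations get un-NATed."""

    def __init__(self, dnat_to, snat_src=None):
        self.dnat_to, self.snat_src = dnat_to, snat_src
        self.conntrack = {}  # (reply src, reply dst) -> (original src, original dst)

    def forward(self, src, dst):
        orig = (src, dst)
        dst = self.dnat_to                 # nat PREROUTING ... -j DNAT
        if self.snat_src:
            src = self.snat_src            # nat POSTROUTING ... -j SNAT (optional)
        self.conntrack[(dst, src)] = orig  # a reply must come back as dst -> src
        return src, dst

    def reply(self, src, dst):
        """Undo NAT for a reply, or return None if this box never saw the flow."""
        if (src, dst) not in self.conntrack:
            return None
        osrc, odst = self.conntrack[(src, dst)]
        return odst, osrc


def simulate(snat_at_fw1):
    """Return what the MTA sees as the peer, the reply's source address, and
    whether the client accepts the reply (source must equal the address it
    connected to, i.e. FW1)."""
    fw1 = Firewall(dnat_to=FW2, snat_src=FW1 if snat_at_fw1 else None)
    fw2 = Firewall(dnat_to=SRV)
    # Forward path: CLIENT -> FW1 -> FW2 -> SRV
    src, dst = fw1.forward(CLIENT, FW1)
    src, dst = fw2.forward(src, dst)
    srv_sees = src
    # Reply path: SRV's gateway is FW2, which un-NATs its own DNAT ...
    rsrc, rdst = fw2.reply(SRV, srv_sees)
    # ... then sends via the ISP router (its default route), NOT via FW1.
    if rdst == FW1:                        # only true when FW1 SNATed
        rsrc, rdst = fw1.reply(rsrc, rdst)
    accepted = rdst == CLIENT and rsrc == FW1
    return {"srv_sees": srv_sees, "reply_src": rsrc, "accepted": accepted}


if __name__ == "__main__":
    print("DNAT only:  ", simulate(False))   # reply from 2.3.4.5 -> discarded
    print("DNAT + SNAT:", simulate(True))    # reply from 1.2.3.4, MTA sees 1.2.3.4
```

The SNAT case corresponds to a rule on FW1 along the lines of "iptables -t nat -A POSTROUTING -o eth0 -d 2.3.4.5 -p tcp --dport 25 -j SNAT --to-source 1.2.3.4" (assumed, not from the thread), which makes FW2's reply route back through FW1 so it can be un-NATed.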
On 9/25/07, Aleksander Kamenik <aleksander@krediidiinfo.ee> wrote:
> Indunil Jayasooriya wrote:
> > The SECOND firewall's default route (gateway) is NOT the FIRST firewall.
> > BOTH firewalls' default route (gateway) is the router given by our ISP.
>
> Ok, so you understand your problem now?
>
> Assuming the packet arrives at 1.2.3.4 from a random external IP (e.g.
> 5.5.5.5), it is successfully DNAT+rerouted to 2.3.4.5, there again
> DNAT+rerouted to 192.168.x.x. It arrives at the SMTP server and the SMTP
> server sends a reply to the original sender 5.5.5.5. It does that via its
> default gateway, which I assume is 2.3.4.5. 2.3.4.5 sends it via your
> ISP's gateway with its own address of 2.3.4.5 to 5.5.5.5.
>
> But 5.5.5.5 sent the packet to 1.2.3.4, not 2.3.4.5, so it discards it.

YES, I got it.

> And that's exactly what Riccardo said when I read his mail now.
>
> The first problem though is that I'm not sure the DNAT from 1.2.3.4 to
> 2.3.4.5 works; the packet would have to leave via the same interface it
> came in on. Maybe this works, I've never tried that. Make sure packets
> arrive on the SMTP box with tcpdump.
>
> As for the solution, one way would be to SNAT the connection at FW1, but
> this would cause the SMTP box to see as if all the incoming connections
> are from 1.2.3.4 and not their real IPs (5.5.5.5).
>
> Actually you should set up custom routing at 1.2.3.4 and not DNAT. You'd
> have to mark the packets and then send them to the 2.3.4.5 fw via a
> custom route. I'm not sure I could help you with that, never done any
> advanced routing.

Thanks for your excellent help given so far. I will try with advanced routing. Is it policy routing?

> --
> Aleksander Kamenik

--
Thank you
Indunil Jayasooriya