iptables problem - trying to DNAT smtp

Post by Tim Sampso » Thu, 22 Aug 2002 00:27:07

Hello

I asked this recently, but I think I really need to explain the problem more
fully.

I have a Linux box with a public IP address and an NT box doing SMTP on the
private subnet. I want SMTP traffic that comes from the internet to the
Linux box to be forwarded to the NT box and for the NT box to be able to
respond (ie I should be able to telnet port 25 on the Linux box and actually
chat to NT).

I have tried something like this:

iptables -A FORWARD -i $EXTIF -p tcp --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 25 -j DNAT --to-destination $SMTPIP

Now if $SMTPIP is an external SMTP server, it works, but if $SMTPIP is my NT
box, there is no reply. Unfortunately, the NT box does not use Linux as its
gateway to the internet and I think this is where the complication lies. I
think the following is happening with the above rules:

1. Packet with public IP source arrives at EXTIF
2. Linux sends packet with public IP source to NT
3. NT dials internet and responds to public IP
4. Public IP machine wonders why NT box is talking to it

So, I tried adding this

# SNAT the forwarded packets on their way out to the NT box (they carry dport 25, not sport 25)
iptables -t nat -A POSTROUTING -o $INTIF -p tcp -d $SMTPIP --dport 25 -j SNAT --to-source $INTIP

That's as far as I have got (it didn't work).

Does anyone see what's going on here? Can you help?

Cheers
Tim S


iptables problem - trying to DNAT smtp

Post by Jeroen Geilma » Thu, 22 Aug 2002 22:48:38

> Hello

> I asked this recently, but I think I really need to explain the problem more
> fully.

> I have a Linux box with a public IP address and an NT box doing SMTP on the
> private subnet. I want SMTP traffic that comes from the internet to the
> Linux box to be forwarded to the NT box and for the NT box to be able to
> respond (ie I should be able to telnet port 25 on the Linux box and actually
> chat to NT).

> I have tried something like this:

> iptables -A FORWARD -i $EXTIF -p tcp --dport 25 -j ACCEPT
> iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport 25 -j DNAT --to-destination $SMTPIP

> Now if $SMTPIP is an external SMTP server, it works, but if $SMTPIP is my NT
> box, there is no reply.

No, but does the traffic get to the NT box ? Check this on the SMTP
server...

> Unfortunately, the NT box does not use Linux as its
> gateway to the internet

Impossible.
If the NT box uses another route to the net, then you should either
configure the gateway for *that* route to forward SMTP traffic to the NT
box, or you should switch the NT box over to use the Linux box as its
default gateway.

> and I think this is where the complication lies. I
> think the following is happening with the above rules:

> 1. Packet with public IP source arrives at EXTIF
> 2. Linux sends packet with public IP source to NT
> 3. NT dials internet and responds to public IP
> 4. Public IP machine wonders why NT box is talking to it

Yes obviously - so WHY do you do this ?

The NT box needs to *dial* the internet you say - while you have a permanent
connection through the Linux box ??!!!

You have me dazed & confused, sir..

> So, I tried adding this

> iptables -t nat -A POSTROUTING -o $INTIF -p tcp -d $SMTPIP --dport 25 -j SNAT --to-source $INTIP

> That's as far as I have got (it didn't work).

No - sending requests through one route and expecting replies via another
route is more trouble than it's worth...

> Does anyone see what's going on here? Can you help?

Yes - see my first remark.

HTH


iptables problem - trying to DNAT smtp

Post by The Sampson » Fri, 23 Aug 2002 04:15:13

> > Now if $SMTPIP is an external SMTP server, it works, but if $SMTPIP is my
> > NT box, there is no reply.

> No, but does the traffic get to the NT box ? Check this on the SMTP
> server...

Linux is able to telnet port 25 on the NT box and get a reply. I'm not sure
how to check on the NT box whether packets have arrived or not - any ideas?

> If the NT box uses another route to the net, then you should either
> configure the gateway for *that* route to forward SMTP traffic to the NT
> box, or you should switch the NT box over to use the Linux box as its
> default gateway.

What I didn't mention was that it still didn't work when I changed the
gateway to be the Linux box.

> > 4. Public IP machine wonders why NT box is talking to it

> Yes obviously - so WHY do you do this ?

I'm glad it's obvious, that confirms my thinking. It's because I want to get
the mail forwarding in place before I commit to using Linux as the gateway.
Currently NT connects through an ISDN router and the (other) ISP notices
its appearance and feeds mail. If I use Linux as the gateway, I lose my
mailfeed.

> The NT box needs to *dial* the internet you say - while you have a
> permanent connection through the Linux box ??!!!

> You have me dazed & confused, sir..

See above, sir.

> No - sending requests through one route and expecting replies via another
> route is more trouble than it's worth...

But surely it's possible?

Thanks
Tim S


iptables problem - trying to DNAT smtp

Post by Jeroen Geilma » Fri, 23 Aug 2002 07:21:52

> > > Now if $SMTPIP is an external SMTP server, it works, but if $SMTPIP is
> > > my NT box, there is no reply.

> > No, but does the traffic get to the NT box ? Check this on the SMTP
> > server...

> Linux is able to telnet port 25 on the NT box and get a reply. I'm not sure
> how to check on the NT box whether packets have arrived or not - any ideas?

They have and it works - telnetting to port 25 starts a normal SMTP session
as far as the mail server is concerned...

> > If the NT box uses another route to the net, then you should either
> > configure the gateway for *that* route to forward SMTP traffic to the NT
> > box, or you should switch the NT box over to use the Linux box as its
> > default gateway.

> What I didn't mention was that it still didn't work when I changed the
> gateway to be the Linux box.

No but THAT's not surprising - how do you think your ISP determines that it
needs to feed your NT box with your mail ?
This is always IP-based - and the route to the net through the Linux box is
unknown to the other ISP, so it won't work...
You also have to either switch mail deliveries to the other ISP OR convince
the original ISP to allow you to get mail through the other connection from
them...

> > > 4. Public IP machine wonders why NT box is talking to it

> > Yes obviously - so WHY do you do this ?

> I'm glad it's obvious, that confirms my thinking. It's because I want to get
> the mail forwarding in place before I commit to using Linux as the gateway.
> Currently NT connects through an ISDN router and the (other) ISP notices
> its appearance and feeds mail. If I use Linux as the gateway, I lose my
> mailfeed.

> > The NT box needs to *dial* the internet you say - while you have a
> > permanent connection through the Linux box ??!!!

> > You have me dazed & confused, sir..

> See above, sir.

Yes - I saw ;-)

> > No - sending requests through one route and expecting replies via another
> > route is more trouble than it's worth...

> But surely it's possible?

This is Linux - EVERYTHING is possible

You *could* try NATting and tunneling the incoming mail through your LAN to
the Linux box and letting it handle everything from there...

Or probably a dozen other solutions, too.

My comment stands: more trouble than it's worth - just make the switch.


iptables problem - trying to DNAT smtp

Post by The Sampson » Fri, 23 Aug 2002 16:20:10

> They have and it works - telnetting to port 25 starts a normal SMTP session
> as far as the mail server is concerned...

Yes, but when I try DNATing, it doesn't work, so how can I check if those
packets hit the NT box?

> > What I didn't mention was that it still didn't work when I changed the
> > gateway to be the Linux box.

> No but THAT's not surprising - how do you think your ISP determines that it
> needs to feed your NT box with your mail ?

I'm testing the process by telnetting the Linux box on port 25, I'm not
expecting the mailfeed to work yet.

> My comment stands: more trouble than it's worth - just make the switch.

Yes, you are probably right. I'm still left wondering why it doesn't work
with the gateway set correctly. I feel another post coming on....

Cheers
Tim S
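
The question in the post above, how to tell whether the DNATed packets reached the NT box and whether it answered, can be settled on the Linux box itself without touching NT: the connection-tracking table keeps, for every flow, the original tuple, the reply tuple (which after DNAT names the real server) and an [UNREPLIED] flag that stays set until the first packet comes back through the box. The script below is an added example, not code from any post in this thread. It assumes the table is read from /proc/net/ip_conntrack, /proc/net/nf_conntrack or `conntrack -L`, and the three sample entries in it are constructed (RFC 5737 and RFC 1918 addresses), not captured from the poster's network.

```shell
#!/bin/sh
# Added example, not from the thread.  Reads connection-tracking entries
# (/proc/net/ip_conntrack, /proc/net/nf_conntrack or `conntrack -L` output)
# on stdin and reports every TCP flow whose original destination port is
# $1 (default 25): the client, the address it connected to, the address
# the box handed the flow to (taken from the reply tuple) and whether the
# server has answered yet.
smtp_dnat_state() {
    awk -v port="${1:-25}" '
    # accept "tcp 6 ..." (ip_conntrack, conntrack -L) and "ipv4 2 tcp 6 ..." (nf_conntrack)
    $1 != "tcp" && $3 != "tcp" { next }
    {
        n = 0; unreplied = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "[UNREPLIED]") unreplied = 1
            split($i, kv, "=")
            if (kv[1] == "src" || kv[1] == "dst" || kv[1] == "sport" || kv[1] == "dport") {
                n++; f[n] = kv[2]
            }
        }
        # f[1..4]: original src, dst, sport, dport   f[5..8]: reply src, dst, sport, dport
        if (n < 8 || f[4] != port) next
        # After DNAT the reply comes from the real server, so original dst
        # and reply src differ; if they are equal the flow was not rewritten.
        dnat = (f[2] != f[5]) ? ("dnat->" f[5]) : "no-dnat"
        printf "%s:%s -> %s:%s %s %s\n", f[1], f[3], f[2], f[4], dnat, (unreplied ? "UNREPLIED" : "replied")
    }'
}

# Number of rewritten flows that have not yet seen a packet back from the
# server: non-zero right after a test connection means the reply path is
# broken (server routing replies elsewhere, or FORWARD dropping them).
smtp_unreplied_dnat_count() {
    smtp_dnat_state "$@" | grep -c 'dnat->.*UNREPLIED' || true
}

# Constructed sample table (RFC 5737 / RFC 1918 addresses) standing in for
# the real file so the functions can be exercised offline:
#   1. a client whose SYN was DNATed to 192.168.1.15 and never answered
#   2. a DNATed flow that is working
#   3. an unrelated outbound HTTP flow, ignored for port 25
sample_conntrack() {
    cat <<'EOF'
tcp      6 117 SYN_SENT src=198.51.100.7 dst=203.0.113.10 sport=40312 dport=25 [UNREPLIED] src=192.168.1.15 dst=198.51.100.7 sport=25 dport=40312 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.8 dst=203.0.113.10 sport=40400 dport=25 src=192.168.1.15 dst=198.51.100.8 sport=25 dport=40400 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.44 sport=51000 dport=80 src=203.0.113.44 dst=203.0.113.10 sport=80 dport=51000 [ASSURED] use=1
EOF
}

# Offline run against the sample; on the firewall use:
#   smtp_dnat_state < /proc/net/ip_conntrack
sample_conntrack | smtp_dnat_state
```

Run it on the Linux box right after telnetting port 25 on the public address. A dnat-> entry that stays UNREPLIED means the SYN was rewritten and sent towards the mail server but no SYN/ACK came back through this box: either the server never answered, or (as in this thread) its reply left by another route or was dropped in the FORWARD chain. `iptables -t nat -vnL PREROUTING` shows the same from the DNAT rule's packet counter, and `tcpdump -ni $INTIF port 25` shows it on the wire.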


iptables problem - trying to DNAT smtp

Post by The Sampson » Sat, 24 Aug 2002 03:28:55

As it happens, I was not allowing the outgoing stuff through in my FORWARD
chain. Strange, as I thought I had a catch all rule in there.

All set up now with the new gateway and mailfeed.

Thanks for the tips
Tim S


iptables, DNAT, and SMTP

Hello,

  I've been reading for a couple of days now and my mind has gone numb.
I'm hoping to get some help from the community, and I'm sure I'm just
overlooking something very simple. My goal is to forward smtp traffic
destined for one machine to another based on source.

I have done this: echo 1 > /proc/sys/net/ipv4/ip_forward

I've enabled the loading of iptable_nat in the iptables config file.

This is the base of what I'm using in my /etc/sysconfig/iptables file.
Any direction on what I'm missing would be greatly appreciated.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52442:19228811]
COMMIT
*mangle
:PREROUTING ACCEPT [60986:54771131]
:INPUT ACCEPT [60982:54770891]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52445:19228943]
:POSTROUTING ACCEPT [52445:19228943]
COMMIT
*nat
:PREROUTING ACCEPT [1581:83538]
:POSTROUTING ACCEPT [74:4438]
:OUTPUT ACCEPT [525:34512]
-A PREROUTING -s xxx.xxx.66.0/24 -i eth0 -p tcp -d xxx.xxx.64.3 --dport 25 -j DNAT --to-destination xxx.xxx.65.15:25
COMMIT
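
A complete rule set for both setups discussed on this page: the thread above (inbound SMTP on the public address handed to an internal server, replies allowed back through FORWARD, and an optional SNAT so the server answers the Linux box even while Linux is not its default gateway) and the source-restricted variant in the post just above. This is an added example, not code from any of the posters; the interface names and the 203.0.113.10 / 192.168.1.x / 198.51.100.0/24 addresses are assumptions. The function emits the iptables commands rather than running them, so the set can be reviewed or checked before it is applied.

```shell
#!/bin/sh
# Added example, not from the thread: emit (and optionally apply) a
# complete iptables rule set that forwards inbound SMTP to an internal host.
# All interface names and addresses used below are assumptions.
#
# Usage:  smtp_dnat_rules EXTIF INTIF PUBLIC_IP SMTP_IP [SNAT_IP] [SRC_NET]
#   EXTIF/INTIF  external / internal interface of the Linux box
#   PUBLIC_IP    address on EXTIF that outside clients connect to
#   SMTP_IP      internal mail server the connections are handed to
#   SNAT_IP      optional: rewrite the source of the forwarded SMTP packets
#                to this (internal) address so the mail server replies to
#                the Linux box even when Linux is not its default gateway
#   SRC_NET      optional: only redirect connections from this network
#                (the "based on source" case)
smtp_dnat_rules() {
    extif=$1 intif=$2 public_ip=$3 smtp_ip=$4 snat_ip=${5:-} src_net=${6:-}
    src_match=""
    if [ -n "$src_net" ]; then src_match="-s $src_net"; fi

    # 1. Rewrite the destination before routing, so the packet is forwarded
    #    instead of being delivered to the Linux box's own port 25.
    echo "iptables -t nat -A PREROUTING -i $extif $src_match -p tcp -d $public_ip --dport 25 -j DNAT --to-destination $smtp_ip:25"

    # 2. Let the redirected SYN through FORWARD.  FORWARD sees the packet
    #    after PREROUTING, so match on the post-DNAT destination.
    echo "iptables -A FORWARD -i $extif -o $intif -p tcp -d $smtp_ip --dport 25 -m state --state NEW -j ACCEPT"

    # 3. Replies from the mail server and every later packet of the
    #    connection must also pass FORWARD, in both directions.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # 4. Optional: make the mail server see the Linux box as the client,
    #    so its replies come back to the box that holds the DNAT state.
    #    The server then no longer sees the real client address.
    if [ -n "$snat_ip" ]; then
        echo "iptables -t nat -A POSTROUTING -o $intif -p tcp -d $smtp_ip --dport 25 -j SNAT --to-source $snat_ip"
    fi
}

# Number of rules a given configuration produces (used for self-checks).
smtp_dnat_rule_count() {
    smtp_dnat_rules "$@" | wc -l | tr -d ' '
}

# Apply for real: needs root, and forwarding must be switched on first.
smtp_dnat_apply() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    smtp_dnat_rules "$@" | sh -e
}

# Dry run with assumed addresses (RFC 5737 / RFC 1918), SNAT variant:
smtp_dnat_rules eth0 eth1 203.0.113.10 192.168.1.15 192.168.1.1
```

The ESTABLISHED,RELATED rule is the piece whose absence broke the original poster's setup: the first rule only lets the inbound SYN through, and without the second the server's SYN/ACK is dropped in FORWARD. Use the SNAT_IP argument only while the mail server routes replies somewhere other than the Linux box; it hides the real client address from the server's logs and from any anti-relay or anti-spam checks that key on it, so drop it once the server's default gateway is the Linux box.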
