iptables smtp port forwarding problem

Post by Dean Hil » Thu, 19 Dec 2002 22:34:51



Hello,
   I'm relatively new to Linux and iptables. I'm running Redhat 8.0,
iptables 1.2.6a, and using a script for iptables created via a utility
called gShield.  I'm trying to set up the Linux box as a
gateway/firewall for a small LAN.  The Linux box has 2 NICs, one for
the internal network and the other connected to the internet via a
cable connection.  The gateway should also forward mail on port 25 to
an internal W2K mail server.  After running the configuration script,
I can browse the internet just fine from the internal network using
the Linux box as a gateway.  Port 25 is open and is forwarding to the
Windows box, but when I telnet to the Linux box on port 25 I get a
"Connect failed" message.  The mail server log shows that a connection
was made, then immediately dropped.  I can telnet to the internal mail
server on the internal network, and also through another
firewall/router that is connected to the internet via a T1 line. (The
T1 is through Adelphia, now bankrupt, so we are switching to Roadrunner.)
 Anyway, can anyone help?

Post by SimenKin » Thu, 19 Dec 2002 22:51:29



> Hello,
>    I'm relatively new to linux and iptables. I'm running Redhat 8.0,
> iptables 1.2.6a, and using script for iptables created via a utility
> called gShield.  I'm trying to setup the linux box as a
> gateway/firewall for a small lan.  The linux box has 2 nics, one for
> the internal network and the other connected to the internet via a
> cable connection.  The gateway should also forward mail on port 25 to
> an internal w2k mail server.  After running the configuration script,
> I can browse the internet just fine from the internal network using
> the linux box as a gateway.  Port 25 is open and is forwarding to the
> windows box, but when I telnet to the linux box on port 25 I get a
> Connect failed message.  The mail server log shows that a connection
> was made then immediately dropped.  I can telnet to the internal mail
> server on the internal network, and also through another
> firewall/router that is connected to the internet via a T1 line.(The
> T1 is thru adelphia, now bankrupt, so we are switching to roadrunner).
>  Anyway, can anyone help?

Hmm,
  you forward port 25 ---> the mail server. That is:
    iptables -t nat -A PREROUTING -p tcp -d <your internal ip> --dport 25 -j DNAT --to <mail server>
    DNAT ONLY changes the dst IP, and when the mail server ACKs the
packet, it will return to the original src IP (the mail client). Of
course, it will fail.

   So, you need to do SNAT too.

    iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT -j SNAT --to <your internal ip>
   That means: if a packet was DNATed, then we also SNAT it.

enjoy. :-)


Post by scot » Thu, 19 Dec 2002 22:55:00



> en,
>   you forward port 25 ---> the mail server.that is:
>     iptables -t nat -A PREROUTING -p tcp -d <your internal ip> --dport
> 25 -j DNAT --to <mail server>
>     DNAT ONLY change the dst ip,and when the mail server ACK the
> packet,it will return to the original src ip(the mail client).of
> course,it will failed.

Not true. In the OP's case the Linux box is serving as the default gateway
for the LAN. When a connection is made through the Linux box the firewall
takes the packet and changes the destination to go to the mail server. The
mail server then does its thing and tries to reply to the src IP. Since the
Linux box is the default router, the packet then hits the Linux box. Because
you did a DNAT, the Linux box sees this packet as being a reply and alters
the source of the packet and then forwards it on its merry way. So in this
case SNAT is not needed.

>    so,you need do SNAT too.
>     iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT -j SNAT
> --to <your internal ip>
>    that's mean,if a packet was done by DNAT ,then we also SNAT it.

The only time that SNAT is needed in conjunction with DNAT is when we know
the reply packet is going to be misdirected. In other words if the linux
box is not the default gateway. The NAT howto has examples of this at
http://www.iptables.org

Scott
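
An added audit helper, not from the thread or either poster, for checking the condition Scott describes: it reads iptables-save output, lists every PREROUTING DNAT rule, and reports whether a POSTROUTING SNAT/MASQUERADE rule would also rewrite the source of hairpin connections (SimenKin's "--ctstate DNAT" form, a rule addressed to the DNAT target, or an unscoped masquerade). The rule sets and addresses are constructed placeholders; the iptables-save line format is the real one.

```python
"""Audit iptables-save output for DNAT rules and their hairpin-SNAT coverage.
Added example; rule sets below are constructed and the addresses are placeholders."""
import shlex

# Constructed: the OP's port-25 DNAT plus the usual outbound masquerade, no hairpin SNAT.
RULES_NO_HAIRPIN = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.25
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A FORWARD -d 192.168.1.25/32 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
"""

# Constructed: the same rules with SimenKin's conntrack-scoped SNAT added.
RULES_HAIRPIN = RULES_NO_HAIRPIN.replace(
    "-A POSTROUTING -o eth0 -j MASQUERADE",
    "-A POSTROUTING -m conntrack --ctstate DNAT -j SNAT --to-source 192.168.1.1\n"
    "-A POSTROUTING -o eth0 -j MASQUERADE")

# Options whose values the audit needs; every other option is skipped with its value.
OPTS = {"-j": "target", "-d": "dst", "-s": "src", "-o": "out_if", "--dport": "dport",
        "--to": "to", "--to-destination": "to", "--to-source": "to", "--ctstate": "ctstate"}


def parse_nat_rules(text):
    """Return one dict per '-A' line of the *nat table (other tables are ignored)."""
    rules, table = [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif table == "nat" and line.startswith("-A "):
            argv = shlex.split(line)
            rule, i = {"chain": argv[1]}, 2
            while i < len(argv):
                if argv[i] in OPTS:
                    rule[OPTS[argv[i]]] = argv[i + 1]
                    i += 2
                elif argv[i] == "!":                      # negated match: skip '! -opt [value]'
                    i += 2 if i + 2 >= len(argv) or argv[i + 2].startswith("-") else 3
                elif argv[i].startswith("-") and i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                    i += 2                                # unknown option carrying a value
                else:
                    i += 1                                # bare flag
            rules.append(rule)
    return rules


def audit_dnat(text):
    """For each PREROUTING DNAT rule, say whether a POSTROUTING SNAT covers hairpin replies."""
    rules = parse_nat_rules(text)
    dnats = [r for r in rules if r["chain"] == "PREROUTING" and r.get("target") == "DNAT"]
    snats = [r for r in rules if r["chain"] == "POSTROUTING" and r.get("target") in ("SNAT", "MASQUERADE")]
    findings = []
    for d in dnats:
        server = d.get("to", "").split(":")[0]            # strip an optional :port
        covered = any(
            "DNAT" in s.get("ctstate", "").split(",")     # SimenKin's form
            or s.get("dst", "").split("/")[0] == server   # SNAT addressed to the server
            or not any(k in s for k in ("out_if", "dst", "src", "ctstate"))  # unscoped masquerade
            for s in snats)
        findings.append({
            "dport": d.get("dport"), "server": server, "hairpin_snat": covered,
            "note": (f"LAN clients connecting to the public address get replies straight from {server}; "
                     "fine if only internet clients use this service and the server's gateway is this box")
                    if not covered else
                    f"{server} will log every forwarded client as the firewall's own address",
        })
    return findings


if __name__ == "__main__":
    for label, text in (("without hairpin SNAT", RULES_NO_HAIRPIN), ("with hairpin SNAT", RULES_HAIRPIN)):
        for f in audit_dnat(text):
            print(f"{label}: port {f['dport']} -> {f['server']}: {f['note']}")
```

Feed it `iptables-save` output from the box in question; an eth0-scoped MASQUERADE is deliberately not counted as coverage, because a hairpin reply leaves through the internal interface and that rule never sees it.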


Post by SimenKin » Thu, 19 Dec 2002 23:14:26




> >en,
> >  you forward port 25 ---> the mail server.that is:
> >    iptables -t nat -A PREROUTING -p tcp -d <your internal ip> --dport
> >25 -j DNAT --to <mail server>
> >    DNAT ONLY change the dst ip,and when the mail server ACK the
> >packet,it will return to the original src ip(the mail client).of
> >course,it will failed.

> Not true. In the OP's case the Linux box is service as the default gateway
> for the lan. When a connection is made through the Linux box the firewall
> takes the packet and changes the destination to go to the mail server. The
> mail server then does its thing and tries to reply to the src IP.
> Since the
> linux box is the default router the packet then hits the linux box.
> Because
> you did a DNAT the linux box sees this packet as being a reply and alters
> the source of the packet and then forwards it on its merry way. So in this
> case SNAT is not needed.

> >   so,you need do SNAT too.

> >    iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT -j SNAT
> >--to <your internal ip>
> >   that's mean,if a packet was done by DNAT ,then we also SNAT it.

> The only time that SNAT is needed in conjunction with DNAT is when we know
> the reply packet is going to be misdirected. In other words if the linux
> box is not the default gateway. The NAT howto has examples of this at
> http://www.iptables.org

> Scott

But, you see, the clients and the mail server are in the same subnetwork.

PS:
Sorry, I did not explain it clearly; English is not my mother language.

^-^


Post by scot » Fri, 20 Dec 2002 01:20:48



> but,you see,the clients and the mail server are in the same subnetwork.
> PS:
> sorry, i explained it not clearly,English is not my mother language

Don't worry about the English. It isn't bad...

Rereading the original Poster's email about this, he doesn't mention the
clients location. So, to overcome the language problem, I am going to try
ascii art.

Cable Modem <-------> (Ext interface) Linux firewall to NAT
                                          (Internal Interface )
                                                 ^
                                                 | (LAN)
                                           +------------+
                                        Win2k          Desktop
                                       mail server

Any client on the local LAN (in this case the box named "Desktop") will be
able to access the Win2k mail server without accessing the firewall. It can
just use the local LAN IP address for it. Since it is on the same subnet it
doesn't need the router.

Any client coming in from the internet via the cable modem needs to come in
through the firewall and the DNAT is used to route mail traffic to the
Win2k server. For a packet to go back to the internet the linux box will
see that it came from the mail server and that it belongs to an already
existing connection. It will then accept the packet and change the source
IP address so that when the client sees it, it actually appears to have
come from the firewall... There is no need to do an SNAT.

Does that make more sense?

Scott


Post by SimenKin » Fri, 20 Dec 2002 01:58:35




> >but,you see,the clients and the mail server are in the same subnetwork.

> >PS:
> >sorry, i explained it not clearly,English is not my mother language

> Don't worry about the English. It isn't bad...

> Rereading the original Poster's email about this, he doesn't mention the
> clients location. So, to overcome the language problem, I am going to try
> ascii art.

> Cable Modem <-------> (Ext interface) Linux firewall to NAT
>                                           (Internal Interface )
>                                                  ^
>                                                  | (LAN)
>                                            +------------+
>                                         Win2k          Desktop
>                                        mail server

> Any client on the local LAN (in this case the box named "Desktop") will be
> able to access the Win2k mailserver without accessing the firewall. It can
> just use the local LAN Ip address for it. Since it is on the same
> subnet it
> doesn't need the router.

> Any client coming in from the internet via the cable modem needs to
> come in
> through the firewall and the DNAT is used to route mail traffic to the
> Win2k server. For a packet to go back to the internet the linux box will
> see that it came from the mail server and that it belongs to an already
> existing connection. It will then accept the packet and change the source
> IP address so that when the client sees it, it actually appears to have
> come from the firewall... There is no need to do an SNAT.

> Does that make more sense?

> Scott

Thanks.
  Indeed, I know how DNAT and SNAT work, and when and where to use them.
  Anyway, although SNAT is not needed in some situations (maybe the
original email should have been clearer :-) ), I think my solution will
solve his problem. Do you think so?

SimenKing.


Post by scot » Fri, 20 Dec 2002 02:10:43



> thanks.
>   indeed,I know how DNAT and SNAT works,and when&where to use them.
>   anyway, although,SNAT is not needed in some situation(maybe the
> original email should be more clear :-) ), i think my solution will
> solve his problem. do you think so?

I agree the op should have been more clear on where the client is. Your
solution will work, but in terms of firewalls and security, I am a firm
believer in not putting a rule in where it isn't absolutely necessary just
in case it opens a hole up somewhere and maybe makes things more confusing
for future projects. But yeah...Your solution should work.

Scott


Post by Dean Hil » Fri, 20 Dec 2002 02:30:48


O.K.,
    I've solved my problem.  I'm sorry if I did not explain the problem
correctly. My situation is that I have two connections to the internet right
now.  A T1 line that is connected to the network via a router, and a cable
connection that goes into a Linux box.  The T1 router will be leaving, the
Linux box/cable connection will be staying, but before that happens I want
to make sure that everything works.  So, when trying to telnet to the mail
server through the Linux box to see if everything was good, I forgot about
the gateways of both my machine and the mail server.  I needed to
switch the gateway of the mail server to the Linux box, and the gateway of
my workstation to the T1 router.  That way, as far as I can tell, the IP
address coming into the Linux firewall appeared to be a valid external
address, as real mail would, and it worked just fine. Thanks for the
responses.   -Dean



> > thanks.
> >   indeed,I know how DNAT and SNAT works,and when&where to use them.
> >   anyway, although,SNAT is not needed in some situation(maybe the
> > original email should be more clear :-) ), i think my solution will
> > solve his problem. do you think so?

> I agree the op should have been more clear on where the client is. Your
> solution will work, but in terms of firewalls and security, I am a firm
> believer in not putting a rule in where it isn't absolutely necessary just
> in case it opens a hole up somewhere and maybe makes things more confusing
> for future projects. But yeah...Your solution should work.

> Scott


Post by Dean Hil » Fri, 20 Dec 2002 02:32:28


oops...
My situation is that I have (two) connections to the internet right now.


> O.K.,
>     I've solved my problem.  I'm sorry if I did not explain the problem
> correctly. My situation is that I have to connections to the internet right
> now.  A t1 line that is connected to the network via a router, and a cable
> connection that goes into a linux box.  The t1 router will be leaving, the
> linux box/cable connection will be staying, but before that happens I want
> to make sure that everything works.  So, when trying to telnet to the mail
> server through the linux box to see if everything was good, I forgot about
> the gateways for both my machine as well as the mail server.  I needed to
> switch the gateway of the mail server to the linux box, and the gateway of
> my workstation to the T1 router.  That way, as far as I can tell, the ip
> address coming into the linux firewall appeared to be a valid external
> address, as real mail would, and it worked just fine. Thanks for the
> responses.   -Dean




> > > thanks.
> > >   indeed,I know how DNAT and SNAT works,and when&where to use them.
> > >   anyway, although,SNAT is not needed in some situation(maybe the
> > > original email should be more clear :-) ), i think my solution will
> > > solve his problem. do you think so?

> > I agree the op should have been more clear on where the client is. Your
> > solution will work, but in terms of firewalls and security, I am a firm
> > believer in not putting a rule in where it isn't absolutely necessary just
> > in case it opens a hole up somewhere and maybe makes things more confusing
> > for future projects. But yeah...Your solution should work.

> > Scott


Post by SimenKin » Fri, 20 Dec 2002 13:31:50




> >thanks.
> >  indeed,I know how DNAT and SNAT works,and when&where to use them.
> >  anyway, although,SNAT is not needed in some situation(maybe the
> >original email should be more clear :-) ), i think my solution will
> >solve his problem. do you think so?

> I agree the op should have been more clear on where the client is. Your
> solution will work, but in terms of firewalls and security, I am a firm
> believer in not putting a rule in where it isn't absolutely necessary just
> in case it opens a hole up somewhere and maybe makes things more confusing
> for future projects. But yeah...Your solution should work.

> Scott

Yeah, you are right.
In that case, the mail server will never know where the clients are
coming from.
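
The reply paths the whole thread argues about, as an added Python model that is not part of the thread and not code from any of the posters. It assumes Scott's diagram plus the second (T1) router from Dean's last message, with constructed addresses: 203.0.113.10 is the firewall's public side, 192.168.1.1 its LAN side, 192.168.1.25 the mail server, 192.168.1.50 the desktop, 192.168.1.254/198.51.100.200 the T1 router (assumed to masquerade for hosts that use it as gateway), and 198.51.100.7 an internet client. It traces one SYN to the public address on port 25 and the SYN-ACK back through each box's conntrack table, and reproduces every case raised above: an internet client needs no SNAT while the mail server's default gateway is the firewall (Scott); a LAN client aimed at the public address fails without SimenKin's SNAT and works with it, but the server then sees the firewall's own address (SimenKin's last point); and pointing the mail server's gateway at the other router breaks the reply (Dean's finding).

```python
"""Model of DNAT/SNAT reply routing for the thread's topology (added example,
constructed addresses, not code from the thread)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
FW_PUBLIC, FW_LAN, MAIL = "203.0.113.10", "192.168.1.1", "192.168.1.25"
T1_PUBLIC, T1_LAN = "198.51.100.200", "192.168.1.254"
DESKTOP, INTERNET_CLIENT = "192.168.1.50", "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Router with a conntrack table.  With mail_ip set it applies the thread's
    PREROUTING rule (public_ip:25 -> mail_ip); hairpin_snat adds SimenKin's
    POSTROUTING '--ctstate DNAT -j SNAT --to lan_ip'; masquerade models the
    assumed T1 router, which rewrites every outbound LAN source to its public IP."""

    def __init__(self, public_ip, lan_ip, mail_ip=None, hairpin_snat=False, masquerade=False):
        self.public_ip, self.lan_ip, self.mail_ip = public_ip, lan_ip, mail_ip
        self.hairpin_snat, self.masquerade = hairpin_snat, masquerade
        self.conntrack = {}                   # reply-direction tuple -> original packet

    def handle(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:             # reply to a NATed flow: undo both rewrites
            o = self.conntrack[key]
            return Packet(o.dst, o.dport, o.src, o.sport)
        src, dst = pkt.src, pkt.dst
        if self.mail_ip and dst == self.public_ip and pkt.dport == 25:
            dst = self.mail_ip                                   # DNAT
            if self.hairpin_snat:
                src = self.lan_ip                                # SNAT only on DNATed flows
        elif self.masquerade and ip_address(src) in LAN and ip_address(dst) not in LAN:
            src = self.public_ip                                 # plain outbound masquerade
        out = Packet(src, pkt.sport, dst, pkt.dport)
        if out != pkt:
            self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out


def simulate(client_ip, client_gw, mail_gw, hairpin_snat=False):
    """Trace a SYN from client_ip to FW_PUBLIC:25 and the SYN-ACK back.
    Returns (outcome, source address the mail server saw, hop-by-hop trace)."""
    fw = NatBox(FW_PUBLIC, FW_LAN, mail_ip=MAIL, hairpin_snat=hairpin_snat)
    t1 = NatBox(T1_PUBLIC, T1_LAN, masquerade=True)
    routers = {FW_PUBLIC: fw, FW_LAN: fw, T1_PUBLIC: t1, T1_LAN: t1}
    gateway = {client_ip: client_gw, MAIL: mail_gw}   # default gateway of each LAN host

    def next_hop(here, pkt):
        if here in routers or ip_address(here) not in LAN:
            return pkt.dst                    # routers and internet hosts reach any dst directly
        if ip_address(pkt.dst) in LAN:
            return pkt.dst                    # same subnet: no router involved (Scott's point)
        return gateway[here]

    here, pkt, seen_by_mail, trace = client_ip, Packet(client_ip, 40000, FW_PUBLIC, 25), None, []
    for _ in range(12):
        nh = next_hop(here, pkt)
        trace.append(f"{here} -> {nh}: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        if nh in routers:
            pkt = routers[nh].handle(pkt)
        elif nh == MAIL and pkt.dport == 25:
            seen_by_mail = pkt.src            # the server answers whatever source it saw
            pkt = Packet(pkt.dst, 25, pkt.src, pkt.sport)
        elif nh == client_ip:                 # the client's TCP stack only accepts a matching reply
            ok = pkt == Packet(FW_PUBLIC, 25, client_ip, 40000)
            return ("connected" if ok else f"dropped: reply came from {pkt.src}:{pkt.sport}"), seen_by_mail, trace
        else:
            return f"lost at {nh}", seen_by_mail, trace
        here = nh
    return "routing loop", seen_by_mail, trace


if __name__ == "__main__":
    cases = [
        ("internet client, mail gw = firewall, no SNAT", (INTERNET_CLIENT, None, FW_LAN, False)),
        ("internet client, mail gw = T1 router, no SNAT", (INTERNET_CLIENT, None, T1_LAN, False)),
        ("desktop via firewall, no SNAT", (DESKTOP, FW_LAN, FW_LAN, False)),
        ("desktop via firewall, hairpin SNAT", (DESKTOP, FW_LAN, FW_LAN, True)),
        ("desktop via T1 router, mail gw = firewall", (DESKTOP, T1_LAN, FW_LAN, False)),
    ]
    for label, args in cases:
        outcome, seen, trace = simulate(*args)
        print(f"{label}: {outcome}; mail server saw source {seen}")
        for hop in trace:
            print("   ", hop)
```

The fourth case is SimenKin's fix and the fifth is Dean's working setup; in both the connection completes, but only in the hairpin-SNAT case does the mail server's log show the firewall's LAN address instead of the client.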