So, you need to do SNAT too:
iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT -j SNAT --to <your internal ip>
That means, if a packet was processed by DNAT, then we also SNAT it.
Enjoy. :-)
> > En,
> > you forward port 25 ---> the mail server. That is:
> > iptables -t nat -A PREROUTING -p tcp -d --dport 25 -j DNAT --to
> > DNAT ONLY changes the dst IP, and when the mail server ACKs the
> > packet, it will return to the original src IP (the mail client). Of
> > course, it will fail.
> Not true. In the OP's case the Linux box is serving as the default gateway
> for the LAN. When a connection is made through the Linux box the firewall
> takes the packet and changes the destination to go to the mail server. The
> mail server then does its thing and tries to reply to the src IP. Since the
> Linux box is the default router, the packet then hits the Linux box. Because
> you did a DNAT, the Linux box sees this packet as being a reply and alters
> the source of the packet and then forwards it on its merry way. So in this
> case SNAT is not needed.
> > So, you need to do SNAT too:
> > iptables -t nat -A POSTROUTING -m conntrack --ctstate DNAT -j SNAT --to
> > That means, if a packet was processed by DNAT, then we also SNAT it.
> The only time that SNAT is needed in conjunction with DNAT is when we know
> the reply packet is going to be misdirected. In other words, if the Linux
> box is not the default gateway. The NAT HOWTO has examples of this at
> http://www.iptables.org
> Scott
PS:
Sorry, I did not explain it clearly; English is not my mother tongue.
^-^
Rereading the original poster's email about this, he doesn't mention the
client's location. So, to overcome the language problem, I am going to try
ASCII art.
Cable Modem <-------> (Ext interface) Linux firewall to NAT
                                      (Internal Interface)
                                              ^
                                              | (LAN)
                                      +-------+------+
                                   Win2k           Desktop
                                 mail server
Any client on the local LAN (in this case the box named "Desktop") will be
able to access the Win2k mail server without accessing the firewall. It can
just use the local LAN IP address for it. Since it is on the same subnet, it
doesn't need the router.
Any client coming in from the internet via the cable modem needs to come in
through the firewall, and the DNAT is used to route mail traffic to the
Win2k server. For a packet to go back to the internet, the Linux box will
see that it came from the mail server and that it belongs to an already
existing connection. It will then accept the packet and change the source
IP address so that when the client sees it, it actually appears to have
come from the firewall... There is no need to do an SNAT.
Does that make more sense?
Scott
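The two cases the thread is arguing about, as an added model that is not part of the thread: the firewall's PREROUTING DNAT, the optional `--ctstate DNAT` SNAT rule and conntrack's reply rewriting are reduced to a few Python functions, and the reply's routing depends on whether the client sits on the Internet or on the same LAN as the mail server. All addresses are made up for the example.

```python
# Constructed model of the thread's two cases; not code from the thread. Made-up addresses:
# firewall external 203.0.113.10 / internal 192.168.1.1, Win2k mail server 192.168.1.25.
from dataclasses import dataclass

FW_EXT, FW_INT, MAIL = "203.0.113.10", "192.168.1.1", "192.168.1.25"
LAN_PREFIX = "192.168.1."  # stands in for the internal /24

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int

def firewall(pkt, conntrack, snat_dnat_flows):
    """One pass through the Linux box: PREROUTING DNAT of :25 to MAIL, the optional
    POSTROUTING `-m conntrack --ctstate DNAT -j SNAT --to <internal ip>` rule, and
    conntrack-based reversal of both translations on reply packets."""
    if pkt.dst == FW_EXT and pkt.dport == 25:               # new inbound SMTP flow
        new_src = FW_INT if snat_dnat_flows else pkt.src
        out = Pkt(new_src, MAIL, pkt.sport, 25)
        conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt  # keyed by reply tuple
        return out
    orig = conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    if orig is not None:                                    # reply: undo DNAT (and SNAT)
        return Pkt(orig.dst, orig.src, orig.dport, orig.sport)
    return pkt                                              # unrelated traffic, forwarded as is

def smtp_handshake_ok(client, snat_dnat_flows):
    """True if a SYN from client to FW_EXT:25 yields a SYN-ACK the client's TCP stack
    will accept, i.e. one sourced from the address and port it actually connected to."""
    ct = {}
    at_server = firewall(Pkt(client, FW_EXT, 40000, 25), ct, snat_dnat_flows)
    synack = Pkt(MAIL, at_server.src, 25, at_server.sport)  # server answers whoever it saw
    # Reply routing: a LAN address other than the firewall's own is reached directly on
    # the subnet (no router in the path); anything else, including a reply aimed at
    # FW_INT, goes back through the Linux box because it is the default gateway.
    if not synack.dst.startswith(LAN_PREFIX) or synack.dst == FW_INT:
        synack = firewall(synack, ct, snat_dnat_flows)
    return synack == Pkt(FW_EXT, client, 25, 40000)

if __name__ == "__main__":
    for who in ("198.51.100.7", "192.168.1.50"):            # Internet client, then LAN client
        for snat in (False, True):
            state = "ok" if smtp_handshake_ok(who, snat) else "FAILS (reply has wrong source)"
            print(who, "with SNAT:" if snat else "no SNAT:", state)
```

The Internet client works either way, while the LAN client connecting to the external address only works once the SNAT rule is present, because otherwise the mail server answers it directly with a source address the client never connected to. The cost of adding the rule is visible in the model too: with SNAT every inbound connection reaches the mail server from FW_INT, so the server's logs no longer show the real client address.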
> > But, you see, the clients and the mail server are in the same subnetwork.
> > PS:
> > Sorry, I did not explain it clearly; English is not my mother tongue.
> Don't worry about the English. It isn't bad...
SimenKing.
Scott
> > Thanks.
> > Indeed, I know how DNAT and SNAT work, and when and where to use them.
> > Anyway, although SNAT is not needed in some situations (maybe the
> > original email should be more clear :-) ), I think my solution will
> > solve his problem. Do you think so?
> I agree the OP should have been more clear on where the client is. Your
> solution will work, but in terms of firewalls and security, I am a firm
> believer in not putting a rule in where it isn't absolutely necessary, just
> in case it opens a hole up somewhere and maybe makes things more confusing
> for future projects. But yeah... Your solution should work.
> Scott
iptables smtp port forwarding problem
Hello,
I'm relatively new to Linux and iptables. I'm running Red Hat 8.0,
iptables 1.2.6a, and using a script for iptables created via a utility
called gShield. I'm trying to set up the Linux box as a
gateway/firewall for a small LAN. The Linux box has 2 NICs, one for
the internal network and the other connected to the internet via a
cable connection. The gateway should also forward mail on port 25 to
an internal W2K mail server. After running the configuration script,
I can browse the internet just fine from the internal network using
the Linux box as a gateway. Port 25 is open and is forwarding to the
Windows box, but when I telnet to the Linux box on port 25 I get a
"Connect failed" message. The mail server log shows that a connection
was made then immediately dropped. I can telnet to the internal mail
server on the internal network, and also through another
firewall/router that is connected to the internet via a T1 line. (The
T1 is through Adelphia, now bankrupt, so we are switching to Road Runner.)
Anyway, can anyone help?