iptables SNAT/DNAT/FORWARD problems
Running the below rules on a firewall. 192.168.1.2 is an SMTP server
inside the firewall.
1. There is one smtp server on the internet that has a connection
timeout from the inside smtp server connecting on port 25.
Telnet host 25 also times out. Direct connection from the firewall
works just fine. What could cause this?
2. Why are the last two -t mangle lines required? Removing them results
in failure of incoming connections to the smtp server. Why isn't the
DNAT line enough?
# log outgoing SMTP from the internal server before it is translated
$PROG -t nat -A POSTROUTING -p tcp \
-o $NIC_EXTERNAL \
--dport smtp -s 192.168.1.2 \
-j LOG --log-level notice --log-prefix "TLOG_SMTP_OUTGOING: "
# SNAT outgoing SMTP from the internal server to $IP; the ":25" also
# maps the source port of every translated connection to 25
$PROG -t nat -A POSTROUTING -p tcp \
-o $NIC_EXTERNAL \
--dport smtp -s 192.168.1.2 \
-j SNAT --to-source $IP:25
# DNAT incoming SMTP arriving on the external interface to the internal server
$PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
-s 0/0 --dport smtp \
-j DNAT --to-destination 192.168.1.2:25
# mangle FORWARD: accept inbound SMTP to the server (new and existing connections)
$PROG -t mangle -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
-o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport smtp \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# mangle FORWARD: accept the server's replies on existing connections outbound
$PROG -t mangle -A FORWARD -i $NIC_INTERNAL -s 192.168.1.2 \
-o $NIC_EXTERNAL -d 0/0 -p tcp \
-m state --state ESTABLISHED,RELATED -j ACCEPT