IP alias and port forwarding - packets die at external interface
Hello list,
I'm trying to set up my first DMZ using a woody gateway with 3 interface
cards. One for the external interface, one for the DMZ, and one for the
(as yet non-existent) internal LAN.
I have 5 static IPs, and have assigned 3 of them as eth0, eth0:1, and
eth0:2 in /etc/network/interfaces. Now I want to forward incoming SMTP
and DNS traffic to DMZ machines based on destination IP. This seems to
work fine for the SMTP traffic, but incoming DNS requests just die at
the external interface. They are not being killed by other iptables
rules. It's just as if that interface isn't "really" listening to that
IP. Why it works for one and not the other is beyond me. I fear I'm
missing something basic, but I just can't see it. Any help is very much
appreciated.
BTW I'm using a Debian 2.4.18-14 kernel with Debian's freeswan patch.
Here are the details.
iptables rules . . .
IPTABLES="/sbin/iptables"   # not shown in the original script, but the rules below use it
EXT_IF="eth0"
DMZ_IF="eth1"
LAN_IF="eth2"
EXT_IP="66.224.xxx.118"
EXT_DNSIP="66.224.xxx.117"
EXT_SMTPIP="66.224.xxx.116"
DNS_SRV="192.168.5.2"
SMTP_SRV="192.168.5.3"
# PREROUTING SMTP: rewrite the public SMTP address to the DMZ mail host
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_SMTPIP --dport 25 -j DNAT --to-destination $SMTP_SRV:25
# PREROUTING DNS: rewrite the public DNS address to the DMZ name server (UDP only)
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp -d $EXT_DNSIP --dport 53 -j DNAT --to-destination $DNS_SRV:53
# FORWARD SMTP: let the DNAT'd packets through to the DMZ
$IPTABLES -A FORWARD -i $EXT_IF -o $DMZ_IF -p tcp -d $SMTP_SRV --dport 25 -j ACCEPT
# FORWARD DNS
$IPTABLES -A FORWARD -i $EXT_IF -o $DMZ_IF -p udp -d $DNS_SRV --dport 53 -j ACCEPT
# POSTROUTING - SNAT everything leaving the external interface to EXT_IP
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP
Output of ifconfig . . .
eth0      Link encap:Ethernet  HWaddr 00:90:27:23:AC:F9
          inet addr:66.224.xxx.118  Bcast:66.224.xxx.119  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:65 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:7006 (6.8 KiB)  TX bytes:6859 (6.6 KiB)
          Interrupt:10 Base address:0x1000

eth0:1    Link encap:Ethernet  HWaddr 00:90:27:23:AC:F9
          inet addr:66.224.xxx.117  Bcast:66.255.255.255  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0x1000

eth0:2    Link encap:Ethernet  HWaddr 00:90:27:23:AC:F9
          inet addr:66.224.xxx.116  Bcast:66.255.255.255  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:10 Base address:0x1000

eth1      Link encap:Ethernet  HWaddr 00:A0:C9:F0:68:2C
          inet addr:192.168.5.1  Bcast:192.168.50.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:607 (607.0 b)  TX bytes:420 (420.0 b)
          Interrupt:11 Base address:0x3000

eth2      Link encap:Ethernet  HWaddr 00:50:BA:53:F6:F8
          inet addr:192.168.6.1  Bcast:192.168.60.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:12 Base address:0xc000

ipsec0    Link encap:Ethernet  HWaddr 00:90:27:23:AC:F9
          inet addr:66.224.xxx.118  Mask:255.255.255.248
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:24 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1648 (1.6 KiB)  TX bytes:1648 (1.6 KiB)
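As an added example (not code from the post above), here is the same three-interface DMZ publishing set-up written as a complete script. It reuses the poster's interface and address variables (the masked 66.224.xxx.* addresses are placeholders and must be replaced before the rules are loaded) and adds what a practitioner would want next to the posted rules: a conntrack state rule for return traffic, DNS over TCP/53 as well as UDP/53, and a dry-run mode so the rule set can be reviewed before it is applied. The publish, dmz_rules and dmz_counters function names are this example's own, not anything from the post.

```shell
#!/bin/sh
# Added example: publish SMTP and DNS from public addresses on eth0 into a DMZ on eth1.
# Variables are taken from the post; IPTABLES, publish(), dmz_rules() and dmz_counters()
# are this example's own. Dry run by default: set IPTABLES=/sbin/iptables to load for real.

EXT_IF="eth0"
DMZ_IF="eth1"
EXT_IP="66.224.xxx.118"      # placeholders as in the post; substitute real addresses
EXT_DNSIP="66.224.xxx.117"
EXT_SMTPIP="66.224.xxx.116"
DNS_SRV="192.168.5.2"
SMTP_SRV="192.168.5.3"

# Unquoted on purpose below: "echo iptables" must split into a command and its argument.
IPTABLES="${IPTABLES:-echo iptables}"

# publish PROTO PUBLIC_IP PORT DMZ_HOST
#   DNAT PUBLIC_IP:PORT to DMZ_HOST:PORT and accept the first packet of each such flow
#   in FORWARD; replies are covered by the ESTABLISHED,RELATED rule in dmz_rules.
publish() {
    proto="$1"; pub="$2"; port="$3"; host="$4"
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" -d "$pub" --dport "$port" \
        -j DNAT --to-destination "$host:$port"
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p "$proto" -d "$host" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

dmz_rules() {
    # The post shows no rule for return traffic; with a DROP policy on FORWARD the
    # DMZ hosts' replies would never get back out.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    publish tcp "$EXT_SMTPIP" 25 "$SMTP_SRV"
    publish udp "$EXT_DNSIP" 53 "$DNS_SRV"
    # DNS also uses TCP/53 (truncated answers, zone transfers); the post forwards UDP only.
    publish tcp "$EXT_DNSIP" 53 "$DNS_SRV"

    # Outbound traffic from the DMZ leaves as the primary address. DNAT'd flows are not
    # affected: conntrack reverses the DNAT on their replies before this rule is consulted.
    $IPTABLES -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
}

# Per-rule packet counters to read while sending test queries from outside: a count on
# the PREROUTING DNAT rule with none on the matching FORWARD rule (or vice versa) shows
# which stage the packets are dying at.
dmz_counters() {
    $IPTABLES -t nat -L PREROUTING -n -v
    $IPTABLES -L FORWARD -n -v
}

dmz_rules
```

Run it once without setting IPTABLES to see every rule printed, then with IPTABLES=/sbin/iptables as root to load them; dmz_counters is the first thing to look at when a published service is not answering.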