
Re: Kicked me of self! :-/



On Wed, Apr 08, 2009 at 09:59:50AM +0200, Benjamin Hackl wrote:
> On Wed, 8 Apr 2009 09:13:40 +0200
> Stephan Balmer <sb@lia.ch> wrote:
> 
> > > So what I need now, is the setup for the IP Tables to  get  the
> > > traffic forwarded from eth0/eth1 to the servers in eth2 where I have
> > > 
> > > eth0 -> smtp/imap -> 192.168.0.196 <mail.tamay-dogan.net>
> > >         http      -> 192.168.0.200 <www.tamay-dogan.net>
> > > (VServer) http:9999 -> 192.168.0.210 <www.debian.tamay-dogan.net>
> > > (VServer)
> > > 
> > > eth2 -> smtp/imap -> 192.168.0.220 <mail.tdwave.net>
> > >         http      -> 192.168.0.221 <www.tdwave.net>
> > > (VServer) http:9999 -> 192.168.0.230 <www.debian.tamay-dogan.net>
> > > (VServer) pgsql     -> 192.168.0.240 <pgsql.private.tamay-dogan.net>
> > 
> > You want to have a look at the DNAT section in the iptables manual.
> > 
> > And to get you up to speed,
> > 
> > 	iptables -t nat -A PREROUTING \
> > 	    --destination <PUBIP> -p tcp --destination-port <PUBPORT> \
> > 	    --jump DNAT --to-destination <PRIVATEIP>:<PRIVATEPORT>
> >  
> > seems to be what you need.
> 
> That's right.
> Could look somewhat like that for port smtp/25
> on eth2 -> 192.168.0.220:25
> 
>  iptables -t nat -A PREROUTING \
>    -i eth2 -p tcp --dport 25 -j DNAT \
>    --to 192.168.0.220:25
> 
> And don't forget to accept the packet itself ;-)
> 
>  iptables -A INPUT -p tcp -m state --state NEW \
>    --dport 25 -i eth2 -j ACCEPT

INPUT is in fact a local chain, but this fw is actually just forwarding
these packets. Michelle needs a forwarding accept:

 iptables -A FORWARD -p tcp -i $EXT_IF -o $LAN_IF -d 192.168.0.220 \
        --dport 25 [--sport 1024:65535] -j ACCEPT

As traffic for 192.168.0.220:25 is not for this 'localhost' it will
never traverse the INPUT chain.

iptables is complex; a correct image of the chains/hooks helps a great
deal in fathoming them.

This is a nice writeup to get you up to speed.
http://www.linuxtopia.org/Linux_Firewall_iptables/c951.html
The image is to be understood thus: all traffic, regardless of whether it
flows from external to internal or from internal to external, traverses
the iptables chains/hooks as shown in the image, from top to bottom.
If traffic is forwarded, it travels the right-hand chain and /never/ the
left-side one for 'local traffic'.

Greetings,
 Markus
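To make the chain-traversal point above concrete, here is an added example that is not part of the thread: a small Python model of the netfilter hook order (nat PREROUTING, routing decision, then INPUT or FORWARD, then POSTROUTING) run against the rules discussed. The firewall's own addresses, the interface names eth2/lan0 and the DROP default policies are assumptions.

```python
# Added example (not from the thread): toy model of netfilter hook order for
# an IPv4 packet, showing why a DNATed packet for 192.168.0.220:25 traverses
# FORWARD and never INPUT on the firewall. Addresses/interfaces are assumed.

LOCAL_IPS = {"203.0.113.10", "192.168.0.1"}  # constructed: firewall's own IPs

def rule_matches(rule, pkt):
    """A rule matches when every criterion it names equals the packet field."""
    return all(pkt.get(k) == v for k, v in rule["match"].items())

def run_chain(rules, chain, pkt, policy="DROP"):
    """Walk one chain in order; the first matching rule's target decides."""
    for r in rules:
        if r["chain"] != chain or not rule_matches(r, pkt):
            continue
        if r["target"] == "DNAT":
            pkt["dst"], pkt["dport"] = r["to"]  # rewrite, then go on to routing
            return "ACCEPT"
        return r["target"]
    return policy

def traverse(rules, pkt):
    """Return (chains visited, final verdict) for a packet entering on pkt['in']."""
    pkt = dict(pkt)
    visited = ["PREROUTING"]
    run_chain(rules, "PREROUTING", pkt, policy="ACCEPT")  # nat table: DNAT here
    # Routing decision: destination is ours -> INPUT, anything else -> FORWARD.
    chain = "INPUT" if pkt["dst"] in LOCAL_IPS else "FORWARD"
    pkt["out"] = "lan0" if pkt["dst"].startswith("192.168.0.") else None
    visited.append(chain)
    verdict = run_chain(rules, chain, pkt)
    if chain == "FORWARD" and verdict == "ACCEPT":
        visited.append("POSTROUTING")
    return visited, verdict

# Constructed rules mirroring the thread: DNAT smtp arriving on eth2 to the mail host.
DNAT_SMTP = {"chain": "PREROUTING", "match": {"in": "eth2", "proto": "tcp", "dport": 25},
             "target": "DNAT", "to": ("192.168.0.220", 25)}
# The rule proposed first: accepts on INPUT, which forwarded traffic never reaches.
INPUT_SMTP = {"chain": "INPUT", "match": {"in": "eth2", "proto": "tcp", "dport": 25},
              "target": "ACCEPT"}
# The rule the reply recommends: accept the forwarded flow towards the private host.
FORWARD_SMTP = {"chain": "FORWARD", "match": {"in": "eth2", "out": "lan0", "proto": "tcp",
                "dst": "192.168.0.220", "dport": 25}, "target": "ACCEPT"}

# Constructed packet: SMTP SYN from outside to the firewall's public address.
SMTP_PKT = {"in": "eth2", "proto": "tcp", "dst": "203.0.113.10", "dport": 25}

def verdict_with(*rules):
    """Trace SMTP_PKT through the given rule set; returns (chains, verdict)."""
    return traverse(list(rules), SMTP_PKT)
```

With DNAT plus only the INPUT rule the packet ends in FORWARD with the default DROP; adding the FORWARD rule accepts it, and the INPUT rule only ever matches when no DNAT is present and the mail service runs on the firewall itself.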

