Re: iptables help to forward ports please



On Wed, 19 Mar 2003, Victor Calzado Mayo wrote:

> > internet <=25= firewall iptablerule =port#x=> internalSMTPhost
> >
> > how can the firewall be told to:
> > 	take all incoming tcp port 25 traffic and send it to
> > 	smtp host on port X

> iptables -t nat -A PREROUTING  -p tcp --dport 25 -j DNAT --to-destination \
> $SMTP_HOST:$port
>
> Remember that if you want to apply filters in a Destination "Nated" port you
> have to do it in the FORWARD hook ( not in the INPUT hook as usual ), so if
> you have DROP as default policy in the FORWARD hook DNAT won't work until
> you ACCEPT in FORWARD connections destined to these DNATed ports.

It's also worth knowing that this filtering must be based on the
_real_ address of the receiving host and not the public, visible
address. After Victor's example:

iptables -A FORWARD -d $SMTP_HOST -p tcp --dport $port -j ACCEPT

Also, the firewall performing the DNAT must react to ARP requests
for the "virtual" (public, whatever) IP address. Unless this
is also the firewall's primary address, I've cared for this by
assigning it as an ip alias, ie.

ip addr add local $PUBLIC_ADDR/$CIDR_NETMASK broadcast + dev ethXX

The ethXX must of course be on the proper subnet where the traffic
comes from; the "outer edge" typically.

I'm not sure but I think you also need to SNAT the reply
packets that are associated with the connections that the
above rules allow. Maybe connection tracking does this
automatically, though. The rule would be something like this,
but I'd experiment without it first:

iptables -t nat -A POSTROUTING -s $SMTP_HOST -j SNAT \
  --to-source $PUBLIC_ADDR

-- 
pp / pfp@iki.fi / peter.parkkali@profiz.com /
040-532 95 80 / +358-40-532 95 80
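The whole forward discussed in this thread, put together as one script. This is an added example, not code from any of the original posts. It assumes placeholder values (203.0.113.10 as the public address, 192.168.1.25 as the internal SMTP host, port 2525, interface eth0, a /24 outer subnet) and the newer `-m conntrack --ctstate` match (the 2003-era spelling was `-m state --state`). It prints the commands unless APPLY=1 is set, so it can be reviewed before touching a live firewall. It also goes a little beyond the thread: the DNAT is restricted to the public address on the outer interface instead of matching every port-25 packet, the FORWARD rules match the real internal address as Peter notes, and the return path relies on connection tracking, which reverses the DNAT on reply packets by itself; a POSTROUTING SNAT is only needed for connections the SMTP host opens outward, not for replies.

```shell
#!/bin/sh
# Added example (not from the original posts). All addresses, ports and
# interface names below are constructed placeholders.

# run CMD...: print the command line in dry-run mode (default) or execute it
# when APPLY=1 is set in the environment.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# forward_smtp PUBLIC_ADDR SMTP_HOST PORT WAN_IF PREFIXLEN
#   PUBLIC_ADDR: the "virtual" address the outside world connects to on port 25
#   SMTP_HOST:   the real internal address the mail server listens on
#   PORT:        port X the internal server listens on
#   WAN_IF:      interface on the subnet the traffic comes from (the outer edge)
#   PREFIXLEN:   prefix length of that outer subnet
forward_smtp() {
    public_addr=$1 smtp_host=$2 port=$3 wan_if=$4 prefixlen=$5

    # 1. Make the firewall answer ARP for PUBLIC_ADDR by aliasing it on the
    #    outer interface (skip this if PUBLIC_ADDR is already its primary address).
    run ip addr add local "$public_addr/$prefixlen" broadcast + dev "$wan_if"

    # 2. Rewrite the destination before routing: PUBLIC_ADDR:25 -> SMTP_HOST:PORT.
    #    Matching -i and -d keeps the DNAT from catching port-25 traffic that
    #    arrives on other interfaces or for the firewall's other addresses.
    run iptables -t nat -A PREROUTING -i "$wan_if" -d "$public_addr" -p tcp --dport 25 \
        -j DNAT --to-destination "$smtp_host:$port"

    # 3. Filter in FORWARD on the *real* destination: by the time the filter
    #    table sees the packet, nat/PREROUTING has already rewritten it.
    run iptables -A FORWARD -i "$wan_if" -d "$smtp_host" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # 4. Let the replies back out. Connection tracking un-DNATs these packets
    #    automatically, so no SNAT rule is needed for the return path.
    run iptables -A FORWARD -o "$wan_if" -s "$smtp_host" -p tcp --sport "$port" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Dry run with the constructed placeholder values; run as root with APPLY=1
# to actually install them.
forward_smtp 203.0.113.10 192.168.1.25 2525 eth0 24
```

Run it once without APPLY to read the four commands it would issue, then with APPLY=1 as root. If the FORWARD chain has a DROP policy, rules 3 and 4 are what make the forward work at all; rule 3 deliberately matches 192.168.1.25, not 203.0.113.10.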