Re: firewall rules for NAT
On 26/06/2017 11:35, Dan Purgert wrote:
That shouldn't be happening -- you may have an errant rule you didn't
show
I think I did show that rule:
-A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100
The problem is that without that rule things do not work at all
(connections time out).
For example, I've tried adding only the DNAT rule for TCP port 26,
without the SNAT rule above, forwarded to the same mail server.
Then from the client I've tried to open a TCP connection on port 26:
echo hello | netcat 1.2.3.4 26
In the physical host system I get:
Jun 27 13:21:09 hostmachine kernel: [2479354.931255] IN=eth0 OUT= MAC=74:d0:2b:99:a1:f5:2c:21:31:28:a6:fb:08:00 SRC=217.61.166.36 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
In the router virtual machine I get:
Jun 27 13:21:34 router kernel: [2479319.331492] IN=eth0 OUT= MAC=52:54:00:02:90:d2:52:54:00:f0:37:ba:08:00 SRC=217.61.166.36 DST=10.7.33.100 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
In the mail server virtual machine I get:
Jun 27 13:21:09 mx kernel: [2479308.578043] IN=ens2 OUT= MAC=52:54:00:8d:4c:2a:52:54:00:02:90:d2:08:00 SRC=217.61.166.36 DST=10.7.33.109 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
So the packet actually reaches the mail server as expected. However the
client never gets a reply.
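An added diagnostic, not code from this thread: a small Python script that parses netfilter LOG lines like the three above, orders the hops of one client connection by TTL (which survives the DNAT rewrite of DST and the router's skewed clock), and reports whether any host logged a reply back toward the client. The extra SYN-ACK line and the function names are my own constructions.

```python
import re

# Constructed sample: the three netfilter LOG lines quoted above (physical host,
# router VM, mail server VM). No reply packet appears in any of them.
SAMPLE_LOGS = """\
Jun 27 13:21:09 hostmachine kernel: [2479354.931255] IN=eth0 OUT= MAC=74:d0:2b:99:a1:f5:2c:21:31:28:a6:fb:08:00 SRC=217.61.166.36 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 27 13:21:34 router kernel: [2479319.331492] IN=eth0 OUT= MAC=52:54:00:02:90:d2:52:54:00:f0:37:ba:08:00 SRC=217.61.166.36 DST=10.7.33.100 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 27 13:21:09 mx kernel: [2479308.578043] IN=ens2 OUT= MAC=52:54:00:8d:4c:2a:52:54:00:02:90:d2:08:00 SRC=217.61.166.36 DST=10.7.33.109 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
"""
# Constructed, not from the thread: what a SYN-ACK leaving the mail server would look like.
SAMPLE_WITH_REPLY = SAMPLE_LOGS + (
    "Jun 27 13:21:09 mx kernel: [2479308.578101] IN= OUT=ens2 SRC=10.7.33.109 DST=217.61.166.36 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=26 DPT=51600 WINDOW=28960 RES=0x00 ACK SYN URGP=0\n"
)
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) kernel: \[[^\]]*\] (?P<body>.*)$")

def parse_nf_log(line):
    """One LOG line -> dict of KEY=value fields; bare tokens (DF, SYN, ACK) go into 'flags'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"host": m.group("host"), "flags": set()}
    for tok in m.group("body").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val          # 'OUT=' yields an empty string, as in the lines above
        else:
            rec["flags"].add(tok)
    return rec

def trace_flow(log_text, client_ip, client_port, service_port):
    """Follow one client connection across the hosts that logged it. Forward packets
    (DPT == service_port) are ordered by decreasing TTL, which survives the DNAT
    rewrite of DST and ignores clock skew (the router's timestamp above is 25 s off)."""
    forward, replies = [], []
    for rec in filter(None, map(parse_nf_log, log_text.splitlines())):
        if rec.get("PROTO") != "TCP":
            continue
        if (rec["SRC"], rec["SPT"], rec["DPT"]) == (client_ip, client_port, service_port):
            forward.append(rec)
        elif (rec["DST"], rec["DPT"], rec["SPT"]) == (client_ip, client_port, service_port):
            replies.append(rec)     # service port talking back to the client: a reply
    forward.sort(key=lambda r: int(r["TTL"]), reverse=True)
    return {"path": [(r["host"], r["DST"], int(r["TTL"])) for r in forward],
            "reply_hosts": [r["host"] for r in replies]}

if __name__ == "__main__":
    for text in (SAMPLE_LOGS, SAMPLE_WITH_REPLY):
        res = trace_flow(text, "217.61.166.36", "51600", "26")
        print(" > ".join(f"{h}:{d}/ttl{t}" for h, d, t in res["path"]), "| reply on:", res["reply_hosts"] or "none")
```

Run against real logs, an empty `reply_hosts` for a flow whose SYN reached the last hop points at the return path rather than the inbound DNAT.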