
Re: firewall rules for NAT



On 26/06/2017 11:35, Dan Purgert wrote:
> That shouldn't be happening -- you may have an errant rule you didn't show

I think I did show that rule:

-A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100

The problem is that without that rule things do not work at all (connections time out).

For example, I've tried adding only the DNAT rule for TCP port 26, without the SNAT rule above, forwarded to the same mail server.

Then from the client I've tried to open a TCP connection on port 26:

echo hello | netcat 1.2.3.4 26

In the physical host system I get:

Jun 27 13:21:09 hostmachine kernel: [2479354.931255] IN=eth0 OUT= MAC=74:d0:2b:99:a1:f5:2c:21:31:28:a6:fb:08:00 SRC=217.61.166.36 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0

In the router virtual machine I get:

Jun 27 13:21:34 router kernel: [2479319.331492] IN=eth0 OUT= MAC=52:54:00:02:90:d2:52:54:00:f0:37:ba:08:00 SRC=217.61.166.36 DST=10.7.33.100 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0

In the mail server virtual machine I get:

Jun 27 13:21:09 mx kernel: [2479308.578043] IN=ens2 OUT= MAC=52:54:00:8d:4c:2a:52:54:00:02:90:d2:08:00 SRC=217.61.166.36 DST=10.7.33.109 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0

So the packet actually reaches the mail server as expected. However the client never gets a reply.
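The three kernel LOG lines above were correlated by hand. As an added example (not part of this thread, and not code from anyone in it), the following Python script parses netfilter LOG output in that format, groups lines that belong to the same packet by protocol, IP ID and port pair, orders the hops by decreasing TTL (the timestamps of the three hosts are visibly not in sync, so TTL is the more reliable ordering), and reports whether DST or SRC was rewritten along the way. The sample lines are the ones quoted in this message; the field names are the standard LOG target keys.

```python
import re
from collections import defaultdict

# Constructed sample input: the three LOG lines from the message above
# (physical host, router VM, mail server VM), one packet seen at each hop.
SAMPLE_LOG = """\
Jun 27 13:21:09 hostmachine kernel: [2479354.931255] IN=eth0 OUT= MAC=74:d0:2b:99:a1:f5:2c:21:31:28:a6:fb:08:00 SRC=217.61.166.36 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 27 13:21:34 router kernel: [2479319.331492] IN=eth0 OUT= MAC=52:54:00:02:90:d2:52:54:00:f0:37:ba:08:00 SRC=217.61.166.36 DST=10.7.33.100 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 27 13:21:09 mx kernel: [2479308.578043] IN=ens2 OUT= MAC=52:54:00:8d:4c:2a:52:54:00:02:90:d2:08:00 SRC=217.61.166.36 DST=10.7.33.109 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# syslog prefix: "<Mon DD HH:MM:SS> <host> kernel: [<uptime>] <key=value ...>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: \[[\d.]+\] (?P<rest>.*)$"
)


def parse_log_line(line):
    """Turn one netfilter LOG line into a dict of its KEY=VALUE fields.

    Bare tokens without '=' (DF, SYN, ACK, ...) are collected under 'flags'.
    Returns None for lines that are not LOG output.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"host": m.group("host"), "timestamp": m.group("ts"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # value may be empty, e.g. OUT=
        else:
            fields["flags"].append(tok)
    return fields


def trace_packet(log_text):
    """Group LOG lines by packet identity and order each group by hop.

    Identity = (PROTO, IP ID, SPT, DPT); hop order = decreasing TTL, since
    each forwarding host decrements TTL by one and host clocks may differ.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        key = (fields.get("PROTO"), fields.get("ID"), fields.get("SPT"), fields.get("DPT"))
        groups[key].append(fields)
    for hops in groups.values():
        hops.sort(key=lambda f: -int(f["TTL"]))
    return dict(groups)


def analyse_trace(hops):
    """Summarise what NAT did to one packet between first and last hop."""
    first, last = hops[0], hops[-1]
    findings = {
        "path": [h["host"] for h in hops],
        "dst_chain": [h["DST"] for h in hops],
        "src_chain": [h["SRC"] for h in hops],
        "dnat_applied": first["DST"] != last["DST"],
        "snat_applied": first["SRC"] != last["SRC"],
        # every hop should be exactly one TTL lower than the previous one
        "ttl_consistent": all(
            int(a["TTL"]) - int(b["TTL"]) == 1 for a, b in zip(hops, hops[1:])
        ),
    }
    # DNAT without SNAT: the final host sees the original client address, so
    # its reply has to come back through the same NAT gateway for conntrack
    # to reverse the destination translation.
    findings["reply_must_transit_gateway"] = (
        findings["dnat_applied"] and not findings["snat_applied"]
    )
    return findings


if __name__ == "__main__":
    for key, hops in trace_packet(SAMPLE_LOG).items():
        print(key)
        for name, value in analyse_trace(hops).items():
            print(f"  {name}: {value}")
```

Run on the quoted lines, the script reports the path hostmachine, router, mx with DST rewritten 1.2.3.4 to 10.7.33.100 to 10.7.33.109 and SRC left as 217.61.166.36 throughout, i.e. DNAT applied at two hops and no SNAT. That is the situation in which the backend's reply must return through the same gateway; checking the backend's route to the client address is the natural next diagnostic step when the SYN arrives but no reply is ever seen.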

