On 26/06/2017 11:35, Dan Purgert wrote:
That shouldn't be happening -- you may have an errant rule you didn't show
I think I did show that rule:
The problem is that without that rule things do not work at all (connections time out).
For example, I've tried adding only the DNAT rule for TCP port 26, without the SNAT rule above, forwarded to the same mail server.
Then from the client I've tried to open a TCP connection on port 26:
echo hello | netcat 1.2.3.4 26
In the physical host system I get:
Jun 27 13:21:09 hostmachine kernel: [2479354.931255] IN=eth0 OUT= MAC=74:d0:2b:99:a1:f5:2c:21:31:28:a6:fb:08:00 SRC="" DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
In the router virtual machine I get:
Jun 27 13:21:34 router kernel: [2479319.331492] IN=eth0 OUT= MAC=52:54:00:02:90:d2:52:54:00:f0:37:ba:08:00 SRC="" DST=10.7.33.100 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
In the mail server virtual machine I get:
Jun 27 13:21:09 mx kernel: [2479308.578043] IN=ens2 OUT= MAC=52:54:00:8d:4c:2a:52:54:00:02:90:d2:08:00 SRC="" DST=10.7.33.109 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0
So the packet actually reaches the mail server as expected. However, the client never gets a reply.
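One way to check a trace like this mechanically, as an added example that is not part of the thread: a small Python script that correlates netfilter LOG lines by TCP port pair, lists the DST seen at each hop (DNAT shows up as the DST changing between hosts) and flags flows for which no reply-direction packet was ever logged. The embedded log lines are constructed from the three quoted above (redacted SRC replaced by a placeholder client address, MACs shortened), plus one made-up healthy flow on port 25 whose SYN-ACK was logged on the router.

```python
import re

# Constructed sample: the thread's three lines (SRC placeholder, MAC shortened)
# plus a made-up port-25 flow that does get a reply, for contrast.
LOG_LINES = [
    "Jun 27 13:21:09 hostmachine kernel: [2479354.931255] IN=eth0 OUT= MAC=74:d0:2b SRC=198.51.100.7 DST=1.2.3.4 LEN=60 TTL=51 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun 27 13:21:34 router kernel: [2479319.331492] IN=eth0 OUT= MAC=52:54:00 SRC=198.51.100.7 DST=10.7.33.100 LEN=60 TTL=50 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun 27 13:21:09 mx kernel: [2479308.578043] IN=ens2 OUT= MAC=52:54:00 SRC=198.51.100.7 DST=10.7.33.109 LEN=60 TTL=49 ID=18186 DF PROTO=TCP SPT=51600 DPT=26 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun 27 13:25:01 router kernel: [2479326.000000] IN=eth0 OUT= MAC=52:54:00 SRC=198.51.100.7 DST=10.7.33.100 LEN=60 TTL=50 ID=20000 DF PROTO=TCP SPT=51700 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun 27 13:25:01 router kernel: [2479326.001000] IN=eth1 OUT= MAC=52:54:00 SRC=10.7.33.109 DST=198.51.100.7 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=25 DPT=51700 WINDOW=28960 RES=0x00 ACK SYN URGP=0",
]

HEAD_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) kernel: \[[\d.]+\] (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Parse one kernel LOG line into a dict of KEY=value fields plus 'host'.

    Bare flags without '=' (DF, SYN, ACK) are ignored. Returns None for lines
    that are not netfilter LOG output.
    """
    m = HEAD_RE.match(line)
    if not m:
        return None
    host, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))
    fields["host"] = host
    return fields


def trace_flows(lines):
    """Correlate each TCP connection across hosts.

    Flows are keyed by (service_port, client_port), taken from the first packet
    seen. A later packet with the ports swapped is the reply direction; every
    forward packet adds a (host, DST) hop, so a DNAT rewrite is visible as the
    DST changing from hop to hop. 'reply_seen' stays False for a flow whose
    answer never came back through a logging host, as in the port-26 case.
    """
    flows = {}
    for line in lines:
        p = parse_log_line(line)
        if p is None or p.get("PROTO") != "TCP":
            continue
        fwd, rev = (p["DPT"], p["SPT"]), (p["SPT"], p["DPT"])
        key = rev if (rev in flows and fwd not in flows) else fwd
        f = flows.setdefault(key, {"hops": [], "reply_seen": False})
        if key == rev:
            f["reply_seen"] = True
        else:
            f["hops"].append((p["host"], p["DST"]))
    return flows


def report(flows):
    """Render one line per flow; returns the list so callers can inspect it."""
    out = []
    for (svc, cli), f in sorted(flows.items()):
        path = " -> ".join(f"{h}({d})" for h, d in f["hops"])
        status = "reply seen" if f["reply_seen"] else "NO REPLY LOGGED"
        out.append(f"dport {svc} from client port {cli}: {path}; {status}")
    return out


if __name__ == "__main__":
    print("\n".join(report(trace_flows(LOG_LINES))))
```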