[LARTC] DNAT PREROUTING issue with IPTABLES
Riccardo (SCASI)
r.penco at scasinet.com
Tue Sep 25 10:54:45 CEST 2007
Indunil Jayasooriya wrote:
>
> Hi,
>
> I have an DNAT ISSUE with PREROUTING.
>
> This is my setup.
>
> I have 2 firewalls running iptables.
>
> Please assume 1.2.3.4/29 is the internet interface of
> FIRST firewall.
> 2.3.4.5/29 is the internet interface of SECOND
> firewall. It has a DMZ zone. In that DMZ zone, a mail server is running @
> 192.168.100.3
>
> Now I want to DNAT port 25 of FIRST firewall ( i.e - its ip address -
> 1.2.3.4/29 ) to the internet ip address ( 2.3.4.5/29
> ) of SECOND firewall. That firewall DNATs port 25 to
> mail server @ 192.168.100.3 in DMZ zone.
>
> These are rules I have added.
>
> FIRST firewall (its internet ip address - 1.2.3.4/29
> ) I have added the rule below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
>
> That should forward port 25 to SECOND firewall. In SECOND firewall, I
> have added the 2 rules below.
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
>
> iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
>
> Now, it should forward port 25 to mail server @ DMZ Zone.
>
> I think I have added these rules properly. But it does not work.
>
> I checked from the outside world. I telneted to port 25 of the first firewall.
> Then it should forward to the mail server @ DMZ zone.
> But, no response.
>
> WHY is that?
>
> YOUR IDEAS?
>
May it be a problem of SNAT?
I try to explain my guess:
FW1: firewall at 1.2.3.4
FW2: firewall at 2.3.4.5
SRV: mail server at 192.168.100.3
I telnet FW1 on port 25 from a PC with ip address 4.5.6.7.
FW1 forwards the connection to FW2.
FW2 forwards the connection to SRV.
SRV now receives packets from 4.5.6.7 and sends packets back to that address.
I think that the connection shall fail if those packets on their way to
4.5.6.7 get 'snat-ted' to an address different from 1.2.3.4.
Apologies for my poor English!
> --
> Thank you
> Indunil Jayasooriya
You're welcome
Riccardo Penco
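To make Riccardo's guess concrete, here is a small Python model (an added example, not code from the thread) that walks the first packet and its reply through the conntrack state of both firewalls, once with only the thread's DNAT rules and once with an extra SNAT rule on FW1. It assumes the 4.5.6.7 client address from the reply above, that replies from the DMZ leave through FW2 by its default route, and that conntrack on each box reverses its own translation for the return packet.

```python
"""Model of the two-hop DNAT path described in the thread, to show why replies
fail unless FW1 also SNATs the forwarded connection (constructed example)."""
from dataclasses import dataclass, replace

# Addresses from the thread; 4.5.6.7 is the sample client Riccardo used.
CLIENT, FW1, FW2, SRV = "4.5.6.7", "1.2.3.4", "2.3.4.5", "192.168.100.3"

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def nat_hop(fwd, dnat_to=None, snat_to=None):
    """One stateful NAT box: DNAT (PREROUTING) then optional SNAT (POSTROUTING)
    on the first packet; returns the translated packet plus the function that
    conntrack applies to reverse the translation on replies."""
    out = fwd
    if dnat_to:
        out = replace(out, dst=dnat_to)
    if snat_to:
        out = replace(out, src=snat_to)
    def reverse(reply):
        # A reply only matches the conntrack entry if it mirrors the translated tuple.
        assert (reply.src, reply.dst) == (out.dst, out.src), "no conntrack match"
        return replace(reply, src=fwd.dst, dst=fwd.src)
    return out, reverse

def trace(fw1_snat):
    """Return which client address SRV sees and which source the client sees
    on the SYN/ACK, with or without the extra SNAT rule on FW1."""
    syn = Pkt(CLIENT, 40000, FW1, 25)
    # FW1: the thread's PREROUTING DNAT to 2.3.4.5:25, optionally plus
    #   iptables -t nat -A POSTROUTING -p tcp -d 2.3.4.5 --dport 25 -j SNAT --to-source 1.2.3.4
    p1, rev1 = nat_hop(syn, dnat_to=FW2, snat_to=FW1 if fw1_snat else None)
    # FW2: the thread's PREROUTING DNAT to 192.168.100.3:25; conntrack undoes it on the way back.
    p2, rev2 = nat_hop(p1, dnat_to=SRV)
    synack = Pkt(p2.dst, 25, p2.src, p2.sport)  # SRV answers whatever source it saw
    reply = rev2(synack)                        # leaves FW2 with src 2.3.4.5
    if reply.dst == FW1:                        # only passes FW1 if addressed to it
        reply = rev1(reply)
    return {"srv_sees_client": p2.src,
            "reply_src_at_client": reply.src,
            "client_accepts": reply.dst == CLIENT and reply.src == FW1}

if __name__ == "__main__":
    for snat in (False, True):
        print("with FW1 SNAT" if snat else "without FW1 SNAT", trace(snat))
```

Without the SNAT rule the client receives a SYN/ACK from 2.3.4.5 for a connection it opened to 1.2.3.4 and drops it, which matches the "no response" symptom. With it, the mail server logs every connection as coming from 1.2.3.4, so the real client address is lost for anti-spam and abuse handling unless it is recorded on FW1.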