LinuxQuestions.org
Old 02-14-2008, 04:50 PM   #1
Nothsa
LQ Newbie
 
Registered: Nov 2002
Posts: 22

Rep: Reputation: 15
iptables dnat working, but server logs local source IP instead of original source IP


I have a mail server on a local network (192.168.233.128), and I am forwarding/redirecting SMTP and POP3 traffic from the Firewall machine to the mail server with the following iptables DNAT rules:

iptables -t nat -A PREROUTING -d $FIREWALL_EXTERNAL_IP -p tcp --dport 25 -j DNAT --to-destination 192.168.233.128:25
iptables -t nat -A PREROUTING -d $FIREWALL_EXTERNAL_IP -p tcp --dport 2525 -j DNAT --to-destination 192.168.233.128:25
iptables -t nat -A PREROUTING -d $FIREWALL_EXTERNAL_IP -p tcp --dport 110 -j DNAT --to-destination 192.168.233.128:110

This forwards correctly (i.e. all traffic on those 3 ports is redirected to the mail server), but the logs of the mail server say that all the connections are coming from 192.168.233.1 (i.e. the Firewall's IP for the local network). Apart from being annoying because I don't know what IP the mail is actually coming from, the server is rejecting some mail from domains with SPF entries, which is a big problem.

Does anyone know how I can set up the forward/redirect so that my mail server will log the original source IP address (i.e. the server sending the mail) instead of the Firewall's IP address?
 
Old 02-14-2008, 05:26 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
It sounds like you've got a rogue POSTROUTING rule (doing SNAT).
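To check a firewall for the kind of POSTROUTING rule win32sux is describing, here is an added shell example that is not from the thread: it scans a constructed `iptables -t nat -S` dump for SNAT/MASQUERADE rules that are not confined to the external interface (assumed to be eth0, with 203.0.113.10 standing in for $FIREWALL_EXTERNAL_IP) and would therefore rewrite the source address of traffic DNATed to the mail server.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S` output for a firewall like the one
# in the thread. The dump is made up for this example, not captured from the
# poster's machine; eth0 is assumed to be the external interface.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.233.128:25
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.233.128:110
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -d 192.168.233.128/32 -j SNAT --to-source 192.168.233.1'

# Print every POSTROUTING SNAT/MASQUERADE rule that is not restricted to the
# external interface with "-o <ext_if>". Such a rule also applies to packets
# leaving towards the LAN, so the mail server sees the firewall's LAN address
# instead of the real sender. Source NAT should only match on the external
# interface; the DNATed traffic towards the mail server then keeps its source.
#   $1 = external interface name, $2 = nat table dump (iptables -t nat -S)
find_source_rewrites() {
    ext_if="$1"
    printf '%s\n' "$2" | awk -v ext="$ext_if" '
        $1 == "-A" && $2 == "POSTROUTING" && /-j (SNAT|MASQUERADE)/ {
            restricted = 0
            for (i = 3; i <= NF; i++)
                if ($i == "-o" && $(i + 1) == ext) restricted = 1
            if (!restricted) print
        }'
}

# Usage: on a live box replace the sample with "$(iptables -t nat -S)".
find_source_rewrites eth0 "$SAMPLE_NAT_RULES"
```

Each line printed is a rule to remove or narrow with `-o <external interface>`; an empty result means the nat table is not the reason the mail server logs the firewall's address.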
 
Old 02-14-2008, 06:13 PM   #3
Nothsa
LQ Newbie
 
Registered: Nov 2002
Posts: 22

Original Poster
Rep: Reputation: 15
You were right!

The mail server is actually a VMware virtual machine, and I had set it up with a "host-only" network card, which appears to add an SNAT value to make everything appear to be coming from the Firewall's local IP (in this case, 192.168.233.1).

Many thanks =)


Here's what I did, if anyone is facing the same problems:

I switched the card from "host-only" to "NAT" ("bridged" would have worked too, if I had the external IP addresses to spare), and then I edited the /etc/vmware/vmnet8/nat/nat.conf file to forward the ports to the mail server (in my case: 192.168.87.128). I then set up iptables to forward the ports to the NAT server (in my case, 192.168.87.1).
 
Old 02-14-2008, 06:34 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Cool, glad you got it working! And thanks for posting what you did!

BTW, I'm moving this to Server, as it's not a security issue.
 