iptables forwarding with one nic
I have a leased line at one of my sites that is set up to forward all packets that come to its Internet address on to an internal server (they tell me their equipment will either forward all traffic or none, but that's another story). Anyway, I would like to set up a Linux machine on the internal network that will receive all of these forwarded packets. I would like that machine to then send ONLY specific ports on to the actual server. So far, I have been unable to make this work.
IP addresses:
Internet side of router: 1.2.3.4
Internal IP that it forwards everything to: 10.1.1.1
My Linux machine with one NIC: 10.1.1.2

My plan:
1.) Set the router to forward all packets to the Linux machine at 10.1.1.2 instead of the actual server at 10.1.1.1.
2.) Use an iptables command such as the following to forward specific packets (forwarded from 1.2.3.4 to the Linux machine) on to 10.1.1.1:
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 25 -j DNAT --to 10.1.1.1:25
(assuming the protocol is SMTP)
3.) After I get step 2 working with the necessary forwarded protocols, I will need another iptables command to block all other packets forwarded from 1.2.3.4.

Problem is I can't get step 2 to work. Could it be because I only have one NIC, or what? Thanks much in advance. |
Hi,
I am no iptables expert, but it seems that you are trying to do this: "iptables, if the Internet traffic you are receiving wants to go to 10.1.1.1 port 25, go ahead and forward it", and what you are actually telling iptables is this: "iptables, if you see SMTP traffic going to 1.2.3.4, NAT it to 10.1.1.1 instead". So, maybe you can try setting your router address as the source and your server as the destination and see if it gets any better. Just a thought. |
So all traffic goes to 1.2.3.4, which gets forwarded to 10.1.1.2 at which point you want to forward specific traffic onto 10.1.1.1 yeah?
If this is the case it would make more sense to put a second NIC in the Linux box and make it a router. If this isn't possible then it is still doable with a single NIC. You'll need to DNAT the connections, reject/drop the things you don't like and ensure that ICMP redirects are disabled. You'll also need to ensure that 10.1.1.2 is the default gateway for 10.1.1.1, or your DNAT won't get reversed, so it'll all go rather screwy. If you can't make 10.1.1.2 the DG for 10.1.1.1 then you still need to SNAT your connections too! Confirm if this is what you want to do and I'll produce some examples that I think should work. cheers Jamie... |
In response to your question of "at which point do you want to forward specific traffic onto 10.1.1.1", I would like to be able to stop all traffic with the exception of specific ports. For example, I would like to allow SMTP traffic (port 25) to pass through the Linux machine (10.1.1.2) and on to my actual server (10.1.1.1).
The route of SMTP traffic from the Internet will be as follows: 1.2.3.4 (Internet Router) to 10.1.1.2 (Linux firewall) on to 10.1.1.1 (internal server). All other traffic will be stopped at 10.1.1.2 and not passed on to 10.1.1.1. I am hoping for the iptables commands (or other commands necessary) to make this happen. Again, thanks much to all for their comments. |
And you're not in a position to add a second NIC? But you can set the default gateway for the internal server to the Linux box, yeah?
cheers Jamie... |
I could add a second NIC, but I am hoping I won't have to.
I could also set the default gateway on the internal server (10.1.1.1) to the Linux router (10.1.1.2) but I am hoping I won't have to do that either. I am not really interested in controlling outgoing traffic. Currently the default gateway on the internal server is set to the internal side of the Internet router. That means all traffic passes straight to it and then on to the Internet and that is fine with me. I'm not interested in changing that unless I have to. I just want to set it up such that only certain incoming traffic (SMTP in the example given) is sent to the internal server. |
OK, all traffic will still end up going back through the Linux box anyway; it'll just end up having another NAT operation applied to the packets. I reckon you want something like this
Code:
# turn on forwarding
HTH Jamie... |
I assume I don't have to add the second nic with this setup? If not, what does the first command do that turns on forwarding?
I also assume I don't have to change the gateway on 10.1.1.1 with this setup? |
As you only have a single interface it'll go out the same way it came in.
How much traffic are you expecting to shift on this box? As your internal addresses are 10. addresses your router is already doing DNAT, which means your packets are going to spend quite a bit of time being mangled before they reach their destination, and will get the same treatment on their return route too. If you are running anything that needs pseudo-realtime responses (like games) then you may have problems. The same will be true if you have a large number of simultaneous connections. cheers Jamie... |
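The single-NIC design Jamie describes above (DNAT the wanted port, drop everything else, disable ICMP redirects, and SNAT because 10.1.1.1 keeps the router as its default gateway) as an added example. This is not Jamie's rule set and not the original poster's; it assumes eth0 is the only interface, that the router delivers everything for 1.2.3.4 to 10.1.1.2, and that the allowed ports are the hypothetical list in ALLOWED_TCP_PORTS. The script emits the commands rather than running them, so the rules can be read and checked before being applied with the --apply switch.

```shell
#!/bin/sh
# Added example (not from the thread): single-NIC "hairpin" DNAT for the
# thread's addresses. Assumptions: eth0 is the only interface, the router
# already rewrites 1.2.3.4 -> 10.1.1.2, and 10.1.1.1 does NOT use 10.1.1.2
# as its default gateway (hence the SNAT at the end).
LINUX_IP=10.1.1.2
SERVER_IP=10.1.1.1
IFACE=eth0
ALLOWED_TCP_PORTS="25"     # hypothetical list; add more like "25 443"

# Emit the commands instead of running them so the rule set can be reviewed
# first. Apply with:  sh this_script.sh --apply
build_rules() {
    # The correct sysctl name is ip_forward (a common typo is ip_foward,
    # which silently creates a useless file instead of enabling forwarding).
    echo "sysctl -w net.ipv4.ip_forward=1"
    # With one interface the reply leaves the way it came in; stop the
    # kernel from telling the router to bypass us with ICMP redirects.
    echo "sysctl -w net.ipv4.conf.all.send_redirects=0"
    echo "sysctl -w net.ipv4.conf.$IFACE.send_redirects=0"
    # Start from a known state for the chains this example owns.
    echo "iptables -t nat -F PREROUTING"
    echo "iptables -t nat -F POSTROUTING"
    echo "iptables -F FORWARD"
    # Default deny: anything not explicitly allowed below is dropped.
    echo "iptables -P FORWARD DROP"
    for port in $ALLOWED_TCP_PORTS; do
        # Match the destination the packet actually carries when it reaches
        # us (10.1.1.2, after the router's own DNAT), not 1.2.3.4.
        echo "iptables -t nat -A PREROUTING -i $IFACE -p tcp -d $LINUX_IP --dport $port -j DNAT --to-destination $SERVER_IP:$port"
        # Only new connections to the allowed port may be forwarded in.
        echo "iptables -A FORWARD -i $IFACE -o $IFACE -p tcp -d $SERVER_IP --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Replies and related packets of accepted connections may pass.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 10.1.1.1 routes replies via the router, not via us, so rewrite the
    # source to 10.1.1.2; the server then answers us and the DNAT is
    # reversed by conntrack on the way back out.
    echo "iptables -t nat -A POSTROUTING -o $IFACE -d $SERVER_IP -j SNAT --to-source $LINUX_IP"
}

# Count emitted commands matching a pattern (used as a quick self-check).
count_rules() {
    build_rules | grep -c -- "$1"
}

case "${1:-}" in
    --apply) build_rules | sh ;;
    *)       build_rules ;;
esac
```

The cost of the SNAT is that 10.1.1.1 sees every forwarded connection as coming from 10.1.1.2, so the mail server's logs lose the real client address; if that matters, changing the server's default gateway to 10.1.1.2 (as Jamie suggested) lets the POSTROUTING SNAT line be dropped. After applying, `iptables -t nat -L -n -v` and `iptables -L FORWARD -n -v` show the packet counters climbing on the DNAT and ACCEPT rules when a telnet to 10.1.1.2 port 25 goes through.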
I'm jumping into this thread for you to make a mental note of where packets came from... heh
You cannot PREROUTE from the 'WAN IP' that's forwarding to the box; it'll be coming from the router IP... |
Still can't get it to work, meaning when I telnet to port 25 on 10.1.1.2 I get no answer from 10.1.1.1 (or anything else). Maybe I should approach this one step at a time.
I have deleted my /etc/sysconfig/iptables file and am starting with a clean slate after a reboot. How can I simply set up my Linux machine (10.1.1.2) to forward all packets that it receives on port 25 of eth0 (its only NIC) on to 10.1.1.1? No other security needed, just yet. Once I get that working, I can then add the security portion piece by piece. Once again, I would like to thank everyone for their input. I am drawn to go find a Windows forum so I can assist someone at something I am (unfortunately) experienced with. |
Simple:
service iptables stop
service iptables save
service iptables start
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 10.1.1.1:25
echo 1 > /proc/sys/net/ipv4/ip_forward
or edit /etc/sysctl.conf:
net.ipv4.ip_forward=1 |
For some reason, it is not simple for me. Still doesn't work. I know there is no problem with the computer's network connection as I am doing this via a telnet session. I also know SMTP is working fine on the Internal server (10.1.1.1)
Here is what I have done. Removed /etc/sysconfig/iptables and then rebooted. Then, I typed what you said above as follows:
/sbin/service iptables stop
/sbin/service iptables save
/sbin/service iptables start
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 10.1.1.1:25
echo 1 > /proc/sys/net/ipv4/ip_forward
(Note I had to add the -A above to keep from getting an error.) Still no go. This doesn't seem like it should be this difficult, but so far it is beyond me. |
What daemon are you using to run the SMTP?
Can you try telnetting into the SMTP server to make sure? |
The SMTP on the internal server (10.1.1.1) happens to be Exchange Server, and I can telnet to port 25 from the Linux machine as well as any other computer with no problems. There is no SMTP running on the Linux machine of 10.1.1.2.