IPTables How to make outgoing traffic show from a different IP address

codenjanod · 11-04-2009, 07:47 AM

Hi all,

I have a Linux IPTables firewall on Centos 5.3.
It has one physical interface to the internet and 2 internal interfaces to a DMZ and TRUSTED zone respectively.

There are 10 virtual interfaces linked to the physical public interface.

Emails are being sent from my server in the DMZ out to the internet, but it is being shown as coming from the firewall IP address.
It must show as coming from one of the virtual interfaces.

How would I set that up ??

Thanks

bertl · 11-04-2009, 10:20 AM

Do you have a range of IP addresses assigned from your provider - are the aliases on the public interface actual routable addresses?

If not (if you only have one IP assigned) you won't be able to do this - only that one IP will be found from the Internet, any other isn't routable to you so you can't use anything else for public Internet communication.

Considering all those addresses are valid and routable, you currently apparently have one catch all nat rule set up, maybe something like

Code:

# iptables -t nat -A -s DMZ-range/24 -o public_eth0 -j MASQUERADE

or

Code:

# iptables -t nat -A -s DMZ-range/24 -o public_eth0 -j SNAT --to first-ip-on-public_eth0

If you want something specific for your mail host and your mail host has a non routable IP (172.17.x? 192.168.x? 10.x.y.z?) than you could do

Code:

# iptables -t nat -A -s dmz-ip-of-mail-host -o public_eth0 -j SNAT --to alias-ip-of-your-liking

If it actually has its own routable/public IP, you can just forward, you shouldn't do any NAT.

Apart from all this you'll still have to drill appropriate holes in your iptables filter chains, and especially make sure you don't leave open too much of your nicely firewalled off DMZ.

-Bert

codenjanod · 11-05-2009, 12:23 AM

Hi bertl,

This is what I currently have in my script for this client:

Code:

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SMTP_EB1 --dport 25 -j allowed

Code:

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $VIRT_PUBL_IP --dport 25 -j DNAT --to-destination $DMZ_SMTP_EB1

And the only SNAT rule I do have is:

Code:

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

Where:
$INET_IFACE = eth0
$DMZ_IFACE = eth2
$DMZ_SMTP_EB1 = Private IP of my DMZ SMTP server
$VIRT_PUBL_IP = Public IP the client is connecting to and needs to send from
$INET_IP = The public IP of the firewall

And when SMTP traffic leaves the system it is shown that it is coming from the firewall public IP address, instead of the $VIRT_PUBL_IP
This is my first firewall script and I am still learning, so thanks a bunch for your help so far.

Thanks

codenjanod · 11-05-2009, 02:51 AM

Hi,

I managed to sort it out.
This is what I did.

All the incoming NAT's were fine, but we have various clients sending out emails from one of our DMZ servers.
One specific client did not want to go out via the default SMTP public IP address, so I had to create a virtual IP address.

My rules basically looked like this:

Code:

$IPTABLES -t nat -A POSTROUTING -p TCP -o $INET_IFACE -s $DMZ_SMTP_EB1 --dport 25 -d <DST_IP> -j SNAT --to $Vrt_216_IP

The above will allow this client to go out on the specific IP address they want to go out on.

And the blow rules keep the SMTP traffic for the rest of the clients the same.

Code:

$IPTABLES -t nat -A POSTROUTING -p TCP -o $INET_IFACE -s $DMZ_SMTP_EB1 -j SNAT --to $SMTP_EB_EXT_IP

$IPTABLES -t nat -A POSTROUTING -p TCP -o $INET_IFACE -s $DMZ_SMTP_EM1 -j SNAT --to $SMTP_EM_EXT_IP

Thanks for the tips

bertl · 11-05-2009, 01:10 PM

Glad it worked out!