LinuxQuestions.org
Old 06-26-2012, 01:20 PM   #1
lasantha

Packet redirecting using DNAT

Hi,

I am having a problem with iptables DNAT. It was decided to move my office mail server from the local premises to a VPS on one of the ISP's VMs. The new mail server was installed and DNS was updated accordingly. Users that use a mail client program to download and send mail (SMTP/POP) (Eudora and Outlook) can connect to the new mail server now by changing their outgoing and incoming IP address (the same address is used for both).

Because of the practical difficulty of changing the outgoing and incoming address of each and every one of more than 300 mail clients, I have tried to use an iptables rule on the old mail server Linux machine to redirect packets destined to the old mail server address (which is already configured in every mail client) to the new mail server in the ISP VM, using DNAT.

My rules are given below, but they are not working properly. Please check and correct me on this.

eth0 is connected to the internet
eth1 is connected to the LAN, 192.168.1.200
new mail server address xx.yy.zz.kk
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -d 192.168.1.200 -j DNAT --to xx.yy.zz.kk:25
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 110 -d 192.168.1.200 -j DNAT --to xx.yy.zz.kk:110

service iptables save
service iptables restart
Thank you
 
Old 06-27-2012, 05:57 AM   #2
fukawi1
Is ip_forwarding enabled in the kernel?
Code:
$ cat /proc/sys/net/ipv4/ip_forward
1
 
Old 06-27-2012, 10:51 AM   #3
lasantha
lasantha (Original Poster)
It is clearly stated there, in my code.
 
Old 06-28-2012, 02:34 AM   #4
fukawi1
Indeed it is, sorry I missed that.
Personally, the easiest way to fix this would be to modify the MX record(s) so your mail server URLs point to the correct address of the VPS. That is assuming you are currently using DNS to identify the local mail server; if you're not, IP changes are a good reason to...

Are routes properly configured?

You probably also need a rule to SNAT (static) or MASQUERADE (dynamic) your internet-bound traffic back to the router's internet-facing IP.

I'll share a couple of tricks I use when diagnosing iptables rules.
Generate some traffic that will match the rule you are trying to diagnose, with netcat, hping, etc.
You can "watch" the byte/packet counters while generating the traffic.
Code:
watch iptables -nvL INPUT
In some cases you can create logging rules that will match the traffic you are diagnosing rules for; these can also give some useful information.
Code:
iptables -t nat -A PREROUTING -p tcp --dport 25 -j LOG --log-prefix "DROP: " --log-ip-options --log-tcp-options --log-level warn
Another is to use tcpdump on each host to see where things are getting tripped up...

Just one other thought, is the firewall on the VPS configured to accept the traffic...
 
Old 06-28-2012, 04:43 PM   #5
lasantha
lasantha (Original Poster)
Thanks for the help. I have managed to write the rule. Now it is working. What I have done is create a masquerade rule and a forward rule for incoming traffic at the end of the rule set.


Thanks for the help.
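As an added example (not the poster's final rule set, which the thread does not show), here is a complete version of the redirect that combines the DNAT from post #1 with the FORWARD and MASQUERADE rules that posts #4 and #5 describe. It assumes the LAN clients reach the old address 192.168.1.200 through eth1, keeps xx.yy.zz.kk as a placeholder for the VPS address, and wraps iptables/sysctl in the IPT and SYSCTL variables (my addition) so the rules can be dry-run before they are applied.

```shell
#!/bin/sh
# Added example: LAN mail clients still point at the old server's LAN address;
# rewrite those connections to the VPS and NAT them out of eth0.
# IPT/SYSCTL are indirections so the script can be dry-run with IPT=echo SYSCTL=echo.
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}
LAN_IF=eth1
WAN_IF=eth0
OLD_MAIL=192.168.1.200              # old server's LAN address, configured in every client
NEW_MAIL=${NEW_MAIL:-xx.yy.zz.kk}   # placeholder: the real VPS address goes here
MAIL_PORTS="25 110"                 # SMTP and POP3, the two ports the thread redirects

apply_rules() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
    "$IPT" -F INPUT
    "$IPT" -F FORWARD
    "$IPT" -t nat -F PREROUTING
    "$IPT" -t nat -F POSTROUTING
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    for port in $MAIL_PORTS; do
        # 1. Rewrite the destination as the packet arrives from the LAN side
        #    (clients are on eth1, so that is the interface the rule must match).
        "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d "$OLD_MAIL" --dport "$port" \
            -j DNAT --to-destination "$NEW_MAIL:$port"
        # 2. Allow only the rewritten connections through FORWARD, not all LAN traffic.
        "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -d "$NEW_MAIL" --dport "$port" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Source-NAT the forwarded traffic to this box's internet-facing address so the
    #    VPS's replies return here to be un-NATed (the MASQUERADE rule from post #4/#5).
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -d "$NEW_MAIL" -j MASQUERADE
}

# Only touch the live firewall when explicitly asked: sh redirect.sh apply
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run `IPT=echo SYSCTL=echo sh redirect.sh apply` first to print the exact rules without applying them, then `watch iptables -t nat -nvL PREROUTING` while a client connects to confirm the DNAT counters increment.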