Problems with port forwarding

MS3FGX · 01-26-2004, 10:52 AM

Hi,

I am having a problem with port forwarding on my Slackware machine.

The Windows 2000 server had to be moved to a new IP, but since this is only temporary, all of the clients couldn't be reconfigured to allow for this change. So I decided to put my Slackware server (usually a file/FTP server) at the IP that the clients would expect the Win2K server to be, and I planed on forwarding any ports to the Win2K server's new IP.

I wrote a very simple script to allow forwarding of DNS, WINS, SMTP (25 and 110), and HTTP to the new IP. But for some reason, only WINS, DNS and port 110 will work. HTTP and port 25 are not forwarded.

Here is my script:

Code:

# Make sure port forwarding is enabled
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Flush all rules
iptables -F
#
# Declare variables
DEST_IP=(10.16.50.11)
INT_NET=(10.16.0.0/24)

#
# Add forwarding rules
#
# Forward external services
# Web
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to $DEST_IP
# Incoming mail
iptables -t nat -A PREROUTING -p udp --dport 25 -i eth0 -j DNAT --to $DEST_IP
# Outgoing mail
iptables -t nat -A PREROUTING -p tcp --dport 110 -i eht0 -j DNAT --to $DEST_IP

# Forward WINS request ONLY for clients on the internal network
iptables -t nat -A PREROUTING -p udp -s $INT_NET --dport 1512 -i eth0 -j DNAT --to $DEST_IP
iptables -t nat -A PREROUTING -p tcp -s $INT_NET --dport 1512 -i eth0 -j DNAT --to $DEST_IP
# Forward DNS request
iptables -t nat -A PREROUTING -p udp --dport 53 -i eth0 -j DNAT --to $DEST_IP
iptables -t nat -A PREROUTING -p tcp --dport 53 -i eth0 -j DNAT --to $DEST_IP
# Print message
echo Port Forwarding configured

Keep in mind that while this system has only one interface (eth0) it has both a public and private IP. This is possible because the state network (which provides our internet connection) NATs our two public IPs to two private IPs that were assigned to us. Therefore, any machine that takes the private IP given to us by the state will also respond to the public IP.

Any help would be appreciated, since I have a hundred or so people who don't like to be without email.

MS3FGX · 01-26-2004, 08:55 PM

Anybody?

I have found that port 25 and 110 are being properly routed from the internet into the mail server, but routing inside the net is not working.

MS3FGX · 01-27-2004, 08:38 AM

OK, now it looks like port 25 isn't getting routed properly from the internet. I know that mail isn't getting in from the state, so it is a good bet it is closed.

Why won't this script route anything properly (except for DNS, which doesn't seem to work through telnet, but I can access the DNS server through it)?

I really need help getting port 25 and 80 to the server, the staff is getting more annoying by the day.

Half_Elf · 01-27-2004, 03:03 PM

is the other end has any firewall or such?
I just tried to follow a SMTP connection (using telnet) between my box and my SMTP server and look like the server request a connection trought AUTH port (113) during the process. And since you aren't forwarding 113 as well, your client connection die as this time. I have no idea with 110 is but it is probably the same problem

Sorry dude, you'll need a firewall on your Win2k box (if that thing is possible)
Make sure to use tcpdump next time

MS3FGX · 01-27-2004, 03:22 PM

I actually just fixed the problem about 5 minutes ago.

Apparently the entire machine was screwed up. It was missing modules that it never bothered to mention, couldn't compile software, and the iptables scripts did nothing.

I just used the same method on a different Slackware machine, and it all worked fine.