LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 07-15-2014, 01:38 PM   #1
raeif
LQ Newbie
 
Registered: Jul 2014
Posts: 11

Rep: Reputation: Disabled
ubuntu router/port forwarding


Hi, I'm very new to linux but have been trying some advanced configurations. Sorry if this is a long post but I've tried a lot of things already and I want to give proper context.

I've set up a ubuntu 12.04 server as a router with port forwarding (issue is with smtp). I've poured over all the information I could Google on it and I'm 90% there, just have a few weird issues. My guess is I don't have UFW configured correctly either on the router or on the mail server.

I'm running an ubuntu 12.04.4 LTS VM on Hyper-V (I know, Virtualbox or VMware are far better but it is what it is). eth0 is configured with a public IP, eth1 is a private LAN address 10.0.0.1 in my DMZ. I also have another ubuntu server as an internal firewall separating my DMZ from my internal network, it has an interface configured with DMZ IP 10.0.0.254. My destination http/https servers are currently on my internal network, i haven't moved them to the DMZ yet so port forwarding passes through the internal fw. The smtp server is on the DMZ subnet with IP 10.0.0.50 (another ubuntu server with scrollout f1 mail gw which uses postfix).

I've got NAT working fine and set up port forwarding for 80, 443, 25 and a custom port 1616. The weirdness is that 80, 443 and 1616 forward just fine but 25 isn't forwarding. I verified with my ISP they are not blocking it and it was working prior to Jul 3 on a previous server (hard drive filled up and server crashed, I tried to expand drive but hosed it instead, so I had to rebuild).

All of the port forwarding rules are configured exactly the same in before.rules so I doubt thats the issue since all work except the one smtp rule. I have UFW on the router configured with the following rules:

Code:
To                         Action      From
--                         ------      ----
10.0.0.50 25              ALLOW       <public ip>
10.0.0.254 80             ALLOW       <public ip>
10.0.0.254 443            ALLOW       <public ip>
10.0.0.254 1616           ALLOW       <public ip>
10.0.0.0/24               DENY        <public ip>
I have UFW configured on the smtp server with the following rules:

Code:
To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
25                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
I also enabled ufw logging on both servers but it doesn't show any activity (block or allow).

Last thing is when I try to telnet to the public IP from the public internet, it times out like nothing is listening on 25. I can telnet from the 10.0.0.1 and 10.0.0.254 routers to the mail gw with no problem. I can telnet from my internal Exchange server to the mail gw with no problem. This points me to the router passing traffic from the public IP to the DMZ IP and forwarding it to the mail gw.

I'm happy to post additional configs as needed. Any help or suggestions of where the look next is greatly appreciated!

Note: The IPs have been changed to protect the innocent.
 
Old 07-16-2014, 03:44 AM   #2
hoes
Member
 
Registered: Sep 2005
Distribution: debian, linux from scratch
Posts: 190

Rep: Reputation: 51
Just to check...
You have one host 10.0.0.254 for which it works and one host 10.0.0.50 for which it fails.
Could it be a problem with your host machine 10.0.0.50 instead of with the forwarding?
 
Old 07-16-2014, 03:52 AM   #3
raeif
LQ Newbie
 
Registered: Jul 2014
Posts: 11

Original Poster
Rep: Reputation: Disabled
I can telnet on 25 to the smtp server (10.0.0.50) from any DMZ or LAN IP, 10.0.0.1 (DMZ perimeter FW), 10.0.0.254 (Internal FW) and anything behind the internal FW, 10.10.0.0/24. But after messing with it all day today, now when I telnet from a public IP, it will establish a connection, I get no response from the smtp server, then the connection drops.

Also it is entirely possible its the 10.0.0.50 host. It was a fresh install though. I did make a lot of changes to ufw and consequently iptables. Does it cache any of the old settings or something like that?

Last edited by raeif; 07-16-2014 at 04:02 AM.
 
Old 07-16-2014, 04:12 AM   #4
hoes
Member
 
Registered: Sep 2005
Distribution: debian, linux from scratch
Posts: 190

Rep: Reputation: 51
The changes you apply to iptables should be immediate.

But I have a different question.
I see that you allow all data to pass,
But do you also force all data arriving at the external FW to port 25 of 10.0.0.50?
That is something I do not see in your configuration.
 
Old 07-16-2014, 04:18 AM   #5
raeif
LQ Newbie
 
Registered: Jul 2014
Posts: 11

Original Poster
Rep: Reputation: Disabled
The only place I force sending 25 traffic is in before.rules:

Code:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
-A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.0.0.50:25
<more forwarding rules>
COMMIT
I also have since changed my UFW rules based on more articles I've been reading:

Code:
Status: active
Logging: off
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
25/tcp                     ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere
 
Old 07-16-2014, 04:52 AM   #6
hoes
Member
 
Registered: Sep 2005
Distribution: debian, linux from scratch
Posts: 190

Rep: Reputation: 51
Your rule for prerouting seems to work based on comparisons with a google search.
Could you check if it also works if you add a similar rule for port 80, 443 or 1616?
This way you can check whether it is in the NAT and forwarding or in the host.
 
Old 07-16-2014, 10:58 AM   #7
raeif
LQ Newbie
 
Registered: Jul 2014
Posts: 11

Original Poster
Rep: Reputation: Disabled
In hindsight, I probably should have posted the whole nat section for comparison. Yes, the rules are the same, I added the smtp rule later and used those as a template:

Code:
# NAT Table
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE

# public ip forwarding rules
-A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.0.0.50:25
-A PREROUTING -p tcp -i eth0 --dport 1616 -j DNAT --to-destination 10.10.0.200:1616
-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.10.0.10:80
-A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to-destination 10.10.0.10:443
COMMIT
I ran some more tests and I think the forwarding is working because I can telnet in from outside now but I get no response, like the connection is established but gets nothing back. Someone else on another board I posted to suggested the smtp server may be sending responses on a different route. Is that possible and how would I check that? I really appreciate the help!
 
Old 07-16-2014, 04:52 PM   #8
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 15

Rep: Reputation: 0
Shorewall

This certainly does not answer your specific question, but you might want to check out the opensource project, Shorewall ( http://bit.ly/1nc0zEJ ), as is makes dealing with IP tables much easier. The author is very helpful as is the community around the project. The web site's documentation is also very detailed and contains many examples. It is really worth using if you are going to do any extensive work with IP Tables.
 
Old 07-16-2014, 05:28 PM   #9
raeif
LQ Newbie
 
Registered: Jul 2014
Posts: 11

Original Poster
Rep: Reputation: Disabled
Yeah I didn't see Shorewall until well after I had already gotten deep into using UFW to manage iptables and I'd like to get things back up and running before taking on a new application to learn. I appreciate the suggestion though, it is something I planned on looking into later.
 
Old 07-17-2014, 04:36 PM   #10
raeif
LQ Newbie
 
Registered: Jul 2014
Posts: 11

Original Poster
Rep: Reputation: Disabled
I've fixed the issue, was a variety of causes. My fw rules were fine and it was forwarding correctly but I didn't have my adapters configured with the correct gateways so there was no route out. Also my ISP was blocking smtp out. All is working now, thanks all for the help.
 
  


Reply

Tags
firewall, port forwarding, router


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
port forwarding without router jkeertir Linux - Newbie 3 09-17-2009 10:56 AM
Port Forwarding from Router to Client expatCM Linux - Networking 0 08-06-2008 05:38 AM
Port Forwarding For Router kool_kid Linux - Networking 4 09-25-2007 02:10 PM
port forwarding on Belkin 4-port Cable/DSL Gateway Router sycamorex Linux - Networking 5 03-05-2007 03:27 PM
router port forwarding/ssh epoo Slackware 7 12-30-2003 03:02 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 01:58 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration