
Re: DNAT PREROUTING issue with IPTABLES



Indunil Jayasooriya wrote:

   SECOND Firewall's default route (gateway) is NOT the FIRST firewall.
   BOTH firewalls' default route (gateway) is the router given by our ISP.

Ok, so you understand your problem now?

Assuming the packet arrives at 1.2.3.4 from a random external ip (eg. 5.5.5.5), is successfully dnat+rerouted to 2.3.4.5, there again dnat+rerouted to 192.168.x.x. It arrives at the smtp server and the smtp server sends a reply to the original sender 5.5.5.5. It does that via its default gateway which I assume is 2.3.4.5. 2.3.4.5 sends it via your ISP's gateway with its own address of 2.3.4.5 to 5.5.5.5.

But 5.5.5.5 sent the packet to 1.2.3.4, not 2.3.4.5, so it discards it.

And that's exactly what Riccardo said when I read his mail now.

The first problem though is that I'm not sure the dnat from 1.2.3.4 to 2.3.4.5 works, the packet would have to leave via the same interface it came in on. Maybe this works, I've never tried that. Make sure packets arrive on the smtp box with tcpdump.

As for the solution, one way would be to SNAT the connection at FW1, but this would cause the smtp box to see all the incoming connections as if they were from 1.2.3.4 and not their real IPs (5.5.5.5).

Actually you should set up custom routing at 1.2.3.4 and not DNAT. You'd have to mark the packets and then send them to the 2.3.4.5 fw via a custom route. I'm not sure I could help you with that, never done any advanced routing.

--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@xxxxxxxxxxxxxxx

Krediidiinfo AS
http://www.krediidiinfo.ee/
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
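To make the return-path argument above concrete, here is a small added simulation (not code from the thread) of the two-hop DNAT chain with a conntrack table on each firewall. The SMTP host address 192.168.0.25 is a constructed stand-in for the 192.168.x.x in the post; the model shows why the reply reaches 5.5.5.5 sourced from 2.3.4.5 without SNAT, and what the SNAT-at-FW1 workaround costs (the server sees 1.2.3.4 as the client).

```python
"""Constructed model of the two-firewall DNAT chain from the thread (not code from the post)."""

CLIENT, FW1, FW2, SMTP = "5.5.5.5", "1.2.3.4", "2.3.4.5", "192.168.0.25"  # SMTP host assumed


class NatBox:
    """Firewall that DNATs traffic sent to its public IP, optionally SNATing it as well."""

    def __init__(self, public_ip, dnat_to, snat=False):
        self.public_ip, self.dnat_to, self.snat = public_ip, dnat_to, snat
        self.conntrack = {}  # (src, dst) after translation -> (src, dst) before it

    def forward(self, src, dst):
        """PREROUTING DNAT (plus POSTROUTING SNAT if enabled); record the mapping."""
        if dst != self.public_ip:
            return src, dst  # not addressed to us: routed untouched
        translated = (self.public_ip if self.snat else src, self.dnat_to)
        self.conntrack[translated] = (src, dst)
        return translated

    def reply(self, src, dst):
        """Reverse the translation for a reply that matches a tracked connection."""
        orig = self.conntrack.get((dst, src))
        if orig is None:
            return src, dst
        return orig[1], orig[0]


def simulate(snat_at_fw1):
    """Return (client IP seen by SMTP, source IP of the reply at 5.5.5.5, accepted?)."""
    fw1, fw2 = NatBox(FW1, FW2, snat=snat_at_fw1), NatBox(FW2, SMTP)
    # Forward path: client -> FW1 (DNAT to 2.3.4.5) -> FW2 (DNAT to the SMTP host)
    src, dst = fw2.forward(*fw1.forward(CLIENT, FW1))
    seen_by_smtp = src
    # Reply: the SMTP host answers its client via its default gateway, FW2
    src, dst = fw2.reply(dst, src)
    # FW2's default gateway is the ISP router, so the reply only revisits FW1
    # when it is actually addressed to 1.2.3.4, which only the SNAT case produces
    if dst == FW1:
        src, dst = fw1.reply(src, dst)
    # The client sent to 1.2.3.4, so it only accepts a reply whose source is 1.2.3.4
    accepted = dst == CLIENT and src == FW1
    return seen_by_smtp, src, accepted


if __name__ == "__main__":
    for snat in (False, True):
        print("SNAT at FW1:" if snat else "DNAT only:  ", simulate(snat))
```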
