[plug] NAT port forward problem
Matthew Whitely
whitely at wn.com.au
Mon Sep 17 15:07:30 WST 2007
Hi,
I'm a fairly solid Linux user for what I need it to do, but recently I've
been setting up a new SFF computer for my workplace which is to handle squid
and firewalling/port forwarding. My problems have mainly arisen from the
latter.
I've been attempting to forward port 25 from this firewall machine to our
internal Email machine (192.168.email.IP:25). The firewall has two interfaces,
one to eventually handle internal and one external traffic; however, at this
point both are connected to a switch for setup (eventually an ADSL
modem/router will handle the connection and forward all ports directly to
eth0). I've been using the following rules in various combinations with
various limited amounts of success:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.email.ip
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.email.ip
With just the PREROUTING rule nothing happens, which isn't too much of a surprise;
with the OUTPUT rule I can get to eth0:25 from the firewall machine, but not from
a networked laptop (same address range). Unfortunately the laptop doesn't
give me any useful error reporting; however, when I connect to the port via an
ssh session on the firewall machine the following message appears on the
monitor attached to the machine itself:
"NAT: no longer support implicit source local NAT
NAT: packet src 192.168.email.ip -> dst 192.168.ext.firewall"
The external firewall NIC is the one I am attempting to connect to; however,
the src and dst seem to be the wrong way around.
I'm running Fedora Core 6, and I have been using webmin the last few days,
though the problem started before then; I simply started using webmin's Linux
firewall tools to try and keep any of my errors to a minimum. Full copy of
/etc/sysconfig/iptables incoming.....
# Generated by iptables-save v1.3.5 on Mon Sep 17 09:57:20 2007
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp -d 192.168.42.188 --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
# Completed on Mon Sep 17 09:57:20 2007
# Generated by iptables-save v1.3.5 on Mon Sep 17 09:57:20 2007
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -i eth1 --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp -i eth0 --dport 25 -j DNAT --to-destination 192.168.42.2:25
-A OUTPUT -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.42.2:25
COMMIT
# Completed on Mon Sep 17 09:57:20 2007
# Generated by webmin
(No mangle table; some of the rules have been from sheer desperation, so if some of
it looks like a walking talking contradiction it's just my madness creeping
in.)
Any help greatly appreciated.
Matthew.
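The two symptoms in the post (a LAN laptop that cannot reach the forwarded port, and the kernel's "no longer support implicit source local NAT" warning for connections made from the firewall itself) are both cases where a DNAT needs a matching explicit SNAT. The script below is an added example, not part of the original post or of webmin's output; it assumes the mail server and the laptop share 192.168.42.0/24, that the firewall's LAN address is 192.168.42.1 and uses a constructed 203.0.113.10 for the external address the post shows as 192.168.ext.firewall.

```shell
#!/bin/sh
# Port-25 forward with hairpin NAT. Constructed example; values marked
# "assumed" or "constructed" are not taken from the original post.
EXT_IF=eth0            # interface towards the ADSL router (from the post)
INT_IF=eth1            # interface towards the LAN (from the post)
MAIL=192.168.42.2      # internal mail server (from the post)
LAN=192.168.42.0/24    # assumed: subnet shared by the mail server and LAN clients
FW_INT=192.168.42.1    # assumed: firewall address on the LAN side
FW_EXT=203.0.113.10    # constructed: firewall external address (shown as
                       # 192.168.ext.firewall in the post)

# IPT defaults to "echo iptables" so the rules can be reviewed without root;
# run as  IPT=iptables sh nat.sh  to actually apply them.
IPT="${IPT:-echo iptables}"

nat_rules() {
    # Match on the external address rather than "-i eth0" so the forward
    # works both now (both NICs on one switch) and behind the router later.
    $IPT -t nat -A PREROUTING -d "$FW_EXT" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAIL:25"
    # Hairpin: a LAN client that connects to $FW_EXT is DNATed to $MAIL, but
    # $MAIL would answer the client directly (same subnet) from an address the
    # client never contacted, so the handshake fails. SNAT the client to the
    # firewall's LAN address so the replies come back through the firewall.
    $IPT -t nat -A POSTROUTING -s "$LAN" -d "$MAIL" -p tcp --dport 25 \
        -j SNAT --to-source "$FW_INT"
    # Connections made from the firewall itself: the kernel message
    # "NAT: no longer support implicit source local NAT" means an OUTPUT DNAT
    # needs its own explicit SNAT in POSTROUTING.
    $IPT -t nat -A OUTPUT -d "$FW_EXT" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAIL:25"
    $IPT -t nat -A POSTROUTING -o "$INT_IF" -d "$MAIL" -p tcp --dport 25 \
        -j SNAT --to-source "$FW_INT"
    # The forwarded flow still has to pass the filter table in both directions.
    $IPT -A FORWARD -d "$MAIL" -p tcp --dport 25 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$MAIL" -p tcp --sport 25 \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

nat_rules
```

After applying, `iptables -t nat -L POSTROUTING -n -v` should show the SNAT counters increase when the laptop connects, and `conntrack -L` (if installed) shows the translated tuple with the firewall's LAN address as the source seen by the mail server.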