Warning: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in ..../includes/class_bbcode.php on line 2958
DNAT help plz !!
Results 1 to 1 of 1

Thread: DNAT help plz !!

  1. #1

    DNAT help plz !!

    Hi,

    The image below shows my current setup where the linux box is an FC7 one



    In the Linux box eth0 is 192.168.0.155/24 and eth1 is 10.4.0.177/16.

    I have created one Iptables script as pasted below using the Easy Firewall Generator for iptables. The issue is that, i am not able to reach port 110 on 10.4.0.100 which is my mail server from my pc (192.168.0.151).

    At the same time DNAT to an IP address of the same series of eth0 works perfectly.For example if i change the DNAT destination from 10.4.0.100 to 192.168.0.159(again a test mail server) in the script,i am able reach it at port 110 from my PC successfully.

    Can anyone please tell me the reason why i am not able to reach 10.4.0.100 at port number 110 form my pc 192.168.0.151 ?

    I should be able to reach the mail server(10.4.0.100) by contacting eth0 of the gateway like " telnet 192.168.0.155 110 "

    Your help is badly needed....!!!

    # Generated by iptables-save v1.3.7 on Thu Aug 23 09:43:47 2007
    *mangle
    :PREROUTING ACCEPT [515:54335]
    :INPUT ACCEPT [3681:310183]
    :FORWARD ACCEPT [66:4090]
    :OUTPUT ACCEPT [315:91576]
    :POSTROUTING ACCEPT [2839:673458]
    COMMIT
    # Completed on Thu Aug 23 09:43:47 2007
    # Generated by iptables-save v1.3.7 on Thu Aug 23 09:43:47 2007
    *nat
    :PREROUTING ACCEPT [107:25629]
    :POSTROUTING ACCEPT [8:480]
    :OUTPUT ACCEPT [9:556]
    -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.4.0.100
    -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.155
    COMMIT
    # Completed on Thu Aug 23 09:43:47 2007
    # Generated by iptables-save v1.3.7 on Thu Aug 23 09:43:47 2007
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [4:904]
    :bad_packets - [0:0]
    :bad_tcp_packets - [0:0]
    :icmp_packets - [0:0]
    :tcp_inbound - [0:0]
    :tcp_outbound - [0:0]
    :udp_inbound - [0:0]
    :udp_outbound - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -j bad_packets
    -A INPUT -d 224.0.0.1 -j DROP
    -A INPUT -s 10.4.0.0/255.255.0.0 -i eth1 -j ACCEPT
    -A INPUT -d 10.4.255.255 -i eth1 -j ACCEPT
    -A INPUT -i eth1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
    -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -p tcp -j tcp_inbound
    -A INPUT -i eth0 -p udp -j udp_inbound
    -A INPUT -i eth0 -p icmp -j icmp_packets
    -A INPUT -m pkttype --pkt-type broadcast -j DROP
    -A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
    -A FORWARD -j bad_packets
    -A FORWARD -i eth1 -p tcp -j tcp_outbound
    -A FORWARD -i eth1 -p udp -j udp_outbound
    -A FORWARD -i eth1 -j ACCEPT
    -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -d 10.4.0.100 -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
    -A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
    -A OUTPUT -p icmp -m state --state INVALID -j DROP
    -A OUTPUT -s 127.0.0.1 -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -s 10.4.0.177 -j ACCEPT
    -A OUTPUT -o eth1 -j ACCEPT
    -A OUTPUT -o eth0 -j ACCEPT
    -A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
    -A bad_packets -s 10.4.0.0/255.255.0.0 -i eth0 -j LOG --log-prefix "Illegal source: "
    -A bad_packets -s 10.4.0.0/255.255.0.0 -i eth0 -j DROP
    -A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
    -A bad_packets -m state --state INVALID -j DROP
    -A bad_packets -p tcp -j bad_tcp_packets
    -A bad_packets -j RETURN
    -A bad_tcp_packets -i eth1 -p tcp -j RETURN
    -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: "
    -A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
    -A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
    -A bad_tcp_packets -p tcp -j RETURN
    -A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
    -A icmp_packets -p icmp -f -j DROP
    -A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
    -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A icmp_packets -p icmp -j RETURN
    -A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
    -A tcp_inbound -p tcp -m tcp --dport 25 -j ACCEPT
    -A tcp_inbound -p tcp -m tcp --dport 110 -j ACCEPT
    -A tcp_inbound -p tcp -m tcp --dport 143 -j ACCEPT
    -A tcp_inbound -p tcp -m tcp --dport 469 -j ACCEPT
    -A tcp_inbound -p tcp -j RETURN
    -A tcp_outbound -p tcp -j ACCEPT
    -A udp_inbound -p udp -m udp --dport 137 -j DROP
    -A udp_inbound -p udp -m udp --dport 138 -j DROP
    -A udp_inbound -p udp -j RETURN
    -A udp_outbound -p udp -j ACCEPT
    COMMIT
    # Completed on Thu Aug 23 09:43:47 2007


    Thanks..
    Last edited by thomaspsimon; 08-23-2007 at 11:37 AM.

Similar Threads

  1. question about dnat and squid
    By clearscreen in forum Redhat / Fedora
    Replies: 0
    Last Post: 02-09-2009, 10:32 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •