
Wednesday, April 08, 2009

Re: Kicked me of self! :-/

On Wed, Apr 08, 2009 at 09:59:50AM +0200, Benjamin Hackl wrote:
> On Wed, 8 Apr 2009 09:13:40 +0200
> Stephan Balmer <sb@lia.ch> wrote:
>
> > > So what I need now, is the setup for the IP Tables to get the
> > > traffic forwarded from eth0/eth1 to the servers in eth2 where I have
> > >
> > > eth0 -> smtp/imap -> 192.168.0.196 <mail.tamay-dogan.net>
> > > http -> 192.168.0.200 <www.tamay-dogan.net>
> > > (VServer) http:9999 -> 192.168.0.210 <www.debian.tamay-dogan.net>
> > > (VServer)
> > >
> > > eth2 -> smtp/imap -> 192.168.0.220 <mail.tdwave.net>
> > > http -> 192.168.0.221 <www.tdwave.net>
> > > (VServer) http:9999 -> 192.168.0.230 <www.debian.tamay-dogan.net>
> > > (VServer) pgsql -> 192.168.0.240 <pgsql.private.tamay-dogan.net>
> >
> > You want to have a look at the DNAT section in the iptables manual.
> >
> > And to get you up to speed,
> >
> > iptables -t nat -A PREROUTING \
> > --destination <PUBIP> -p tcp -m tcp --destination-port <PUBPORT> \
> > --jump DNAT --to-destination <PRIVATEIP>:<PRIVATEPORT>
> >
> > seems to be what you need.
>
> That's right.
> Could look somewhat like that for port smtp/25
> on eth2 -> 192.168.0.220:25
>
> iptables -t nat -A PREROUTING \
> -i eth2 -p tcp --dport 25 -j DNAT \
> --to 192.168.0.220:25
>
> And don't forget to accept the packet itself ;-)
>
> iptables -A INPUT -p tcp -m state --state NEW \
> --dport 25 -i eth2 -j ACCEPT

INPUT is in fact a local chain, but this fw is actually just forwarding
these packets. Michelle needs a forwarding accept:

iptables -A FORWARD -p tcp -i $EXT_IF -o $LAN_IF -d 192.168.0.220 \
--dport 25 [--sport 1024:65535] -j ACCEPT

As traffic for 192.168.0.220:25 is not for this 'localhost' it will
never traverse the INPUT chain.

iptables is complex; a correct image of the chains/hooks helps a great
deal to fathom them.

This is a nice writeup to get you up to speed.
http://www.linuxtopia.org/Linux_Firewall_iptables/c951.html
The image is to be understood thus: all traffic, regardless if it flows
from extern to intern or from intern to extern traverses the iptables
chains/hooks as shown in the image from top to bottom.
If traffic is forwarded it travels the right-hand chain and /never/ the
left-hand one for 'local traffic'.

Greetings,
Markus

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
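The DNAT plus FORWARD-accept pairing discussed in the thread, as an added example that is not part of the original mails. It is a small POSIX shell script that emits the rules for the eth2 hosts listed above (smtp/imap to 192.168.0.220, http to 192.168.0.221, http:9999 to 192.168.0.230). Interface names, the public IP 203.0.113.10 (a documentation-range placeholder) and a default-DROP FORWARD policy are assumptions; by default the script only prints the iptables commands (IPTABLES defaults to "echo iptables"), so it can be read and tested without root. The pgsql host is deliberately not forwarded, since a private database should not be reachable from the outside.

```shell
#!/bin/sh
# Added example (not from the original posts): build the DNAT + FORWARD
# rule pairs for the hosts behind eth2. Assumed: EXT_IF=eth2, LAN_IF=eth1,
# PUB_IP=203.0.113.10 (placeholder), FORWARD policy DROP. Dry run by
# default; run as root with IPTABLES=iptables to apply for real.

EXT_IF="${EXT_IF:-eth2}"
LAN_IF="${LAN_IF:-eth1}"
PUB_IP="${PUB_IP:-203.0.113.10}"        # assumption, documentation range
IPTABLES="${IPTABLES:-echo iptables}"   # "echo iptables" = dry run

# Rules needed once: return packets of forwarded flows get back out, and
# anything else crossing the box is dropped unless explicitly accepted.
base_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# forward_service PROTO PUBPORT PRIVIP PRIVPORT
# 1) nat PREROUTING rewrites the destination to the internal host;
# 2) filter FORWARD accepts the new connection to that host.
# The accept goes in FORWARD, not INPUT: after DNAT the packet is addressed
# to PRIVIP, so it is routed through the box and never delivered locally.
forward_service() {
    proto=$1 pubport=$2 privip=$3 privport=$4
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -d "$PUB_IP" -p "$proto" \
        --dport "$pubport" -j DNAT --to-destination "$privip:$privport"
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$privip" -p "$proto" \
        --dport "$privport" -m conntrack --ctstate NEW -j ACCEPT
}

base_rules
forward_service tcp 25   192.168.0.220 25     # smtp      -> mail.tdwave.net
forward_service tcp 143  192.168.0.220 143    # imap      -> mail.tdwave.net
forward_service tcp 80   192.168.0.221 80     # http      -> www.tdwave.net
forward_service tcp 9999 192.168.0.230 9999   # http:9999 -> www.debian...
# 192.168.0.240 (pgsql) intentionally has no rule: keep it internal only.
```

Running it without arguments prints the eight rule lines; to apply them, `IPTABLES=iptables sh forward.sh` as root. The ESTABLISHED,RELATED rule is what lets the server's replies back through FORWARD once the first packet has been accepted, so it belongs before the per-service rules.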
