02-14-2012, 07:21 PM
Nataraj

iptables nat PREROUTING chain

Is there a way to add a rule to the nat table (CentOS 5.7) that would
alter the port number of tcp packets destined for the server itself? I
have ip_forwarding enabled, but the packets don't seem to hit the
prerouting chain.

I have the following redirect rule in the prerouting table. I also
tried DNAT, but if the packets don't hit PREROUTING, it won't work either.

iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 16079 packets, 896K bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 10.10.10.0/24 0.0.0.0/0 tcp dpt:25 redir ports 12345


aspen 2# cat /proc/sys/net/ipv4/ip_forward
1



Thanks,
Nataraj

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
02-14-2012, 08:28 PM
Robert Spangler

iptables nat PREROUTING chain

On Tuesday 14 February 2012 15:21, the following was written:

> Is there a way to add a rule to the nat table (CentOS 5.7) that would
> alter the port number of tcp packets destined for the server itself? I
> have ip_forwarding enabled, but the packets don't seem to hit the
> prerouting chain.
>
> I have the following redirect rule in the prerouting table. I also
> tried DNAT, but if the packets don't hit PREROUTING, it won't work either.
>
> iptables -t nat -L -v -n
> Chain PREROUTING (policy ACCEPT 16079 packets, 896K bytes)
> pkts bytes target prot opt in out source destination
> 0 0 REDIRECT tcp -- * * 10.10.10.0/24 0.0.0.0/0 tcp dpt:25 redir ports 12345
>
>
> aspen 2# cat /proc/sys/net/ipv4/ip_forward
> 1

Where are you applying this rule? On a firewall or on the SMTP server itself?

If on the firewall, then you need to use DNAT.

Example:

iptables -t nat -A PREROUTING -p tcp --dport <Port> -j DNAT --to-destination <Server IP>:<Port>

If you only want this to happen on the inside of the firewall then you are
also going to have to include the interface you want this rule to apply to.


If it is on the SMTP server itself, then you don't need forward to be turned on, and you need to use REDIRECT.

Example:

iptables -t nat -A PREROUTING -p tcp --dport <Port> -j REDIRECT --to-ports <Port>

Also make sure no other rule is filtering the packets before this rule because
if the packets are altered then this rule will never be used.


--

Regards
Robert

 
02-14-2012, 09:39 PM
Nataraj

iptables nat PREROUTING chain

On 02/14/2012 01:28 PM, Robert Spangler wrote:
> On Tuesday 14 February 2012 15:21, the following was written:
>
>> Is there a way to add a rule to the nat table (CentOS 5.7) that would
>> alter the port number of tcp packets destined for the server itself? I
>> have ip_forwarding enabled, but the packets don't seem to hit the
>> prerouting chain.
>>
>> I have the following redirect rule in the prerouting table. I also
>> tried DNAT, but if the packets don't hit PREROUTING, it won't work either.
>>
>> iptables -t nat -L -v -n
>> Chain PREROUTING (policy ACCEPT 16079 packets, 896K bytes)
>> pkts bytes target prot opt in out source destination
>> 0 0 REDIRECT tcp -- * * 10.10.10.0/24 0.0.0.0/0 tcp dpt:25 redir ports 12345
>>
>>
>> aspen 2# cat /proc/sys/net/ipv4/ip_forward
>> 1
> Where are you applying this rule? On a firewall or on the SMTP server itself?
>
> If the firewall then you need to use DNAT
>
> Example:
>
> iptables -t nat -A PREROUTING -p tcp --dport <Port> -j DNAT --to-destination <Server IP>:<Port>
>
> If you only want this to happen on the inside of the firewall then you are
> also going to have to include the interface you want this rule to apply to.
>
>
> If it is on the SMTP server itself then you don't need forward to be turned on
> and you need to use REDIRECT
>
> Example:
>
> iptables -t nat -A PREROUTING -p tcp --dport <Port> -j REDIRECT --to-ports <Port>
>
> Also make sure no other rule is filtering the packets before this rule because
> if the packets are altered then this rule will never be used.
>
>
Thank you. You've confirmed that the redirect that I have should work.
I think I know what the problem is now. I have the NOTRACK bit set for
incoming packets on port 25, so maybe those packets don't hit the nat
PREROUTING table. I did that because spambot attacks were causing
resource exhaustion problems in the kernel when it was tracking all of
the connections.

I don't really know how to do what I want to do other than increasing
the resource on the server so it could sustain a spambot attack while
tracking the connection. If you have any ideas it would be appreciated.

What I am trying to do is to change my external SMTP port so that it
does not allow relaying or authentication and move all of the relay
clients to a submission port. The idea is to rewrite the port on
connections coming from the internal network so we don't have to require
all of the internal clients to reconfigure their mail clients.

Nataraj

 
02-14-2012, 10:22 PM
Nataraj

iptables nat PREROUTING chain

On 02/14/2012 02:39 PM, Nataraj wrote:
> On 02/14/2012 01:28 PM, Robert Spangler wrote:
>> On Tuesday 14 February 2012 15:21, the following was written:
>>
>>> Is there a way to add a rule to the nat table (CentOS 5.7) that would
>>> alter the port number of tcp packets destined for the server itself? I
>>> have ip_forwarding enabled, but the packets don't seem to hit the
>>> prerouting chain.
>>>
>>> I have the following redirect rule in the prerouting table. I also
>>> tried DNAT, but if the packets don't hit PREROUTING, it won't work either.
>>>
>>> iptables -t nat -L -v -n
>>> Chain PREROUTING (policy ACCEPT 16079 packets, 896K bytes)
>>> pkts bytes target prot opt in out source destination
>>> 0 0 REDIRECT tcp -- * * 10.10.10.0/24 0.0.0.0/0 tcp dpt:25 redir ports 12345
>>>
>>>
>>> aspen 2# cat /proc/sys/net/ipv4/ip_forward
>>> 1
>> Where are you applying this rule? On a firewall or on the SMTP server itself?
>>
>> If the firewall then you need to use DNAT
>>
>> Example:
>>
>> iptables -t nat -A PREROUTING -p tcp --dport <Port> -j DNAT --to-destination <Server IP>:<Port>
>>
>> If you only want this to happen on the inside of the firewall then you are
>> also going to have to include the interface you want this rule to apply to.
>>
>>
>> If it is on the SMTP server itself then you don't need forward to be turned on
>> and you need to use REDIRECT
>>
>> Example:
>>
>> iptables -t nat -A PREROUTING -p tcp --dport <Port> -j REDIRECT --to-ports <Port>
>>
>> Also make sure no other rule is filtering the packets before this rule because
>> if the packets are altered then this rule will never be used.
>>
>>
> Thank you. You've confirmed that the redirect that I have should work.
> I think I know what the problem is now. I have the NOTRACK bit set for
> incoming packets on port 25, so maybe those packets don't hit the nat
> PREROUTING table. I did that because spambot attacks were causing
> resource exhaustion problems in the kernel when it was tracking all of
> the connections.
I solved this by adding an accept to the raw PREROUTING table for the IP
addresses that needed to have the ports altered, so they did not have
the NOTRACK bit set.

Thank You,
Nataraj

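The following is an added example written for this archive page; it is not code from the thread. It puts together the two things the thread establishes: Robert's distinction between REDIRECT (rule on the SMTP server itself) and DNAT (rule on a separate firewall, restricted to the inside interface), and Nataraj's fix of ACCEPTing the internal sources in the raw PREROUTING chain ahead of the NOTRACK rule. The reason the fix works is that the nat table is only consulted for the first packet of a connection as seen by conntrack; a packet marked NOTRACK never gets a conntrack entry, so nat PREROUTING never sees it. The interface name eth1, the submission port 587, the firewall-case server address 192.0.2.10 and the use of `-m conntrack --ctstate UNTRACKED` are assumptions made for this example, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Emits an iptables-restore ruleset for the "rule on the SMTP server itself"
# case (raw + nat REDIRECT + filter), and separately the DNAT variant for a
# firewall in front of the server.
# Assumed values (not in the thread): LAN on eth1, submission port 587.

LAN_IF=eth1
LAN_NET=10.10.10.0/24
SMTP_PORT=25
SUBMISSION_PORT=587

# Ruleset for the SMTP server itself. ip_forward is not needed here.
smtp_server_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Order matters: ACCEPT ends raw-chain traversal for internal clients, so they
# are never marked NOTRACK; conntrack, and therefore nat PREROUTING, sees them.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport $SMTP_PORT -j ACCEPT
# Everything else aimed at port 25 bypasses conntrack (spambot floods).
-A PREROUTING -p tcp --dport $SMTP_PORT -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only tracked (internal) connections ever reach this chain.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport $SMTP_PORT -j REDIRECT --to-ports $SUBMISSION_PORT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Untracked external SMTP never has a conntrack entry, so match it explicitly
# (assumes a kernel/iptables whose conntrack match knows UNTRACKED).
-A INPUT -p tcp --dport $SMTP_PORT -m conntrack --ctstate UNTRACKED -j ACCEPT
# Internal clients arrive here already rewritten to the submission port.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SUBMISSION_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# DNAT variant for a separate firewall host. Restricted to the inside
# interface, as Robert suggests, plus the FORWARD rule the rewritten packets
# need. This host does need net.ipv4.ip_forward=1.
firewall_dnat_rules() {
    server_ip=$1   # assumed address of the mail server behind the firewall
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport $SMTP_PORT -j DNAT --to-destination $server_ip:$SUBMISSION_PORT
iptables -A FORWARD -i $LAN_IF -d $server_ip -p tcp --dport $SUBMISSION_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Sanity check: in the raw table the ACCEPT for internal clients must come
# before the NOTRACK rule, otherwise the nat REDIRECT is never hit.
raw_accept_before_notrack() {
    smtp_server_ruleset | awk '
        /^\*/ { table = $0 }
        table == "*raw" && /-j ACCEPT/  && !a { a = NR }
        table == "*raw" && /-j NOTRACK/ && !n { n = NR }
        END { exit !(a && n && a < n) }'
}

# Usage on the server:  smtp_server_ruleset | iptables-restore
# Then watch the counters:  iptables -t raw -L PREROUTING -v -n
#                           iptables -t nat -L PREROUTING -v -n
if [ "${1:-}" = "show" ]; then
    smtp_server_ruleset
fi
```

On current kernels the NOTRACK target is an alias for `-j CT --notrack`; the raw-table ordering requirement is the same either way. After loading, the pkts counter on the nat REDIRECT rule should start climbing for connections from the LAN, while the NOTRACK rule's counter absorbs the rest.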