iptables nat PREROUTING chain
On 02/14/2012 02:39 PM, Nataraj wrote:
> On 02/14/2012 01:28 PM, Robert Spangler wrote:
>> On Tuesday 14 February 2012 15:21, the following was written:
>>> Is there a way to add a rule to the nat table (CentOS 5.7) that would
>>> alter the port number of tcp packets destined for the server itself? I
>>> have ip_forwarding enabled, but the packets don't seem to hit the
>>> prerouting chain.
>>> I have the following redirect rule in the prerouting table. I also
>>> tried DNAT, but if the packets don't hit PREROUTING, it won't work either.
>>> iptables -t nat -L -v -n
>>> Chain PREROUTING (policy ACCEPT 16079 packets, 896K bytes)
>>> pkts bytes target prot opt in out source
>>> destination 0 0 REDIRECT tcp -- * * 10.10.10.0/24
>>> 0.0.0.0/0 tcp dpt:25 redir ports 12345
>>> aspen 2# cat /proc/sys/net/ipv4/ip_forward
>> Where are you applying this rule? On a firewall or on the SMTP server itself?
>> If the firewall then you need to use DNAT
>> iptables -t nat -A PREROUTING -p tcp --dport <Port> -j DNAT --to-destination
>> <Server IP>:<Port>
>> If you only want this to happen on the inside of the firewall then you are
>> also going to have to include the interface you want this rule to apply to.
>> If it is on the SMTP server itself then you don't need forward to be turned on
>> and you need to use REDIRECT
>> iptables -t nat -A PREROUTING -p tcp --dport <Port> -j REDIRECT --to-ports
>> Also make sure no other rule is filtering the packets before this rule because
>> if the packets are altered then this rule will never be used.
> Thank you. You've confirmed that the redirect that I have should work.
> I think I know what the problem is now. I have the NOTRACK bit set for
> incoming packets on port 25, so maybe those packets don't hit the nat
> PREROUTING table. I did that because spambot attacks were causing
> resource exhaustion problems in the kernel when it was tracking all of
> the connections.
I solved this by adding an accept to the raw PREROUTING table for the IP
addresses that needed to have the ports altered, so they did not have
the NOTRACK bit set.
CentOS mailing list