A port forwarding puzzler
Joseph Erlewein
jerlewein@mhc.net
Wed, 19 Dec 2001 13:21:34 -0500
My mistake. That is what the rule is.
That's what I get for retyping the rules specifically for email instead of cut-and-paste.
And you are correct in your assumption...
So in all actuality - it should work then?
-jre
Joseph R. Erlewein
Information Center Specialist
Munson Healthcare
jerlewein@mhc.net
>>> Tom Eastep <teastep@shorewall.net> 19.Dec.2001 12.54.16 >>>
On Wednesday 19 December 2001 09:47 am, Joseph Erlewein wrote:
> $IPT -t nat -A PREROUTING -i eth0 -p tcp -d EXTIP --dport 25 -j DNAT --to MAILSERVIP:25
> $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d EXTIP --dport 25 -j ACCEPT
By the time the packet reaches the filter FORWARD chain, the destination address will have been rewritten to MAILSERVERIP (I assume that your real script uses IP addresses or $MAILSERVERIP). So your second rule should be:
$IPT -A FORWARD -i eth0 -o eth1 -p tcp -d MAILSERVIP --dport 25 -j ACCEPT
-Tom
-- 
Tom Eastep \ teastep@shorewall.net
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ Firewalls for Linux 2.4
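The ordering Tom describes (nat PREROUTING rewrites the destination, the packet is routed, and only then does filter FORWARD see it) is the whole puzzle. The following is an added example, not code from the thread or from Shorewall: a small Python model of that traversal order that runs the two candidate FORWARD rules side by side. The addresses for EXTIP and MAILSERVIP, the routing decision and the chain policies are constructed for the simulation; on a real 2.4 box the equivalent check is to watch the per-rule packet counters in `iptables -L FORWARD -n -v` after a connection attempt.

```python
"""Model of netfilter chain traversal for a DNAT'd SMTP connection.

Added example (not from the original mailing-list thread). It simulates
the order in which a forwarded packet meets the chains on a Linux 2.4
iptables box: nat PREROUTING first (where DNAT rewrites the destination),
then the routing decision, then filter FORWARD. A FORWARD rule that
matches on the pre-NAT address (EXTIP) therefore never sees the packet.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed addresses standing in for the placeholders used in the thread.
EXTIP = "203.0.113.10"        # firewall's public address on eth0
MAILSERVIP = "192.168.1.25"   # internal mail server behind eth1


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: Optional[str]   # unknown until the routing decision
    proto: str
    dst: str
    dport: int


@dataclass
class Rule:
    """One iptables rule: every non-None field must match (-i, -o, -p, -d, --dport)."""
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    target: str = "ACCEPT"
    to: Optional[str] = None   # DNAT only: "ip:port" given to --to

    def matches(self, pkt: Packet) -> bool:
        for name in ("in_iface", "out_iface", "proto", "dst", "dport"):
            want = getattr(self, name)
            if want is not None and getattr(pkt, name) != want:
                return False
        return True


def run_chain(pkt: Packet, rules: List[Rule], policy: str) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target, rule
    return policy, None


def route(pkt: Packet) -> Packet:
    """Constructed routing table: 192.168.1.0/24 lives behind eth1, everything else eth0."""
    out = "eth1" if pkt.dst.startswith("192.168.1.") else "eth0"
    return replace(pkt, out_iface=out)


def traverse(pkt: Packet, nat_prerouting: List[Rule], filter_forward: List[Rule],
             forward_policy: str = "DROP") -> Tuple[str, Packet]:
    """nat PREROUTING -> routing decision -> filter FORWARD, as the kernel does it."""
    verdict, rule = run_chain(pkt, nat_prerouting, "ACCEPT")
    if verdict == "DNAT" and rule is not None and rule.to:
        ip, port = rule.to.rsplit(":", 1)
        pkt = replace(pkt, dst=ip, dport=int(port))   # destination rewritten here
    pkt = route(pkt)                                  # -o is only known from now on
    verdict, _ = run_chain(pkt, filter_forward, forward_policy)
    return verdict, pkt


# $IPT -t nat -A PREROUTING -i eth0 -p tcp -d EXTIP --dport 25 -j DNAT --to MAILSERVIP:25
NAT_PREROUTING = [Rule(in_iface="eth0", proto="tcp", dst=EXTIP, dport=25,
                       target="DNAT", to=f"{MAILSERVIP}:25")]

# The rule as originally posted: matches the pre-NAT address, so it never fires.
FORWARD_WRONG = [Rule(in_iface="eth0", out_iface="eth1", proto="tcp", dst=EXTIP, dport=25)]

# Tom's correction: match the post-NAT address.
FORWARD_RIGHT = [Rule(in_iface="eth0", out_iface="eth1", proto="tcp", dst=MAILSERVIP, dport=25)]


def smtp_from_internet() -> Packet:
    """Constructed inbound packet: Internet host connecting to EXTIP:25 on eth0."""
    return Packet(in_iface="eth0", out_iface=None, proto="tcp", dst=EXTIP, dport=25)


def verdict_for(forward_rules: List[Rule]) -> str:
    verdict, _ = traverse(smtp_from_internet(), NAT_PREROUTING, forward_rules)
    return verdict


if __name__ == "__main__":
    print("FORWARD matching -d EXTIP      :", verdict_for(FORWARD_WRONG))
    print("FORWARD matching -d MAILSERVIP :", verdict_for(FORWARD_RIGHT))
```

With a default DROP policy on FORWARD, the first variant silently discards every inbound SMTP connection even though the DNAT counter keeps climbing; the second lets it through to the mail server. The model deliberately ignores state tracking and the reply path, which the thread does not discuss.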