iptables and hostname

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
9 posts • Page 1 of 1
eclipse99
n00b
Posts: 22
Joined: Sun Oct 03, 2004 10:12 am

iptables and hostname

Post by eclipse99 » Wed Nov 07, 2007 8:29 am

I have a corporate mail server behind a firewall which is a router.

The server's IP is 10.0.0.1; the firewall is 10.0.0.10 and has a static IP address.
I have an MX record in the domain for this static IP.

From outside the network (i.e. the internet) people connect through the mail host name, whereas inside the network they connect through the IP 10.0.0.1.

The problem is that I can't connect to the server from within the network with the mail host name.

The iptables rules are:

Code:

*mangle
:PREROUTING ACCEPT [5191812:3129083933]
:INPUT ACCEPT [244284:33519202]
:FORWARD ACCEPT [4947487:3095562134]
:OUTPUT ACCEPT [197637:27173343]
:POSTROUTING ACCEPT [5145124:3122735477]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

COMMIT
# Completed on Thu Oct  6 22:40:15 2005
# Generated by iptables-save v1.3.1 on Thu Oct  6 22:40:15 2005
*filter
:INPUT DROP [46303:8528866]
:FORWARD ACCEPT [4947487:3095562134]
:OUTPUT ACCEPT [197637:27173343]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT

COMMIT
# Completed on Thu Oct  6 22:40:15 2005
# Generated by iptables-save v1.3.1 on Thu Oct  6 22:40:15 2005
*nat
:PREROUTING ACCEPT [166252:15258689]
:POSTROUTING ACCEPT [1143:61604]
:OUTPUT ACCEPT [303:21952]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.1:25
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.0.1:110
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 995 -j DNAT --to-destination 10.0.0.1:995
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.1:8080
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j SNAT --to-source 10.0.0.1
COMMIT
# Completed on Thu Oct  6 22:40:15 2005
I tried adding a loop inside the network to go to the server:

Code:

-A PREROUTING -i eth1 -p tcp -d [external static ip] --dport 25 -j DNAT --to-destination 10.0.0.1:25
-A PREROUTING -i eth1 -p tcp -d [external static ip] --dport 110 -j DNAT --to-destination 10.0.0.1:110
-A POSTROUTING -o eth1 -j MASQUERADE
This solved the problem and I could reach the server from inside the network with the host name (i.e. ping mail.hostname.com),
but I then got a new problem: packets which reached Postfix were identified as 10.0.0.10 and not their source IP, hence relaying could be done through my server, as Postfix identified all the packets as local packets.

Can it be solved?
Last edited by eclipse99 on Thu Nov 15, 2007 11:06 am, edited 1 time in total.
gerdesj
l33t
Posts: 622
Joined: Thu Sep 29, 2005 1:44 pm
Location: Yeovil, Somerset, UK

Re: iptables and hostname

Post by gerdesj » Thu Nov 08, 2007 11:26 pm

It's a bit difficult to see what is going on, but I think you are reverse NATing external systems rather than just port forwarding. What I mean is that to your Postfix, it appears that external devices are actually your router.

This is a pretty standard setup and should be fairly easy to sort out. What are you using to create the firewall?

Cheers
Jon
eclipse99
n00b
Posts: 22
Joined: Sun Oct 03, 2004 10:12 am

Post by eclipse99 » Sun Nov 11, 2007 10:27 am

Thanks for replying.

I'll simplify it: I want to be able to reach the corporate server by host name (i.e. example.com).
The server does not have DNS and it has some internal host name.
linuxkrn
Tux's lil' helper
Posts: 140
Joined: Mon Oct 13, 2003 3:08 am
Location: Denver,Colorado

Post by linuxkrn » Tue Nov 13, 2007 7:47 pm

Add the server's hostname and IP to your /etc/hosts.

Code:

123.123.123.123     server.domain.com server
The IP must be a publicly routable address. Otherwise, set up a VPN (IPsec, for example).
eclipse99
n00b
Posts: 22
Joined: Sun Oct 03, 2004 10:12 am

Post by eclipse99 » Wed Nov 14, 2007 7:06 am

That's working from the server but not from the clients.

The client queries the DNS server (of the ISP) and gets the external IP (i.e. 123.123.123.123).
It's OK if the client is outside the network, but it's not working if the client is inside the network.
linuxkrn
Tux's lil' helper
Posts: 140
Joined: Mon Oct 13, 2003 3:08 am
Location: Denver,Colorado

Post by linuxkrn » Wed Nov 14, 2007 7:59 pm

You have to add that hosts line to each of the clients. Otherwise, run a local DNS server. :)
eclipse99
n00b
Posts: 22
Joined: Sun Oct 03, 2004 10:12 am

Post by eclipse99 » Thu Nov 15, 2007 11:05 am

Adding the host to the hosts file on the clients is impossible, as they use laptops and some of them take them out of the office, so when they're out they won't be able to reach the mail server.

I thought that modifying the iptables is simpler than running a DNS server, only for that purpose.
I just need to route inside packets to the server, instead of letting them out.

I added this code to the iptables:

Code:

-A PREROUTING -i eth1 -p tcp -d [external static ip] --dport 25 -j DNAT --to-destination 10.0.0.1:25
-A PREROUTING -i eth1 -p tcp -d [external static ip] --dport 110 -j DNAT --to-destination 10.0.0.1:110
-A POSTROUTING -o eth1 -j MASQUERADE
which works fine and solves the problem, but it triggers another problem:

Each packet from outside the network becomes 10.0.0.10 (the firewall's IP) instead of the original IP.
linuxkrn
Tux's lil' helper
Posts: 140
Joined: Mon Oct 13, 2003 3:08 am
Location: Denver,Colorado

Post by linuxkrn » Thu Nov 15, 2007 2:19 pm

Not sure if this is the "best" way to do it... but you could try adding.

-s 10.0.0.0/24 to your DNAT rules.

Or make sure if you have eth0 (internal) you only do NAT rules on that interface.
eclipse99
n00b
Posts: 22
Joined: Sun Oct 03, 2004 10:12 am

Post by eclipse99 » Tue Nov 20, 2007 8:00 am

Thanks for the reply.

I do have ppp0 with NAT:

Code:

-A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.1:25
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.0.1:110
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 995 -j DNAT --to-destination 10.0.0.1:995
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.0.0.1:8080
-A PREROUTING -i eth1 -p tcp -d [external static ip] --dport 25 -j DNAT --to-destination 10.0.0.1:25
-A PREROUTING -i eth1 -p tcp -d [external static ip] --dport 110 -j DNAT --to-destination 10.0.0.1:110
-A PREROUTING -i eth1 -p tcp -d [external static ip] --dport 995 -j DNAT --to-destination 10.0.0.1:995
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o ppp0 -j SNAT --to-source 10.0.0.1
Can't I do NAT on both? Should I do MASQUERADE on both?
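As an added illustration (not code from any poster in this thread), a small Python model of the nat-table path in the ruleset above: it traces an outside SMTP connection arriving on ppp0 and an inside connection to the MX name arriving on eth1 through the DNAT and MASQUERADE rules as posted, then with the eth1 MASQUERADE scoped to hairpin traffic only (`-s 10.0.0.0/24 -d 10.0.0.1 -o eth1`), and shows what source address Postfix ends up seeing in each case. The addresses 203.0.113.5 (standing in for the poster's "[external static ip]"), 198.51.100.7 (an outside sender) and 10.0.0.20 (a LAN laptop) are constructed placeholders.

```python
from dataclasses import dataclass, replace

# Topology from the thread. WAN_IP stands in for the poster's "[external static ip]" (constructed placeholder).
LAN_IF, WAN_IF = "eth1", "ppp0"
LAN_PREFIX = "10.0.0."                      # crude 10.0.0.0/24 membership test
MAIL_SERVER, FIREWALL_LAN, WAN_IP = "10.0.0.1", "10.0.0.10", "203.0.113.5"
MAIL_PORTS = {25, 110, 995}

@dataclass(frozen=True)
class Packet:
    in_if: str      # interface the packet arrived on
    src: str
    dst: str
    dport: int

def prerouting_dnat(p: Packet) -> Packet:
    """nat PREROUTING as posted: the -i ppp0 rules plus the -i eth1 hairpin rules
    both send mail-port traffic aimed at the public address to 10.0.0.1."""
    hairpin = p.in_if == LAN_IF and p.dst == WAN_IP
    if p.dport in MAIL_PORTS and (p.in_if == WAN_IF or hairpin):
        return replace(p, dst=MAIL_SERVER)
    return p

def out_if(p: Packet) -> str:
    return LAN_IF if p.dst.startswith(LAN_PREFIX) else WAN_IF

def postrouting_masq(p: Packet, scoped: bool) -> Packet:
    """nat POSTROUTING. scoped=False is the posted '-o eth1 -j MASQUERADE': it rewrites
    the source of every packet leaving eth1, including DNATed mail from the internet.
    scoped=True models '-s 10.0.0.0/24 -d 10.0.0.1 -o eth1 -j MASQUERADE', which only
    touches LAN-to-server hairpin traffic (the one case where the server's reply must
    come back through the firewall rather than going straight to the client)."""
    if out_if(p) != LAN_IF:
        return p
    if scoped and not (p.src.startswith(LAN_PREFIX) and p.dst == MAIL_SERVER):
        return p
    return replace(p, src=FIREWALL_LAN)   # MASQUERADE: source becomes the eth1 address

def source_seen_by_postfix(p: Packet, scoped: bool) -> str:
    return postrouting_masq(prerouting_dnat(p), scoped).src

def relay_permitted(src: str) -> bool:
    return src.startswith(LAN_PREFIX)   # Postfix default: clients in mynetworks (10.0.0.0/24) may relay

if __name__ == "__main__":
    outside = Packet(WAN_IF, "198.51.100.7", WAN_IP, 25)   # constructed internet sender
    inside = Packet(LAN_IF, "10.0.0.20", WAN_IP, 25)       # constructed LAN laptop using the MX name
    for scoped in (False, True):
        for name, pkt in (("outside", outside), ("inside", inside)):
            seen = source_seen_by_postfix(pkt, scoped)
            print(f"scoped={scoped!s:<5} {name:7} -> postfix sees {seen:14} relay={relay_permitted(seen)}")
```

With the rule as posted, every outside sender reaches Postfix as 10.0.0.10 and is treated as a mynetworks client; with the scoped rule only the LAN hairpin traffic is rewritten, so the mail log and relay checks see the real outside address again.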
© 2001–2026 Gentoo Foundation, Inc.