Firewall Wizards mailing list archives
iptables DNAT issue
From: mike () omnipod com
Date: Fri, 6 Sep 2002 10:33:14 -0400 (EDT)
I am having a recurring issue with DNAT on a linux/iptables based firewall. The setup is reasonably simple, with a few network cards in the fw, one servicing a private network, one for the inet connection and 3 bridged together servicing a DMZ.

The issue is that when I add a DNAT rule (incoming or outgoing), it doesn't want to go away without a reboot. Here is a working example: I forward port 25 incoming to a mail server on the DMZ. OOPS, I mistyped the destination port, and port 25 gets forwarded to port 23 instead (no I didn't really do that). I alter the iptables script to forward correctly, and re-run it (the script in question flushes ALL iptables rules before re-creating them all). I see it is still forwarding to the wrong port, so I manually clear all rules, then rerun the script. Telnetting to port 25 on the firewall from the outside /still/ forwards me to port 23 on the DMZ machine (even though there is no rule to account for this now). If I reboot, this will finally go away.

I thought at first this may be a problem with an established connection sticking around, and the rule not clearing because of this, but netstat on neither the firewall nor the target DMZ machine shows any connections on the forwarded ports, so this seems unlikely (didn't know if that would have been normal anyway).

Relevant info:
  iptables 1.2.5
  kernel 2.4.18
  bridge-utils 0.9.5 (I have had no problems at all w/ bridging but I thought it might be relevant)

DNAT rule (the proper one):

  $IPTABLES -A PREROUTING -t nat -i $EXTERNAL_IF -p tcp -d $EXTERNAL_IP --dport 25 \
      -j DNAT --to $MAIL_SERVER:25
  $IPTABLES -A FORWARD -i $EXTERNAL_IF -p tcp -d $MAIL_SERVER --dport 25 -j ACCEPT

(outside ports are opened with a different rule, but this is known working)

Much thanks in advance.

Mike Culbertson
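Added by the editor, not part of Mike's post or of any reply in the thread: netstat on the firewall will not list forwarded flows, because the firewall never terminates them; on a 2.4 kernel the place to look is the connection-tracking table in /proc/net/ip_conntrack, where each NAT'd flow carries the translated reply tuple it was given when its first packet arrived. The script below parses that format and lists tracked flows whose DNAT target no longer matches the rule currently loaded. The table contents and all addresses are constructed for the example.

```python
import re

# Constructed sample in the /proc/net/ip_conntrack format used by 2.4 kernels:
# proto, proto number, timeout, [TCP state], original tuple, reply tuple, flags.
SAMPLE_CONNTRACK = """\
tcp      6 431990 ESTABLISHED src=198.51.100.7 dst=203.0.113.2 sport=51022 dport=25 src=192.0.2.10 dst=198.51.100.7 sport=23 dport=51022 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=198.51.100.9 dst=203.0.113.2 sport=51100 dport=25 src=192.0.2.10 dst=198.51.100.9 sport=25 dport=51100 [ASSURED] use=1
udp      17 28 src=10.1.1.5 dst=203.0.113.53 sport=4000 dport=53 src=203.0.113.53 dst=10.1.1.5 sport=53 dport=4000 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_entry(line):
    """Return the protocol plus original and reply tuples, or None if unparsable."""
    fields = line.split()
    tuples = TUPLE_RE.findall(line)
    if len(fields) < 3 or len(tuples) != 2:
        return None
    (osrc, odst, osp, odp), (rsrc, rdst, rsp, rdp) = tuples
    return {
        "proto": fields[0],
        "orig": {"src": osrc, "dst": odst, "sport": int(osp), "dport": int(odp)},
        "reply": {"src": rsrc, "dst": rdst, "sport": int(rsp), "dport": int(rdp)},
    }

def is_dnat(entry):
    """A DNAT'd flow replies from an address:port other than the original destination."""
    o, r = entry["orig"], entry["reply"]
    return (o["dst"], o["dport"]) != (r["src"], r["sport"])

def stale_dnat_entries(conntrack_text, external_ip, ext_port, mail_server, int_port):
    """Tracked TCP flows to external_ip:ext_port still mapped somewhere other than
    mail_server:int_port, i.e. flows that keep an old DNAT after the rules changed."""
    stale = []
    for line in conntrack_text.splitlines():
        e = parse_entry(line)
        if e is None or e["proto"] != "tcp" or not is_dnat(e):
            continue
        o, r = e["orig"], e["reply"]
        if (o["dst"], o["dport"]) == (external_ip, ext_port) and \
           (r["src"], r["sport"]) != (mail_server, int_port):
            stale.append((o["src"], o["sport"], r["src"], r["sport"]))
    return stale

if __name__ == "__main__":
    for src, sport, dst, dport in stale_dnat_entries(SAMPLE_CONNTRACK, "203.0.113.2", 25, "192.0.2.10", 25):
        print(f"stale DNAT: {src}:{sport} -> still mapped to {dst}:{dport}")
```

Run against the real file (cat /proc/net/ip_conntrack) rather than the sample; entries that match are the ones that must time out or be removed before the old mapping stops being applied.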