iptables question

Thomas Stivers stivers_t at tomass.dyndns.org
Sat Jul 3 19:24:03 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, Jul 03, 2004 at 05:18:06PM -0500, Gregory Nowak wrote:
> Hi all.
> 
> I am trying to setup iptables to transparently redirect out-bound
> traffic to any host on port 25 to instead go to IP address
> aaa.bbb.ccc.ddd on port 25. So, after doing some searching with
> google, and some playing around, I have the following line in my
> firewall script:
> 
> iptables -t nat -A POSTROUTING -p tcp -o $eth0 --dport 25 -j DNAT
> --to-source aaa.bbb.ccc.ddd

From a quick look at the iptables man page I see:

This target is only valid in the nat table, in the PREROUTING and OUTPUT
chains, and user-defined chains which are only called from those
chains. It specifies that the destination address of the packet should
be modified (and all future packets in this connection will also be
mangled), and rules should cease being examined.

So it looks like you need to put it in prerouting instead of
postrouting.

> When I run my firewall script to make the new changes take effect, I
> get no errors, but I still don't get the desired effect (i.e. doing
> telnet speech.braille.uwo.ca 25, for example, still gives me "Trying
> 129.100.109.30..." instead of "Trying aaa.bbb.ccc.ddd...").

I think if it is done correctly you will get this result, but you should
get the prompt message from aaa.bbb.ccc.ddd.

Remember the "Trying ..." message is coming from telnet, not over the
connection, and as far as telnet is concerned it is connecting to
129.100.109.30. If I understand correctly, this is the essence of
transparency.

> Can someone please show me what I'm doing wrong, because everything
> looks right to me, (although it obviously isn't), and I'm out of
> ideas.

If the above doesn't work, then so am I.

> BTW, I'd prefer to use a full host name in iptables, instead of the IP
> address, however, I get an error when I try that. Am I missing
> something here as well? Thanks for any help in advance.

This host name would be resolved at the time the rules are loaded and
then would not be changed if the DNS records changed. This is likely to
lead to strange behavior eventually.

-- 
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan

Thomas Stivers	e-mail: stivers_t at tomass.dyndns.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA50AT5JK61UXLur0RAjlLAJ9KUPmRHxnvJJrmywm07nH7Hw1RqgCfZXlw
Iqx+Sa/OYG0QQuQKPJCyDGE=
=IrfN
-----END PGP SIGNATURE-----
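Added example, not part of Thomas's or Gregory's mail: a small shell script that generates the SMTP DNAT rules in the two chains the quoted man page text allows. PREROUTING handles traffic forwarded from the LAN; packets the firewall host itself generates (a local telnet to port 25, as in the test above) are only ever seen in the OUTPUT chain, so a rule in PREROUTING alone would not affect them. The script also checks a rule for the two problems in the quoted line (the DNAT target in POSTROUTING, and --to-source, which is an SNAT option) and resolves a hostname once at load time, which is exactly the frozen-at-load behaviour the last paragraph describes. RELAY_HOST, LAN_IF, the 192.0.2.25 address, eth1 and the function names are assumed placeholders. The script only prints the rules; applying them stays a deliberate manual step.

```shell
#!/bin/sh
# Constructed example: generate (never apply) the nat-table rules that
# redirect outbound SMTP (tcp/25) to a single relay. RELAY_HOST and LAN_IF
# are assumed placeholders; 192.0.2.25 is a documentation-range address.
RELAY_HOST="${RELAY_HOST:-192.0.2.25}"
LAN_IF="${LAN_IF:-eth1}"

# Resolve a hostname to one IPv4 address at rule-load time. The address is
# frozen into the rule set: a later DNS change is not picked up until the
# script is re-run, which is why an IP literal is the safer choice.
# An argument that is already dotted-decimal is passed through unchanged.
resolve_ipv4() {
    case "$1" in
        *[!0-9.]*) getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1; exit}' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print the DNAT rules for one relay address, one per line, so they can be
# reviewed or diffed against the running rule set before being applied.
smtp_dnat_rules() {
    relay="$1"
    # Forwarded traffic from the LAN is seen in PREROUTING. Match on the
    # inbound interface: -o is not valid here because no route is chosen yet.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 25 -j DNAT --to-destination %s:25\n' "$LAN_IF" "$relay"
    # Traffic generated on this host (e.g. a local "telnet host 25") never
    # passes PREROUTING; only the nat OUTPUT chain can rewrite it.
    printf 'iptables -t nat -A OUTPUT -p tcp --dport 25 -j DNAT --to-destination %s:25\n' "$relay"
}

# Reject the two mistakes from the quoted rule before anything is applied:
# the DNAT target in POSTROUTING, and --to-source (an SNAT option) with DNAT.
# Prints "ok" or a "bad: ..." reason; the return code mirrors the verdict.
check_rule() {
    case "$1" in
        *" -A POSTROUTING "*"-j DNAT"*) echo "bad: DNAT is not valid in POSTROUTING"; return 1 ;;
        *"-j DNAT"*"--to-source"*)      echo "bad: DNAT takes --to-destination"; return 1 ;;
        *) echo "ok"; return 0 ;;
    esac
}

main() {
    relay_ip=$(resolve_ipv4 "$RELAY_HOST")
    if [ -z "$relay_ip" ]; then
        echo "could not resolve $RELAY_HOST to an IPv4 address" >&2
        exit 1
    fi
    # Emit only rules that pass the sanity check; pipe the output to sh
    # (as root) once it has been reviewed.
    smtp_dnat_rules "$relay_ip" | while IFS= read -r rule; do
        check_rule "$rule" >/dev/null && echo "$rule"
    done
}

main
```

Running the script prints the two rules for the default placeholder relay; feeding the quoted POSTROUTING line to check_rule reports why it can never match.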