iptables question
Igor Gueths
igueths at lava-net.com
Sat Jul 3 19:59:16 EDT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Have you considered using the redirect target and the filter table?
On Sat, Jul 03, 2004 at 06:24:03PM -0500, Thomas Stivers wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> on Sat, Jul 03, 2004 at 05:18:06PM -0500, Gregory Nowak wrote:
> > Hi all.
> >
> > I am trying to setup iptables to transparently redirect out-bound
> > traffic to any host on port 25 to instead go to IP address
> > aaa.bbb.ccc.ddd on port 25. So, after doing some searching with
> > google, and some playing around, I have the following line in my
> > firewall script:
> >
> > iptables -t nat -A POSTROUTING -p tcp -o $eth0 --dport 25 -j DNAT
> > --to-source aaa.bbb.ccc.ddd
>
> - From a quick look at the iptables man page I see:
>
> This target is only valid in the nat table, in the PREROUTING and OUTPUT
> chains, and user-defined chains which are only called from those
> chains. It specifies that the destination address of the packet should
> be modified (and all future packets in this connection will also be
> mangled), and rules should cease being examined.
>
> So it looks like you need to put it in prerouting instead of
> postrouting.
>
> > When I run my firewall script to make the new changes take effect, I
> > get no errors, but I still don't get the desired effect (i.e. doing
> > telnet speech.braille.uwo.ca 25, for example, still gives me "Trying
> > 129.100.109.30..." instead of "Trying aaa.bbb.ccc.ddd...").
>
> I think if it is done correctly you will get this result, but you should
> get the prompt message from aaa.bbb.ccc.ddd
>
> Remember the trying whatever message is coming from telnet not over the
> connection and as far as telnet is concerned it is connecting to
> 129.100.109.30. If I understand correctly this is the essence of
> transparency.
>
> > Can someone please show me what I'm doing wrong, because everything
> > looks right to me, (although it obviously isn't), and I'm out of
> > ideas.
>
> If the above doesn't work then so am I.
>
> > BTW, I'd prefer to use a full host name in iptables, instead of the IP
> > address, however, I get an error when I try that. Am I missing
> > something here as well? Thanks for any help in advance.
>
> This host name would be resolved at the time the rules are loaded and
> then would not be changed if the DNS records changed. This is likely to
> lead to strange behavior eventually.
>
> - --
> "Debugging is twice as hard as writing the code in the first place.
> Therefore, if you write the code as cleverly as possible, you are,
> by definition, not smart enough to debug it." - Brian W. Kernighan
>
> Thomas Stivers e-mail: stivers_t at tomass.dyndns.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFA50AT5JK61UXLur0RAjlLAJ9KUPmRHxnvJJrmywm07nH7Hw1RqgCfZXlw
> Iqx+Sa/OYG0QQuQKPJCyDGE=
> =IrfN
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
- --
Failure is not an option, it comes bundled with your Microsoft product.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFA50hUNohoaf1zXJMRAhsjAJ48IOiBKDmF+MJ/F4yvXeYsXFcjIgCgkiGT
N6S8T/kiB5KzkjNZ5vntoQ4=
=LDzC
-----END PGP SIGNATURE-----
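The quoted man-page text pins down the two things wrong with the original rule: DNAT is accepted only in the nat table's PREROUTING and OUTPUT chains (connections that start on the box itself, such as the telnet test, pass through OUTPUT, never PREROUTING), and --to-source belongs to SNAT, while DNAT takes --to-destination. The script below is an added example, not code from anyone in this thread. It builds the two correct rules and lints a firewall script for the mistakes discussed here, including the hostname-resolved-at-load-time problem. RELAY is a constructed placeholder standing in for aaa.bbb.ccc.ddd, and LAN_IF is an assumed interface name.

```shell
#!/bin/sh
# Added example, not part of the thread: build the port-25 DNAT rules the
# thread is debugging and lint a firewall script for the mistakes it discusses.
# RELAY is a constructed placeholder for aaa.bbb.ccc.ddd (TEST-NET-1 range);
# LAN_IF is an assumed interface name.
RELAY="${RELAY:-192.0.2.25}"
LAN_IF="${LAN_IF:-eth1}"

# Connections that originate on this box (the telnet test in the thread) are
# never seen by PREROUTING; they are NATed in the nat table's OUTPUT chain.
dnat_local_rule() {
    printf 'iptables -t nat -A OUTPUT -p tcp --dport 25 -j DNAT --to-destination %s:25\n' "$1"
}

# Connections forwarded from other hosts enter through PREROUTING. Only -i is
# meaningful there: the output interface is not known before routing.
dnat_forward_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 25 -j DNAT --to-destination %s:25\n' "$1" "$2"
}

# Lint a firewall script on stdin for the problems raised in the thread:
# DNAT outside PREROUTING/OUTPUT, DNAT with --to-source (that option belongs
# to SNAT), SNAT outside POSTROUTING, and a hostname as the NAT target, which
# iptables resolves once at load time and never again. Prints one line per
# finding; the return value is the number of findings (0 = clean).
lint_nat_rules() {
    findings=0
    while IFS= read -r line; do
        case "$line" in *iptables*) ;; *) continue ;; esac
        case "$line" in
            *"-j DNAT"*)
                case "$line" in *POSTROUTING*)
                    echo "DNAT is only valid in PREROUTING/OUTPUT: $line"
                    findings=$((findings + 1)) ;;
                esac
                case "$line" in *--to-source*)
                    echo "DNAT takes --to-destination, not --to-source: $line"
                    findings=$((findings + 1)) ;;
                esac ;;
            *"-j SNAT"*)
                case "$line" in *PREROUTING*|*OUTPUT*)
                    echo "SNAT is only valid in POSTROUTING: $line"
                    findings=$((findings + 1)) ;;
                esac ;;
        esac
        # Pull out the NAT target; anything that is not a dotted-quad (with an
        # optional port or range) is treated as a hostname.
        target=$(printf '%s\n' "$line" | sed -E -n 's/.*--to-(destination|source) +([^ ]+).*/\2/p')
        if [ -n "$target" ] && ! printf '%s\n' "$target" | grep -Eq '^[0-9.]+(-[0-9.]+)?(:[0-9]+(-[0-9]+)?)?$'; then
            echo "NAT target '$target' is a hostname; it is resolved only when the rule is loaded: $line"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Print the rule set for review; apply it as root with: emit_rules | sh
emit_rules() {
    dnat_local_rule "$RELAY"
    dnat_forward_rule "$LAN_IF" "$RELAY"
}
```

Running the original rule through lint_nat_rules reports both the POSTROUTING placement and the --to-source option; feeding it your whole firewall script (lint_nat_rules < firewall.sh) before loading catches the same mistakes in any other NAT rule. As the thread notes, telnet will still print "Trying 129.100.109.30..." once the rules are right, because that message comes from telnet's own resolver; the banner that arrives after the connect is what shows the redirect worked.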