* RE: local DNAT with bind,postfix,and iptables
@ 2003-10-16  6:07 Gaby Schilders
  2003-10-16 22:53 ` Carlo Florendo
  0 siblings, 1 reply; 9+ messages in thread
From: Gaby Schilders @ 2003-10-16  6:07 UTC (permalink / raw)
  To: Carlo Florendo; +Cc: netfilter list

Perhaps I'm out of line here, but there are several ways leading to Rome, as they say here.

1) Postfix trick mentioned by George (and obviously having only one postfix box instead of two with a voodoo-like setup to compensate... ;-)
2) Bind views (show the internal world something different than the outside). This seems to generally be the most standard and most advised way of handling this kind of problem. See the Bind administrator guide at isc.org.
3) Local DNAT has been implemented, but through p-o-m patches (in CVS/snapshots only, afaik), not the standard kernel, and I've never tried it, so I don't know how well it will work. Use the CVS web interface to look at the patches/comments.
4) There was a fourth. It slipped my mind while thinking of the other options and I'll mention it as soon as it comes back to me... :-|

If you need more explanation, do ask, but I'm very busy today/tomorrow so I may not respond before Monday.

Gaby Schilders
IBFD network admin

-----Original Message-----
From: Carlo Florendo [mailto:carlo@hq.astra.ph]
Sent: Thursday 16 October 2003 20:11
To: George Vieira; netfilter@lists.netfilter.org
Subject: Re: local DNAT with bind,postfix,and iptables


----- Original Message -----
From: "George Vieira"

> You must DNAT to the internal IP address, which is what you've already done
> for external to mx.<domain>, and you must do the same for the internal
> clients with one extra step: you must change the source like you do if the
> client were MASQUERADED to the outside world. You must treat the
> mx.<domain> as if it was outside too..
>
> iptables -t nat -A PREROUTING -i <internal_iface> -d 219.21.114.34 \
>     -j DNAT --to 192.168.0.3
>
> # Masquerade the internal client so packets are forced back via the
> firewall
> iptables -t nat -A POSTROUTING -s <internal_subnet> -d 192.168.0.3 \
>     -j SNAT --to 192.168.0.1

I'm sorry for not making myself very clear.  You were actually the one who
taught me how to do this bermuda triangle routing when I long ago posted a
message "DNAT from an IP address that does not exist, etc..."  :)

This solution works if the smtp connection is initiated from any of the
internal hosts but 192.168.0.1.  In this case however, it is 192.168.0.1
that initiates the connection.

The problem is that the smtp server (postfix) which the internal hosts use
is 192.168.0.1.  It is that smtp server which queries bind (DNS) for the mx
entry (bind and postfix are on the same machine).  Since bind returns
219.21.114.34 when postfix queries for the mx entry, postfix tries to
initiate a connection to 219.21.114.34.

However, since 219.21.114.34 is actually 192.168.0.3, the smtp connection
from 192.168.0.1 should be DNATted to 192.168.0.3.  That is, machine
192.168.0.1, the same machine where iptables runs, should DNAT 219.21.114.34
to 192.168.0.3.

In other words, if I do a telnet from 192.168.0.1 to port 25 of
219.21.114.34, there should be a connection.
However, this does not happen.

If I do a telnet to port 25 of 219.21.114.34 from any of the 192.168.0.0/24
machines in the internal network, with the exception of 192.168.0.1, I get a
connection.  Thanks to the solution you posted :)

How is it possible to DNAT 219.21.114.34 from 192.168.0.1 if iptables
runs on 192.168.0.1 itself?

Thanks so much!

Best Regards,

Carlo
------
Carlo Florendo
Astra Philippines Inc.
www.astra.ph



* Re: local DNAT with bind,postfix,and iptables
  2003-10-16  6:07 local DNAT with bind,postfix,and iptables Gaby Schilders
@ 2003-10-16 22:53 ` Carlo Florendo
  0 siblings, 0 replies; 9+ messages in thread
From: Carlo Florendo @ 2003-10-16 22:53 UTC (permalink / raw)
  To: Gaby Schilders; +Cc: netfilter list

> ----- Original Message -----
> From: "Gaby Schilders"
>
> Perhaps I'm out of line here,

No. Not at all :)

> but there are several ways leading to Rome, as they say here.
>
> 1) Postfix trick mentioned by George (and obviously having only one
> postfix box instead of two with a voodoo-like setup to compensate... ;-)
> 2) Bind views (show the internal world something different than the
> outside). This seems to generally be the most standard and most advised
> way of handling this kind of problem. See the Bind administrator guide at
> isc.org.
> 3) Local DNAT has been implemented, but through p-o-m patches (in
> CVS/snapshots only, afaik), not the standard kernel, and I've never tried
> it, so I don't know how well it will work. Use the CVS web interface to
> look at the patches/comments.

Those insights are really useful.  Upon reading what you've mentioned, I
remember split DNS.  The postfix trick by George was also new to me.
However, I don't think I could try the patch soon.


> 4) There was a fourth. It slipped my mind while thinking of the other
> options and I'll mention it as soon as it comes back to me... :-|
>
> If you need more explanation, do ask, but I'm very busy today/tomorrow so
> I may not respond before Monday.

Ok.  Just make sure you post them.  It could be something new and something
I haven't heard of before.
Some might also find that useful.

Thanks!

Best Regards,

Carlo
------
Carlo Florendo
Astra Philippines Inc.
www.astra.ph




* Re: local DNAT with bind,postfix,and iptables
  2003-10-16  2:17 George Vieira
@ 2003-10-16 22:49 ` Carlo Florendo
  0 siblings, 0 replies; 9+ messages in thread
From: Carlo Florendo @ 2003-10-16 22:49 UTC (permalink / raw)
  To: George Vieira, netfilter

Thanks a lot George.  This postfix solution is new to me.  I'll be trying
it out in a few minutes.  But is there any way to do this with iptables?
(Just curious..)


> ----- Original Message -----
> From: "George Vieira"
>
>
> Oh OK.. sorry, must've skipped a line somewhere there..
>
> OK, this is an even simpler solution. Use sendmail's "mailertable" or
> postfix's "transport" to redirect the domain to a different IP..
>
> mailertable use:
> mx.my.company.org esmtp:[192.168.0.3]
>
> postfix use:
> mx.my.company.org smtp:[192.168.0.3]
>
> this affects this server only, and only if mail is sent via
> sendmail/postfix, where this entry overrides the domain's MX in DNS..
>
> this is a mail server resolution and not iptables, if no one noticed.. ;P
>
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@citadelcomputer.com.au
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
> Phone   : +61 2 9955 2644
> HelpDesk: +61 2 9955 2698
>
>

* Re: local DNAT with bind,postfix,and iptables
  2003-10-16  1:09 George Vieira
@ 2003-10-16 18:11 ` Carlo Florendo
  0 siblings, 0 replies; 9+ messages in thread
From: Carlo Florendo @ 2003-10-16 18:11 UTC (permalink / raw)
  To: George Vieira, netfilter

----- Original Message -----
From: "George Vieira"

> You must DNAT to the internal IP address, which is what you've already done
> for external to mx.<domain>, and you must do the same for the internal
> clients with one extra step: you must change the source like you do if the
> client were MASQUERADED to the outside world. You must treat the
> mx.<domain> as if it was outside too..
>
> iptables -t nat -A PREROUTING -i <internal_iface> -d 219.21.114.34 \
>     -j DNAT --to 192.168.0.3
>
> # Masquerade the internal client so packets are forced back via the
> firewall
> iptables -t nat -A POSTROUTING -s <internal_subnet> -d 192.168.0.3 \
>     -j SNAT --to 192.168.0.1

I'm sorry for not making myself very clear.  You were actually the one who
taught me how to do this bermuda triangle routing when I long ago posted a
message "DNAT from an IP address that does not exist, etc..."  :)

This solution works if the smtp connection is initiated from any of the
internal hosts but 192.168.0.1.  In this case however, it is 192.168.0.1
that initiates the connection.

The problem is that the smtp server (postfix) which the internal hosts use
is 192.168.0.1.  It is that smtp server which queries bind (DNS) for the mx
entry (bind and postfix are on the same machine).  Since bind returns
219.21.114.34 when postfix queries for the mx entry, postfix tries to
initiate a connection to 219.21.114.34.

However, since 219.21.114.34 is actually 192.168.0.3, the smtp connection
from 192.168.0.1 should be DNATted to 192.168.0.3.  That is, machine
192.168.0.1, the same machine where iptables runs, should DNAT 219.21.114.34
to 192.168.0.3.

In other words, if I do a telnet from 192.168.0.1 to port 25 of
219.21.114.34, there should be a connection.
However, this does not happen.

If I do a telnet to port 25 of 219.21.114.34 from any of the 192.168.0.0/24
machines in the internal network, with the exception of 192.168.0.1, I get a
connection.  Thanks to the solution you posted :)

How is it possible to DNAT 219.21.114.34 from 192.168.0.1 if iptables
runs on 192.168.0.1 itself?

Thanks so much!

Best Regards,

Carlo
------
Carlo Florendo
Astra Philippines Inc.
www.astra.ph



* local DNAT with bind,postfix,and iptables
  2003-10-14 22:06 DNAT for locally generated packets Carlo Florendo
@ 2003-10-16 16:55 ` Carlo Florendo
  0 siblings, 0 replies; 9+ messages in thread
From: Carlo Florendo @ 2003-10-16 16:55 UTC (permalink / raw)
  To: netfilter

Hello,

I have a box which runs bind, postfix, and iptables (Box A).
This box has 2 interfaces, one facing the net and the other the internal
network.

There's another box behind the firewall that runs postfix and is part of the
internal network (Box B).

Here's the setup.

-------------
|    Internet   |
--------------
        |
        |
        |             host: my.company.org
-------------  Pub. IP: 219.21.114.33
|    Box A    |  runs bind, iptables, postfix
--------------  Pri. IP: 192.168.0.1
        |
        |
------------- host: mx.my.company.org
|    Box  B   | runs postfix
------------- Pri. IP 192.168.0.3

There is an mx entry in bind, in box A, which maps the IP address
219.21.114.34 to mx.my.company.org (Box B).  Although Box B has no interface
that listens as 219.21.114.34, I've done a DNAT from Box A to Box B
so that, when Box A receives a request for 219.21.114.34, it does a DNAT to
192.168.0.3.  This way, Box B can receive the mails which it's supposed to
receive.

This is how it worked:

iptables -t nat -A PREROUTING -i <public_iface> -d 219.21.114.34 \
    -j DNAT --to 192.168.0.3

Now, here's my problem:

Since the hosts on the internal network have their mail clients configured
to use Box A as their smtp server, there should be a way for Box A to
communicate with Box B using 219.21.114.34.

I cannot use Box B's IP 192.168.0.3 since this would break bind.  If I do
this, mail from outside would not reach Box B, since mx requests for
mx.my.company.org would return 192.168.0.3, which is invalid on the
internet.

The only way to do this is for Box A to be able to DNAT to box B using
locally generated connections (that is, connections that would be initiated
by Box A's smtp server).

The howto says that DNAT for locally generated packets is not possible in
2.4 kernels.  Does this still hold true?

Is it possible to DNAT 219.21.114.34 to 192.168.0.3 if connections originate
from 219.21.114.33 (DNAT for locally generated packets)?

This solution obviously does not work:

iptables -t nat -s 127.0.0.1 -d 219.21.114.34 -j DNAT --to 192.168.0.3

Any workarounds?  Thanks!

Best Regards,

Carlo
------
Carlo Florendo
Astra Philippines Inc.
www.astra.ph





* RE: local DNAT with bind,postfix,and iptables
@ 2003-10-16  6:23 Gaby Schilders
  0 siblings, 0 replies; 9+ messages in thread
From: Gaby Schilders @ 2003-10-16  6:23 UTC (permalink / raw)
  To: George Vieira; +Cc: netfilter list

Actually, I was referring to the 1-server setup needing 'voodoo' to get it working in a similar fashion to the current 2-server setup. ;)

I don't judge. Everyone can decide for themselves what's the best solution for their case! :D

(From a security point of view, I've always taken the stance that as little as possible should be running on the firewall. Especially nothing like Bind or a mail-server. It's only my opinion, though.)

Gaby Schilders
IBFD network admin

-----Original Message-----
From: George Vieira [mailto:georgev@citadelcomputer.com.au]
Sent: Thursday 16 October 2003 8:17
To: Gaby Schilders; Carlo Florendo
Cc: netfilter list
Subject: RE: local DNAT with bind,postfix,and iptables


> 1) Postfix trick mentioned by George (and obviously having 
> only one postfix box instead of two with a voodoo-like setup 
> to compensate... ;-)
> 

hey, that ain't voodoo man.. ;P I use this method to stop people going straight to my internal Microstop Exchange box and force them to go through my postfix box, which has a transport file to relay internally but the machine itself.. This enables me to control the mail as well as set up RBL and a free antivirus setup using linux...

Otherwise just put a smart host entry on your sendmail/postfix/firewall box to use the internal server for relaying out.. but I prefer my transport idea... that's what it was made for... ;P he he

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

> -----Original Message-----
> From: Gaby Schilders [mailto:G.Schilders@ibfd.org]
> Sent: Thursday, 16 October 2003 4:08 PM
> To: Carlo Florendo
> Cc: netfilter list
> Subject: RE: local DNAT with bind,postfix,and iptables
> 
> 
> Perhaps I'm out of line here, but there are several ways 
> leading to Rome, as they say here.
> 



* RE: local DNAT with bind,postfix,and iptables
@ 2003-10-16  6:16 George Vieira
  0 siblings, 0 replies; 9+ messages in thread
From: George Vieira @ 2003-10-16  6:16 UTC (permalink / raw)
  To: Gaby Schilders, Carlo Florendo; +Cc: netfilter list

> 1) Postfix trick mentioned by George (and obviously having 
> only one postfix box instead of two with a voodoo-like setup 
> to compensate... ;-)
> 

hey, that ain't voodoo man.. ;P I use this method to stop people going straight to my internal Microstop Exchange box and force them to go through my postfix box, which has a transport file to relay internally but the machine itself.. This enables me to control the mail as well as set up RBL and a free antivirus setup using linux...

Otherwise just put a smart host entry on your sendmail/postfix/firewall box to use the internal server for relaying out.. but I prefer my transport idea... that's what it was made for... ;P he he

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

> -----Original Message-----
> From: Gaby Schilders [mailto:G.Schilders@ibfd.org]
> Sent: Thursday, 16 October 2003 4:08 PM
> To: Carlo Florendo
> Cc: netfilter list
> Subject: RE: local DNAT with bind,postfix,and iptables
> 
> 
> Perhaps I'm out of line here, but there are several ways 
> leading to Rome, as they say here.
> 



* RE: local DNAT with bind,postfix,and iptables
@ 2003-10-16  2:17 George Vieira
  2003-10-16 22:49 ` Carlo Florendo
  0 siblings, 1 reply; 9+ messages in thread
From: George Vieira @ 2003-10-16  2:17 UTC (permalink / raw)
  To: Carlo Florendo, netfilter

Oh OK.. sorry, must've skipped a line somewhere there..

OK, this is an even simpler solution. Use sendmail's "mailertable" or postfix's "transport" to redirect the domain to a different IP..

mailertable use:
mx.my.company.org			esmtp:[192.168.0.3]

postfix use:
mx.my.company.org			smtp:[192.168.0.3]

this affects this server only, and only if mail is sent via sendmail/postfix, where this entry overrides the domain's MX in DNS..

this is a mail server resolution and not iptables, if no one noticed.. ;P

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

> -----Original Message-----
> From: Carlo Florendo [mailto:carlo@hq.astra.ph]
> Sent: Friday, 17 October 2003 4:11 AM
> To: George Vieira; netfilter@lists.netfilter.org
> Subject: Re: local DNAT with bind,postfix,and iptables
> 
> 
> ----- Original Message -----
> From: "George Vieira"
> 
> > You must DNAT to the internal IP address, which is what you've already
> > done for external to mx.<domain>, and you must do the same for the
> > internal clients with one extra step: you must change the source like
> > you do if the client were MASQUERADED to the outside world. You must
> > treat the mx.<domain> as if it was outside too..
> >
> > iptables -t nat -A PREROUTING -i <internal_iface> -d 219.21.114.34 \
> >     -j DNAT --to 192.168.0.3
> >
> > # Masquerade the internal client so packets are forced back via the
> > firewall
> > iptables -t nat -A POSTROUTING -s <internal_subnet> -d 192.168.0.3 \
> >     -j SNAT --to 192.168.0.1
> 
> I'm sorry for not making myself very clear.  You were actually the one
> who taught me how to do this bermuda triangle routing when I long ago
> posted a message "DNAT from an IP address that does not exist, etc..."  :)
> 
> This solution works if the smtp connection is initiated from any of the
> internal hosts but 192.168.0.1.  In this case however, it is 192.168.0.1
> that initiates the connection.
> 
> The problem is that the smtp server (postfix) which the internal hosts
> use is 192.168.0.1.  It is that smtp server which queries bind (DNS) for
> the mx entry (bind and postfix are on the same machine).  Since bind
> returns 219.21.114.34 when postfix queries for the mx entry, postfix tries
> to initiate a connection to 219.21.114.34.
> 
> However, since 219.21.114.34 is actually 192.168.0.3, the smtp connection
> from 192.168.0.1 should be DNATted to 192.168.0.3.  That is, machine
> 192.168.0.1, the same machine where iptables runs, should DNAT
> 219.21.114.34 to 192.168.0.3.
> 
> In other words, if I do a telnet from 192.168.0.1 to port 25 of
> 219.21.114.34, there should be a connection.
> However, this does not happen.
> 
> If I do a telnet to port 25 of 219.21.114.34 from any of the
> 192.168.0.0/24 machines in the internal network, with the exception of
> 192.168.0.1, I get a connection.  Thanks to the solution you posted :)
> 
> How is it possible to DNAT 219.21.114.34 from 192.168.0.1 if iptables
> runs on 192.168.0.1 itself?
> 
> Thanks so much!
> 
> Best Regards,
> 
> Carlo
> ------
> Carlo Florendo
> Astra Philippines Inc.
> www.astra.ph
> 
> 
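
George's transport-map suggestion decides the next hop before any MX lookup happens. What follows is an added example, not from the thread and not Postfix code: a small model of the lookup order transport(5) applies, using the thread's names and addresses over DNS tables constructed inline. Two details matter in practice and are easy to get wrong. The key is the domain part of the recipient address, so the entry must name the domain Box B accepts mail for (in the thread's diagram that may be my.company.org rather than the host name mx.my.company.org). And the square brackets around the next hop are what suppress the MX lookup; without them Postfix treats the next hop as a name to look up an MX for. The `.parent.domain` form is Postfix's way of matching subdomains.

```python
"""
Model of the lookup order a Postfix transport map imposes on one domain.
Added example, not from the thread and not Postfix's own resolver: it
imitates transport(5) semantics (exact domain, then ".parent" entries;
"[host]" means connect to host and skip the MX lookup). DNS tables are
constructed inline from the thread's names and addresses.
"""
from typing import Dict, List, Optional, Tuple

# Constructed DNS answers as Box A's bind hands them out (public view).
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "my.company.org": [(10, "mx.my.company.org")],
}
A_RECORDS: Dict[str, str] = {
    "my.company.org": "219.21.114.33",
    "mx.my.company.org": "219.21.114.34",
}

# /etc/postfix/transport as in George's message (a hash: table after postmap).
TRANSPORT_MAP: Dict[str, str] = {
    "mx.my.company.org": "smtp:[192.168.0.3]",
}


def transport_lookup(domain: str, table: Dict[str, str]) -> Optional[str]:
    """Exact domain first, then ".parent.domain" entries, most specific first."""
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None


def parse_nexthop(entry: str) -> Tuple[str, str, bool]:
    """'smtp:[192.168.0.3]' -> ('smtp', '192.168.0.3', False). The bool says
    whether an MX lookup is still wanted for the next hop; brackets turn it off."""
    transport, _, nexthop = entry.partition(":")
    if nexthop.startswith("[") and nexthop.endswith("]"):
        return transport, nexthop[1:-1], False
    return transport, nexthop, True


def dns_nexthop(name: str) -> Optional[str]:
    """Default delivery: lowest-preference MX, then its address; with no MX
    record, the name's own address (the implicit MX rule)."""
    mxs = sorted(MX_RECORDS.get(name, []))
    host = mxs[0][1] if mxs else name
    return A_RECORDS.get(host)


def resolve(rcpt: str, table: Dict[str, str]) -> Tuple[str, Optional[str], str]:
    """(transport, address to connect to, how it was decided)."""
    domain = rcpt.rpartition("@")[2].lower()
    entry = transport_lookup(domain, table)
    if entry is None:
        return "smtp", dns_nexthop(domain), "dns-mx"
    transport, nexthop, want_mx = parse_nexthop(entry)
    if want_mx:
        return transport, dns_nexthop(nexthop), "transport-map+mx"
    return transport, nexthop, "transport-map-literal"


if __name__ == "__main__":
    for rcpt, table in (("user@mx.my.company.org", TRANSPORT_MAP),
                        ("user@mx.my.company.org", {}),
                        ("user@my.company.org", {})):
        print(rcpt, "->", resolve(rcpt, table))
```

To use a map like this on Box A, put the line in /etc/postfix/transport, run `postmap /etc/postfix/transport`, set `transport_maps = hash:/etc/postfix/transport` in main.cf and run `postfix reload`.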

* RE: local DNAT with bind,postfix,and iptables
@ 2003-10-16  1:09 George Vieira
  2003-10-16 18:11 ` Carlo Florendo
  0 siblings, 1 reply; 9+ messages in thread
From: George Vieira @ 2003-10-16  1:09 UTC (permalink / raw)
  To: Carlo Florendo, netfilter

This is a commonly asked question and the answer is real simple if you think about it..

You must DNAT to the internal IP address, which is what you've already done for external to mx.<domain>, and you must do the same for the internal clients with one extra step: you must change the source like you do if the client were MASQUERADED to the outside world. You must treat the mx.<domain> as if it was outside too..


iptables -t nat -A PREROUTING -i <internal_iface> -d 219.21.114.34 \
    -j DNAT --to 192.168.0.3

# Masquerade the internal client so packets are forced back via the firewall
iptables -t nat -A POSTROUTING -s <internal_subnet> -d 192.168.0.3 \
    -j SNAT --to 192.168.0.1

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

> -----Original Message-----
> From: Carlo Florendo [mailto:carlo@hq.astra.ph]
> Sent: Friday, 17 October 2003 2:56 AM
> To: netfilter@lists.netfilter.org
> Subject: local DNAT with bind,postfix,and iptables
> 
> 
> Hello,
> 
> I have a box which runs bind, postfix, and iptables.  (Box A)
> This box has 2 interfaces.  One facing the net and the other 
> the internal
> network
> 
> There's another box behind the firewall that runs postfix and 
> is part of the
> internal network.  (Box B).
> 
> Here's the setup.
> 
> -------------
> |    Internet   |
> --------------
>         |
>         |
>         |             host: my.company.org
> -------------  Pub. IP: 219.21.114.33
> |    Box A    |  runs bind, iptables, postfix
> --------------  Pri. IP: 192.168.0.1
>         |
>         |
> ------------- host: mx.my.company.org
> |    Box  B   | runs postfix
> ------------- Pri. IP 192.168.0.3
> 
> There is an mx entry in bind, in box A, which maps the IP address
> 219.21.114.34 to mx.my.company.org (Box B).  Although Box B 
> has no interface
> that listens as 219.21.114.34, I've done a DNAT from Box A to Box B
> so that, when Box A receives a request for 219.21.114.34, it 
> does a DNAT to
> 192.168.0.3.  With this way, Box B can
> receive mails which it's supposed to receive.
> 
> This is how it worked:
> 
> iptables -t nat -A PREROUTING -i <public_iface> -d 219.21.114.34 \
>     -j DNAT --to 192.168.0.3
> 
> Now, here's my problem:
> 
> Since the internal network has its mail clients configured 
> to use Box A
> as their smtp server, there should be a way
> for Box A to communicate with Box B using 219.21.114.34.
> 
> I cannot use Box B's IP 192.168.0.3 since this would break 
> bind.  If I do
> this, mail from outside would not reach Box B.
> Since mx requests for mx.my.company.org would return 
> 192.168.0.3 which is
> invalid within the internet.
> 
> The only way to do this is for Box A to be able to DNAT to box B using
> locally generated connections (that is, connections that 
> would be initiated
> by Box A's smtp server).
> 
> The howto says that DNAT for locally generated packets is not 
> possible in
> 2.4 kernels.  Does this still hold true?
> 
> Is it possible to DNAT 219.21.114.34 to 192.168.0.3 if 
> connections originate
> from 219.21.114.33 (DNAT for locally generated packets)?
> 
> This solution obviously does not work:
> 
> iptables -t nat -s 127.0.0.1 -d 219.21.114.34 -j DNAT --to 192.168.0.3
> 
> Any workarounds?  Thanks!
> 
> Thanks!
> 
> Best Regards,
> 
> Carlo
> ------
> Carlo Florendo
> Astra Philippines Inc.
> www.astra.ph
> 
> 
> 
> 
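The following is an added model of the two rules in George's reply (the PREROUTING DNAT and the POSTROUTING SNAT); it is example code written for this page, not netfilter code and not anything posted by a list member. It uses the thread's addresses (219.21.114.34 for the published MX, 192.168.0.3 for Box B, 192.168.0.1 for Box A's internal side) plus a constructed internal client at 192.168.0.50 standing in for <internal_subnet>. It shows why the SNAT rule is needed: Box B and the client share the same LAN, so a reply addressed to the client goes straight to it without passing Box A again, and the client then sees a SYN-ACK from 192.168.0.3 instead of the 219.21.114.34 it connected to.

```python
"""Hairpin-NAT model for the rules in George's reply.

Added example, not netfilter code. A conntrack-style map on Box A records
each NATed connection so that replies coming back through Box A can be
un-NATed; replies that never reach Box A cannot be.
"""
from dataclasses import dataclass, replace

PUBLIC_MX = "219.21.114.34"     # address bind publishes for mx.my.company.org
BOX_B = "192.168.0.3"           # Box B's real (private) address
BOX_A_INT = "192.168.0.1"       # Box A's internal address, the SNAT source
CLIENT = "192.168.0.50"         # constructed internal mail client
INTERNAL_SUBNET = "192.168.0."  # stands in for <internal_subnet>


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reply(self):
        """What the receiving host sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class BoxA:
    """Box A's nat table: PREROUTING DNAT, optional POSTROUTING SNAT, and a
    conntrack-style map from the tuple sent on to Box B back to the tuple
    the client originally sent."""

    def __init__(self, snat):
        self.snat = snat
        self.conntrack = {}

    def prerouting(self, pkt):
        # iptables -t nat -A PREROUTING -i <internal_iface> -d 219.21.114.34 -j DNAT --to 192.168.0.3
        return replace(pkt, dst=BOX_B) if pkt.dst == PUBLIC_MX else pkt

    def postrouting(self, pkt):
        # iptables -t nat -A POSTROUTING -s <internal_subnet> -d 192.168.0.3 -j SNAT --to 192.168.0.1
        if self.snat and pkt.dst == BOX_B and pkt.src.startswith(INTERNAL_SUBNET):
            return replace(pkt, src=BOX_A_INT)
        return pkt

    def forward(self, pkt):
        """A client packet traverses PREROUTING, routing, then POSTROUTING."""
        out = self.postrouting(self.prerouting(pkt))
        self.conntrack[out.key()] = pkt.key()
        return out

    def un_nat(self, reply):
        """Reverse the mapping for a reply from Box B; None if no state matches."""
        orig = self.conntrack.get(reply.reply().key())
        if orig is None:
            return None
        return Packet(*orig).reply()


def simulate(snat):
    """Return (handshake_ok, packet the client actually sees) for a SYN from
    the client to the published MX address, with or without the SNAT rule."""
    fw = BoxA(snat=snat)
    syn = Packet(CLIENT, 40000, PUBLIC_MX, 25)
    at_box_b = fw.forward(syn)
    syn_ack = at_box_b.reply()
    # Box B and the client sit on the same LAN segment: a reply addressed to
    # the client is delivered directly and never crosses Box A's nat table.
    # Only a reply addressed to Box A itself can be un-NATed.
    seen = fw.un_nat(syn_ack) if syn_ack.dst == BOX_A_INT else syn_ack
    ok = seen is not None and seen.key() == syn.reply().key()
    return ok, seen


if __name__ == "__main__":
    for snat in (False, True):
        ok, seen = simulate(snat)
        print(f"SNAT={snat}: handshake_ok={ok}, client sees reply from {seen.src}")
```

Without the SNAT rule the client's TCP stack receives a SYN-ACK from 192.168.0.3:25 for a connection it opened to 219.21.114.34:25, so it has no matching socket and the connection never establishes; with the SNAT rule Box B answers 192.168.0.1, Box A rewrites the reply back to 219.21.114.34 and the client sees exactly the peer it asked for.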


