On 9/25/07, Aleksander Kamenik <[EMAIL PROTECTED]> wrote:
>
> Indunil Jayasooriya wrote:
> > FIRST firewall (its internet ip address - 1.2.3.4/29) I have added the
> > rule below.
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
> >
> > That should forward port 25 to the SECOND firewall. On the SECOND firewall,
> > I have added the 2 rules below.
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
> >
> > iptables -A FORWARD -p tcp -d 192.168.100.3
> > --dport 25 -m state --state NEW -j ACCEPT
>
> First run tcpdump* or the like on the smtp box to see that incoming
> packets arrive. If they don't, see if they arrive on 2.3.4.5 etc.
>
> If they arrive at the destination see how much they go back (tcpdump on
> the firewall boxes).
>
> Btw, assuming both of your firewall boxes have similar iptables
> rulesets, shouldn't the first one also have a -t filter -A FORWARD ...
> -j ACCEPT rule?

No filter rule has been specified.


> Make sure you also have the ESTABLISHED,RELATED -j
> ACCEPT rules.

I have not added it to the prerouting chain. I added it just now.
The forward, input and output chains have it.

> And have you made sure that the smtp box accepts connections from
> anywhere?

It is behind my second firewall. It is in the DMZ zone.
Yes, it accepts connections from anywhere. Let's say I telnet to port
25 as below,

telnet 2.3.4.5 25

it accepts, it works.

Now what I need is this: I want to telnet to the first firewall; then it
will forward to the second firewall, and the second firewall will forward
to the actual mail server.


> Is your MTA listening on the external interface?

eth0 is the internet IP of the firewall. eth1 is connected to the mail server.

>
> * - tcpdump -i eth0 port 25
>
> Regards,
>
> --
> Aleksander Kamenik
> system administrator
> +372 6659 649
> [EMAIL PROTECTED]
>
> Krediidiinfo AS
> http://www.krediidiinfo.ee/
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>



-- 
Thank you
Indunil Jayasooriya
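The two-hop forward discussed in this thread, written out as one script. This is an added example, not code from either poster. The addresses, interface names and the second firewall's two rules are taken from the thread; the FORWARD ACCEPT on the first firewall is the rule Aleksander asked about, and the ESTABLISHED,RELATED rules are the ones Indunil says he has. The POSTROUTING SNAT rule on the first firewall is an assumption: it is only needed if 2.3.4.5 would otherwise answer the client directly instead of sending its replies back through the first firewall. The `dryrun` backend, `count_rules` and the `fw1`/`fw2`/`dry` arguments are conveniences of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: complete rulesets for the two-hop
# DNAT (1.2.3.4 -> 2.3.4.5 -> 192.168.100.3, tcp/25) with the pieces the
# thread found missing. Run with IPT=dryrun (or "sh fw.sh dry") to print
# the rules instead of installing them.

IPT="${IPT:-iptables}"

FW1_PUBLIC=1.2.3.4      # first firewall, eth0 (internet side)
FW2_PUBLIC=2.3.4.5      # second firewall, eth0
MAIL=192.168.100.3      # MTA in the DMZ behind the second firewall (eth1)

# Dry-run backend: print the iptables command line instead of running it.
dryrun() {
    printf 'iptables %s\n' "$*"
}

# Stateful baseline both boxes need. nat/PREROUTING only sees the first
# packet of a connection; every packet still traverses filter/FORWARD, so
# the replies must be let through there, and the box itself must accept
# replies to its own traffic.
stateful_base() {
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# First firewall. The thread's first box had only the DNAT rule; after the
# destination is rewritten to 2.3.4.5 the packet is routed and then filtered
# in filter/FORWARD, which needs an ACCEPT for the NEW flow.
fw1_rules() {
    stateful_base
    $IPT -t nat -A PREROUTING -i eth0 -p tcp -d "$FW1_PUBLIC" --dport 25 \
        -j DNAT --to-destination "$FW2_PUBLIC:25"
    $IPT -A FORWARD -i eth0 -p tcp -d "$FW2_PUBLIC" --dport 25 \
        -m state --state NEW -j ACCEPT
    # Assumption (not stated in the thread): if 2.3.4.5 can reach the client
    # directly, its SYN/ACK would leave with source 2.3.4.5 and bypass this
    # box; the client connected to 1.2.3.4 and would drop it. Source-NAT the
    # hop so the reply comes back through this firewall and is un-DNATed.
    $IPT -t nat -A POSTROUTING -p tcp -d "$FW2_PUBLIC" --dport 25 \
        -j SNAT --to-source "$FW1_PUBLIC"
}

# Second firewall: the two rules posted in the thread plus the baseline.
fw2_rules() {
    stateful_base
    $IPT -t nat -A PREROUTING -i eth0 -p tcp -d "$FW2_PUBLIC" --dport 25 \
        -j DNAT --to-destination "$MAIL:25"
    $IPT -A FORWARD -i eth0 -o eth1 -p tcp -d "$MAIL" --dport 25 \
        -m state --state NEW -j ACCEPT
}

# Number of rules a ruleset function would install, taken from a dry run in
# a subshell so the caller's IPT is left alone.
count_rules() {
    (IPT=dryrun; "$1") | grep -c -- ' -A '
}

# Where to look if it still fails, hop by hop (the tcpdump check from the
# thread, one capture per box):
#   fw1:  tcpdump -ni eth0 port 25            # SYN in; SYN to 2.3.4.5 out?
#   fw2:  tcpdump -ni eth0 port 25            # SYN from the first box arriving?
#   fw2:  tcpdump -ni eth1 port 25            # SYN to the MTA, SYN/ACK back?
#   both: cat /proc/sys/net/ipv4/ip_forward   # must be 1

case "${1:-}" in
    fw1) fw1_rules ;;
    fw2) fw2_rules ;;
    dry) IPT=dryrun; fw1_rules; echo; fw2_rules ;;
esac
```

`sh fw.sh dry` prints both rulesets for review; `sh fw.sh fw1` and `sh fw.sh fw2` append them on the respective box. Two caveats. If the first firewall's FORWARD policy is already ACCEPT, the missing rule is not the cause and the per-hop tcpdump is the next step. And with the SNAT rule in place the MTA sees every outside sender as 1.2.3.4, so its relay and access controls must not treat that address as trusted; if the return path already runs through the first firewall, drop the SNAT rule and keep the MTA's view of the real client address.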