Thread: DNAT Problems

DNAT Problems
user name
2006-04-24 18:22:25
Greetings All:

I have what I think is a simple firewall
configuration.  All our hosts reside on the internal
side of our network and we punch holes to allow access
to servers that provide internet-based content (i.e.
Web servers, e-mail servers, and Database server).

For some reason my firewall was working fine until a
reboot and now none of the DNAT is working.  The most
important thing is that the e-mail server is not
receiving mail, it sends just fine.  Also no one can
access squirrel mail, again works fine internally.

Here is my configuration; any help is appreciated.
Thanks in advance, IPTABLES Gurus.

------------------------------------------------------
# Generated by iptables-save v1.3.4 on Sat Apr  8 02:03:03 2006
*raw
:PREROUTING ACCEPT [69187:15784837]
:OUTPUT ACCEPT [46891:5730774]
COMMIT
# Completed on Sat Apr  8 02:03:03 2006
# Generated by iptables-save v1.3.4 on Sat Apr  8 02:03:03 2006
*nat
:PREROUTING ACCEPT [6384:872118]
:POSTROUTING ACCEPT [156:10133]
:OUTPUT ACCEPT [1681:126170]
-A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 25 -j DNAT --to-destination 192.168.150.20
-A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 110 -j DNAT --to-destination 192.168.150.20
-A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 143 -j DNAT --to-destination 192.168.150.20
-A PREROUTING -d 1.1.1.200 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 192.168.150.200
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
# Completed on Sat Apr  8 02:03:03 2006
# Generated by iptables-save v1.3.4 on Sat Apr  8 02:03:03 2006
*mangle
:PREROUTING ACCEPT [69187:15784837]
:INPUT ACCEPT [48202:5793791]
:FORWARD ACCEPT [18360:9358860]
:OUTPUT ACCEPT [46891:5730774]
:POSTROUTING ACCEPT [65251:15089634]
COMMIT
# Completed on Sat Apr  8 02:03:03 2006
# Generated by iptables-save v1.3.4 on Sat Apr  8 02:03:03 2006
*filter
:INPUT ACCEPT [5310:385325]
:FORWARD ACCEPT [2955:564452]
:OUTPUT ACCEPT [43086:5176570]
:openvpn - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 220.193.98.15 -j DROP
-A INPUT -s 82.127.9.42 -j DROP
-A INPUT -s 82.226.217.40 -j DROP
-A INPUT -s 207.212.29.73 -j DROP
-A INPUT -s 213.154.72.195 -j DROP
-A INPUT -s 221.169.125.102 -j DROP
-A INPUT -s 218.202.223.238 -j DROP
-A INPUT -s 213.175.92.222 -j DROP
-A INPUT -s 210.228.173.152 -j DROP
-A INPUT -s 219.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 220.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 221.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 210.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 211.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 200.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 218.0.0.0/255.0.0.0 -j DROP
-A FORWARD -i tun0 -j openvpn
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 110 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 143 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.150.200 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
http://mail.yahoo.com 


DNAT Problems
user name
2006-04-24 20:04:16
nat PREROUTING is ok.
filter FORWARD is ok.

Well, the rules sound good to me.

You said that all was working fine before a reboot. Did you install
some hardware in this machine? Were all interfaces (eth0, eth1)
correctly configured after the reboot?

And try to follow the traffic using tcpdump on interfaces eth0 and eth1.

On 4/24/06, Davis Sylvester <dsylvesteriiiyahoo.com> wrote:
>
> For some reason my firewall was working fine until a
> reboot and now none of the DNAT is working.  The most
> important thing is that the e-mail server is not
> receiving mail, it sends just fine.  Also no one can
> access squirrel mail, again works fine internally.
>

> *nat
> :PREROUTING ACCEPT [6384:872118]
> :POSTROUTING ACCEPT [156:10133]
> :OUTPUT ACCEPT [1681:126170]
> -A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 25 -j DNAT --to-destination 192.168.150.20
> -A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 110 -j DNAT --to-destination 192.168.150.20
> -A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 143 -j DNAT --to-destination 192.168.150.20
> -A PREROUTING -d 1.1.1.200 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 192.168.150.200

> :FORWARD ACCEPT [2955:564452]

> -A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
> -A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 110 -m state --state NEW -j ACCEPT
> -A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 143 -m state --state NEW -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -d 192.168.150.200 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT

DNAT Problems
user name
2006-04-25 07:29:38
Hi Davis,

Are the packet counters on any of the NAT rules incrementing?  Try running:

watch -d -n 1 iptables -L -vnt nat

Then try making connections to the webserver from outside your network.
You should see the packet counters increasing when you make the
connection.

Also, it doesn't look like you are dropping packets anywhere in your
firewall (other than those INPUT rules).  Usually, you set the
filter::INPUT and FORWARD policies to DROP and use rules in those chains
to allow traffic that meets your security requirements.  Set policies
with the command:
iptables -P INPUT DROP
iptables -P FORWARD DROP

Don't make this change yet!  Figure out the DNAT problem first.  If the
counters aren't increasing, try inserting a more generic rule like:

iptables -t nat -A PREROUTING -d 1.1.1.25
(Notice no -j TARGET, it's just a packet counting rule)
If that matches, make it more complex:
iptables -t nat -A PREROUTING -d 1.1.1.25 -p tcp --dport 25
And so on...

Good Luck!

Matt

On 4/24/06, Davis Sylvester <dsylvesteriiiyahoo.com> wrote:
> Greeting All:
>
> I have what I think is a simple firewall
> configuration.  All our hosts reside on the internal
> side of our network and we punch holes to allow access
> to servers that provide internet-based content (i.e.
> Web servers, e-mail servers, and Database server).
>
> For some reason my firewall was working fine until a
> reboot and now none of the DNAT is working.  The most
> important thing is that the e-mail server is not
> receiving mail, it sends just fine.  Also no one can
> access squirrel mail, again works fine internally.
>
> Here is my configuration any help is appreciated.
> Thanks in advance IPTABLES Gurus.
>
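Matt's counter check, scripted: this is an added example, not code from the thread. It diffs two snapshots of the nat PREROUTING chain taken around a test connection from outside and lists the DNAT rules whose packet counter never moved; the snapshots embedded here are constructed sample output in the format of iptables -t nat -vnxL PREROUTING, shaped like the poster's four rules (on a live firewall you would capture them with that command, which needs root).

```shell
#!/bin/sh
# Added example (not from the thread): automate the "are the counters
# incrementing?" check.  Snapshot the nat PREROUTING chain before and after
# a test connection, then list DNAT rules whose pkts counter did not move.
# Live snapshot command:  iptables -t nat -vnxL PREROUTING
# (-x prints exact counters; without it iptables abbreviates to 15K etc.)
# BEFORE/AFTER below are constructed sample output in that format.

BEFORE='Chain PREROUTING (policy ACCEPT 6384 packets, 872118 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:25 to:192.168.150.20
       0          0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:110 to:192.168.150.20
       0          0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:143 to:192.168.150.20
      12        720 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.200            tcp spts:1024:65535 dpt:80 to:192.168.150.200'

AFTER='Chain PREROUTING (policy ACCEPT 6391 packets, 872530 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:25 to:192.168.150.20
       0          0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:110 to:192.168.150.20
       0          0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:143 to:192.168.150.20
      15        900 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.200            tcp spts:1024:65535 dpt:80 to:192.168.150.200'

# stalled_dnat BEFORE AFTER: print one line per DNAT rule whose pkts counter
# is identical in both snapshots.  A rule is identified by its destination
# plus match text (fields 9..NF), which is stable while the counters change.
stalled_dnat() {
    b=$(mktemp) && a=$(mktemp) || return 1
    printf '%s\n' "$1" > "$b"
    printf '%s\n' "$2" > "$a"
    awk '
        $3 != "DNAT" { next }                 # skip chain and column headers
        {
            key = $9
            for (i = 10; i <= NF; i++) key = key " " $i
        }
        FNR == NR { before[key] = $1; next }  # first file: remember counts
        (key in before) && before[key] + 0 == $1 + 0 {
            printf "%s (pkts %s -> %s)\n", key, before[key], $1
        }
    ' "$b" "$a"
    rm -f "$b" "$a"
}

stalled_dnat "$BEFORE" "$AFTER"
```

With the sample data the three mail rules are reported as stalled while the web rule (12 -> 15 packets) is not, which is exactly the split Matt's watch command would show.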
