IP Firewall config question

lctn · March 27, 2008, 2:53pm

I have a private IP on ether1, and am nating to a public on eth2. I have added several other public IPs to eth2 for servers that need to be accessed from the Internet. This part is working fine. From eth1 I can ping the public IPs, but I cannot access services, specifically telneting to port 25. Public servers can reach port 25 just fine. What do I need to add or change , so private IPs on eth1 can access port 25 on eht2 public IPs?

I am using dst-nat statements for private to public mappings.

jwcn · April 7, 2008, 5:11pm

Post your configuration

lctn · April 7, 2008, 6:04pm

Flags: X - disabled, I -
0 chain=srcnat out-interface=ether2 action=masquerade

1 chain=srcnat out-interface=ether2 action=masquerade

2 chain=dstnat dst-address=pu.bl.ic.6 protocol=tcp dst-port=5900
action=dst-nat to-addresses=10.10.4.70 to-ports=5900

3 chain=dstnat dst-address=pu.bl.ic.3 protocol=tcp dst-port=25
src-address-list=10.10.0.0/16 pu.bl.ic.0/224 action=dst-nat
to-addresses=10.10.4.13 to-ports=25

4 chain=dstnat dst-address=pu.bl.ic.3 protocol=tcp dst-port=22
action=dst-nat to-addresses=10.

5 chain=dstnat dst-address=pu.bl.ic.3 protocol=tcp dst-port=21
action=dst-nat to-addresses=10.10.4.21 to-ports=21

6 chain=dstnat dst-address=pu.bl.ic.3 protocol=tcp dst-port=10000
action=dst-nat to-addresses=10.10.4.21 to-ports=10000

7 chain=dstnat dst-address=pu.bl.ic.3 protocol=tcp dst-port=80
action=dst-nat to-addresses=10.10.4.21 to-ports=80

8 chain=dstnat dst-address=pu.bl.ic.6 protocol=tcp dst-port=9101-9103
action=dst-nat to-addresses=10.10.4.1 to-ports=9101-9103

9 chain=dstnat dst-address=pu.bl.ic.3 protocol=tcp dst-port=143
action=dst-nat to-addresses=10.10.4.13 to-ports=143

10 chain=dstnat dst-address=pu.bl.ic.6 protocol=tcp dst-port=5222-5223
action=dst-nat to-addresses=10.10.4.1 to-ports=5222-5223

11 chain=dstnat dst-address=pu.bl.ic.6 protocol=tcp dst-port=80
action=dst-nat to-addresses=10.10.4.1 to-ports=80

12 chain=dstnat dst-address=pu.bl.ic.3 protocol=tcp dst-port=993
action=dst-nat to-addresses=10.10.4.13 to-ports=993

13 chain=dstnat dst-address=pu.bl.ic.3 protocol=tcp dst-port=443
action=dst-nat to-addresses=10.10.4.13 to-ports=443

14 chain=dstnat dst-address=pu.bl.ic.3 protocol=tcp dst-port=7070-7071
action=dst-nat to-addresses=10.10.4.13 to-ports=7070-7071

15 chain=dstnat dst-address=pu.bl.ic.24 protocol=tcp dst-port=25
action=dst-nat to-addresses=10.10.4.11 to-ports=25

16 chain=dstnat dst-address=pu.bl.ic.24 protocol=tcp dst-port=80
action=dst-nat to-addresses=10.10.4.11 to-ports=80

17 chain=dstnat dst-address=pu.bl.ic.24 protocol=tcp dst-port=9103
action=dst-nat to-addresses=10.10.4.11 to-ports=9103

18 chain=dstnat dst-address=pu.bl.ic.11 protocol=tcp dst-port=25
action=dst-nat to-addresses=10.10.4.19 to-ports=25

19 chain=dstnat dst-address=pu.bl.ic.18 protocol=tcp dst-port=80
action=dst-nat to-addresses=10.10.4.19 to-ports=80

20 chain=dstnat dst-address=pu.bl.ic.11 protocol=tcp dst-port=10000
action=dst-nat to-addresses=10.10.4.19 to-ports=10000

21 chain=dstnat dst-address=pu.bl.ic.18 protocol=tcp dst-port=25
action=dst-nat to-addresses=10.10.4.19 to-ports=25

22 chain=dstnat dst-address=pu.bl.ic.18 protocol=tcp dst-port=10000
action=dst-nat to-addresses=10.10.4.19 to-ports=10000

23 chain=dstnat dst-address=pu.bl.ic.11 protocol=tcp dst-port=80
action=dst-nat to-addresses=10.10.4.19 to-ports=80

24 chain=dstnat dst-address=pu.bl.ic.4 protocol=tcp dst-port=25
action=dst-nat to-addresses=10.10.4.19 to-ports=25

25 chain=dstnat dst-address=pu.bl.ic.4 protocol=tcp dst-port=80
action=dst-nat to-addresses=10.10.4.19 to-ports=80

26 chain=dstnat dst-address=pu.bl.ic.4 protocol=tcp dst-port=10000
action=dst-nat to-addresses=10.10.4.19 to-ports=10000

27 chain=dstnat dst-address=pu.bl.ic.4 protocol=tcp dst-port=9101
action=dst-nat to-addresses=10.10.4.1 to-ports=9101

28 chain=dstnat dst-address=pu.bl.ic.4 protocol=tcp dst-port=9103
action=dst-nat to-addresses=10.10.4.1 to-ports=9103

29 chain=dstnat dst-address=pu.bl.ic.22 protocol=tcp dst-port=80
action=dst-nat to-addresses=10.10.4.5 to-ports=80

jwcn · April 8, 2008, 3:23am

Try disabling the rules and see if it corrects the issue. If it does bring them back one by one until you find the problem. Any reason for the duplic Masq rule at the beginning?