Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] iptables question
  • From: Ferdinand Schmid <fschmid@xxxxxxxxxxxxxx>
  • Date: Fri, 27 Sep 2002 10:40:49 -0600
  • Message-id: <3D948A11.8070003@xxxxxxxxxxxxxx>
GentooRulez wrote:
> The problem is not iptables, but the routing.
> A short excursus.
> The subnet mask connected with an IP address determines
> whether another IP should be reachable via the standard gateway
> or directly through a certain NIC.
> For example (only 1 NIC in your box)
> means a subnet mask of so if
> the routing part of your kernel has to reach it does the
> following:
> own ip AND = 192.168.1
> other ip AND = 192.168.2
> If the results differ, the routing routine decides to take the standard
> gateway.
> To be more precise: any box in your network will
> not be routed through your standard gateway according to the above
> description. For example, you want to reach the mail server.
> and =
> and =
> The results DON'T differ, so the kernel will send packets directly.
> Solution:
> add extra routes for e.g. the mail server
> route add netmask gw your.ext.ip.addr

Thanks for the info. I am not quite sure if I understand your answer correctly:

Say my network is

on machine I try to establish a connection to world.ip.addr.mailserver

Then the kernel on should route this connection through the default gateway, which happens to be the DMZ router. So I would expect my packets to go to the DMZ router and get lost there.

NAT is set up on that machine and it routes all packets to the smtp port to the mail server.

iptables -t nat -A PREROUTING -p tcp -d $MailIP --dport 25 -j DNAT --to-destination $dmzMailIP
iptables -t nat -A POSTROUTING -s $dmzMailIP -p tcp --sport 25 -o $extIF -j SNAT --to-source $MailIP

Now I see my problem - it sends the response out the external interface and not back through the dmz interface :)

I still don't know how to fix this though. Your suggestion of specifying routes to certain world addresses would work - but I would prefer configuring everything through the dmz router for maintenance reasons.

BTW: Why do you want to do so - logging purposes?

I would like to create an environment that allows html and server side code to work the same, no matter if it is visited by an outside person or by a developer who gets to the dmz from an internal network. The internal network is connected through a firewall that connects straight into the dmz.

Ferdinand Schmid
Architectural Energy Corporation
Celebrating 20 Years of Improving Building Energy Performance
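The routing rule GentooRulez describes (AND both addresses with the netmask; equal results mean direct delivery, otherwise the standard gateway) and the asymmetric path Ferdinand spots above can be modelled in a few lines. The following is an added example, not code from either poster; all addresses are constructed stand-ins for the values elided from the thread ($MailIP, $dmzMailIP and the DMZ router's address are assumptions), and the "host route" variant is one assumed way to apply the "extra routes" idea, not something the thread itself lays out.

```python
import ipaddress

# Constructed addresses for illustration; the thread's own values were elided.
DMZ_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_ROUTER = ipaddress.ip_address("192.168.1.1")    # DMZ router, default gateway for DMZ hosts
DMZ_MAIL = ipaddress.ip_address("192.168.1.25")     # stands in for $dmzMailIP
DMZ_CLIENT = ipaddress.ip_address("192.168.1.10")   # a DMZ host contacting the mail server
MAIL_PUBLIC = ipaddress.ip_address("203.0.113.25")  # stands in for $MailIP (world-visible)


def same_subnet(own_ip, other_ip, mask):
    """The rule from the quoted post: AND both addresses with the netmask.
    Equal results mean the destination is on the local link (direct delivery);
    different results mean the packet goes to the standard gateway."""
    m = int(ipaddress.ip_address(mask))
    return (int(ipaddress.ip_address(own_ip)) & m) == (int(ipaddress.ip_address(other_ip)) & m)


def next_hop(dst, routes, default_gw):
    """The same rule generalised to a route table: the longest matching prefix
    wins, so a host route (/32) overrides the connected-subnet route.
    A gateway of None means 'send directly through the NIC'."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return default_gw if best is None else best[1]


# Every DMZ host starts with only the connected route for the DMZ subnet.
CLIENT_ROUTES = [(DMZ_NET, None)]
MAIL_ROUTES = [(DMZ_NET, None)]


def fixed_mail_routes():
    """Assumed variant of the 'extra routes' idea: a host route on the mail
    server that sends traffic for the client back through the DMZ router."""
    return MAIL_ROUTES + [(ipaddress.ip_network(f"{DMZ_CLIENT}/32"), DMZ_ROUTER)]


def forward_path():
    """Client -> $MailIP: the public address is off-subnet, so the packet goes
    to the DMZ router, whose PREROUTING DNAT rewrites the destination."""
    hop = next_hop(MAIL_PUBLIC, CLIENT_ROUTES, DMZ_ROUTER)
    path = [str(DMZ_CLIENT), str(hop)]
    if hop == DMZ_ROUTER:
        path.append(f"DNAT {MAIL_PUBLIC}->{DMZ_MAIL}")
        path.append(str(DMZ_MAIL))
    return path


def reply_path(mail_routes=MAIL_ROUTES):
    """Mail server -> client. With only the connected route the reply is
    delivered directly (same subnet) and never crosses the router, so nothing
    restores $MailIP as the source: the client sees a reply from an address it
    never contacted. With a host route the reply goes back via the router,
    where the DNAT can be reversed."""
    hop = next_hop(DMZ_CLIENT, mail_routes, DMZ_ROUTER)
    if hop is None:
        return [str(DMZ_MAIL), "direct (bypasses router, source not rewritten)", str(DMZ_CLIENT)]
    return [str(DMZ_MAIL), str(hop), f"reverse DNAT {DMZ_MAIL}->{MAIL_PUBLIC}", str(DMZ_CLIENT)]


if __name__ == "__main__":
    print("same subnet? ", same_subnet(DMZ_CLIENT, DMZ_MAIL, "255.255.255.0"))
    print("forward:      ", " -> ".join(forward_path()))
    print("reply:        ", " -> ".join(reply_path()))
    print("reply (fixed):", " -> ".join(reply_path(fixed_mail_routes())))
```

Running it prints the forward path through the router and the reply path going direct, which is exactly the mismatch described in the message: the DNAT happens on the way in, but the reply never passes the box that could undo it.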
