On 1 Feb 99, at 12:39, Chris Y. wrote about
    "[masq] IP Port Forwarding":

| I am hoping that someone can help me out on what I might do in order to
| fix this situation.

I hope someone knowledgeable will jump in here, because I'd like to 
do the same kind of setup while migrating from ISDN to DSL.

| I have a firewall with 3 NICs in it.
| 
| Eth0 -> Is a high speed (dhcp based) cable modem connection (24.x.x.x)
| Eth1 -> ISDN Link (139.143.42.x)
| Eth2 -> Internal Lan (10.x.x.x)
| 
| Eth0 is my default gateway for my firewall (masq) so that the desktops get
| high speed net access.
| 
| Eth1 is the IP address of my current mail server (which is moved to
| 10.0.0.3).
| 
| I have set up port forwarding on my eth1 interface for ports 25 & 110 (smtp
| & pop3) -> 10.0.0.3
| 
| ipportfw -A -t 139.143.42.228/25 -R 10.0.0.3/25
| and the same for 110

Port forwarding initializes a masq table entry for the reply...

| Now what happens (or seems to) is that the packet is passed through to the
| mail server, but when the mail server responds it sends it out the
| firewall's default gw which of course is not a valid response to the
| previous query.

It seems to me it should not matter that the reply reaches the 
external client via a different route.  So if it doesn't work, it 
implies that the reply is being masqueraded with the IP associated 
with eth0, and the client sees an unexpected source IP.  But 
shouldn't the masquerade entry set up by IPPORTFW cause the correct 
source address to be filled in?

Another possibility is that masquerading is doing all it can, but 
your ISP (or an upstream router) is dropping the packets because they 
appear to be spoofed (technically, they *are* spoofed).

| So I would like all items that are forwarded through the eth1 device to go
| back out that device masq as 139.143.42.228.

As for actually routing the masqueraded reply through the eth1 
interface, is that even possible?  Can the masquerade logic override 
the default route?

|...

- Fred Viles <mailto:[EMAIL PROTECTED]>
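
An added example, not part of the original message: a small Python model of the reply path discussed above, showing where a destination-only route lookup sends the forwarded reply and how an upstream source-address check would treat it. It assumes the masq entry does restore 139.143.42.228 as the source; the interface prefixes, the client address 198.51.100.7 and the `policy` source-routing table are constructed for illustration.

```python
import ipaddress as ip

# Constructed model of the firewall in the thread. Only 139.143.42.228 and
# 10.0.0.3 come from the message; prefixes and the client address are assumptions.
IFACES = {
    "eth0": ip.ip_network("24.0.0.0/8"),       # cable ISP (assumed prefix)
    "eth1": ip.ip_network("139.143.42.0/24"),  # ISDN link (assumed prefix length)
    "eth2": ip.ip_network("10.0.0.0/8"),       # internal LAN
}
DEFAULT_IFACE = "eth0"  # default gateway, as described in the thread
FORWARDS = {("139.143.42.228", 25): ("10.0.0.3", 25)}  # the ipportfw rule


def route(dst, src=None, policy=None):
    """Pick the egress interface. Plain routing looks only at dst;
    `policy` (hypothetical) maps a source address to an interface."""
    if policy and src in policy:
        return policy[src]
    d = ip.ip_address(dst)
    matches = [(n.prefixlen, name) for name, n in IFACES.items() if d in n]
    return max(matches)[1] if matches else DEFAULT_IFACE


def upstream_accepts(iface, src):
    """Source-address validation as an upstream might apply it: accept only
    packets whose source belongs to the prefix assigned on that link."""
    return ip.ip_address(src) in IFACES[iface]


def reply_path(client, server, sport, policy=None):
    """Follow the mail server's reply to a forwarded connection."""
    # Reverse the forward: the reply's source becomes the public address again.
    public = next(pub for pub, priv in FORWARDS.items() if priv == (server, sport))
    src = public[0]
    iface = route(client, src, policy)
    return {"src": src, "iface": iface, "delivered": upstream_accepts(iface, src)}


if __name__ == "__main__":
    print(reply_path("198.51.100.7", "10.0.0.3", 25))
    print(reply_path("198.51.100.7", "10.0.0.3", 25,
                     policy={"139.143.42.228": "eth1"}))
```
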

