Is TCP redirection possible while keeping the originator's IP address?

I have multiple Ubuntu hosts, each with several Ubuntu virtual machines. One of the virtual machines is our SMTP server. On the host of the SMTP virtual machine, all SMTP calls are redirected to the SMTP VM using rinetd with the following configuration:

aa.bb.cc.dd   25              172.16.1.5      25
aa.bb.cc.dd   465             172.16.1.5      465
aa.bb.cc.dd   587             172.16.1.5      587
aa.bb.cc.dd   993             172.16.1.5      993

aa.bb.cc.dd is the public IP address of the host where the SMTP VM is sitting. 172.16.1.5 is the internal address of the SMTP VM.

My problem is that I cannot set up relaying on the SMTP VM, because the Postfix server on the SMTP VM gets every call with aa.bb.cc.dd as the originating IP address, so I cannot set any filtering on relaying, but I want to enable relaying for a couple of IP addresses only (for our other hosts).

Is there any possibility to forward SMTP calls to the SMTP1 VM so that the originator's IP address is kept?

Tibor Nagy

Posted 2017-04-03T16:02:25.010

Reputation: 111

Answers

0

You should look into using iptables and the iptables-persistent package - this will let you use NAT, rather than just 'forwarding' the connections by creating a new socket.

Your configuration would look something like this:

-A PREROUTING -d aa.bb.cc.dd -p tcp -m tcp --dport 25  -j DNAT --to-destination 172.16.1.5:25
-A PREROUTING -d aa.bb.cc.dd -p tcp -m tcp --dport 465 -j DNAT --to-destination 172.16.1.5:465
-A PREROUTING -d aa.bb.cc.dd -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.16.1.5:587
-A PREROUTING -d aa.bb.cc.dd -p tcp -m tcp --dport 993 -j DNAT --to-destination 172.16.1.5:993

You'll also need to enable ip_forward. Set the following in /etc/sysctl.conf:

net.ipv4.ip_forward=1

Your host machine will operate like a router, allowing the guests to be accessed, maintaining the true source IP.

Attie

Posted 2017-04-03T16:02:25.010

Reputation: 14 841
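The rules in this answer cover only the nat table. As an added example (not from the answer or the questioner), the script below generates a complete iptables-restore ruleset that pairs the DNAT entries with a FORWARD chain that defaults to DROP and admits only the forwarded ports and their replies, plus a preflight check for ip_forward; the addresses and port list are the placeholders from the question.

```shell
#!/bin/sh
# Added example. PUBLIC_IP and VM_IP are the placeholder values from the
# question; edit them for a real host. Apply the output with
# `iptables-restore < rules` (note: this replaces the nat and filter tables),
# or save it as /etc/iptables/rules.v4 for iptables-persistent.
PUBLIC_IP="aa.bb.cc.dd"
VM_IP="172.16.1.5"
PORTS="25 465 587 993"

# Print the ruleset. nat: one DNAT per forwarded port, so Postfix on the VM
# sees the real client address. filter: FORWARD policy DROP, then allow only
# reply traffic and new connections to the forwarded ports on the VM, so the
# router setup does not expose every guest service to the internet.
gen_rules() {
  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':POSTROUTING ACCEPT [0:0]'
  for p in $PORTS; do
    echo "-A PREROUTING -d $PUBLIC_IP -p tcp -m tcp --dport $p -j DNAT --to-destination $VM_IP:$p"
  done
  echo 'COMMIT'
  echo '*filter'
  echo ':FORWARD DROP [0:0]'
  echo '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
  for p in $PORTS; do
    echo "-A FORWARD -d $VM_IP -p tcp -m tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo 'COMMIT'
}

# Preflight: succeeds only when IPv4 forwarding is on. With it off, the
# PREROUTING rule still matches (and logs) but nothing is delivered, which
# shows up as client timeouts.
check_ip_forward() {
  f=/proc/sys/net/ipv4/ip_forward
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Count the DNAT rules for one port in a ruleset read from stdin.
count_dnat() {
  grep -c -- "--dport $1 -j DNAT"
}

# The VM must also use the host as its default gateway: the reply packets have
# to pass back through the host's conntrack table to be un-NATed.
```

Only the host side is covered here; a VM on an isolated VirtualBox network still needs its routing pointed at the host, as the comments below work out.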

Somehow it doesn't work. I tried first to redirect the HTML port, because I could see the source IP in the apache log immediately. It simply times out, or sometimes I get ERR_NETWORK_CHANGED in the browser. I also added LOG to see that the rule is reached, and it really is reached, but not forwarded. What can be wrong? My nat table looks like: LOG tcp -- 0.0.0.0/0 94.231.88.101 tcp dpt:80 LOG flags 0 level 4 DNAT tcp -- 0.0.0.0/0 94.231.88.101 tcp dpt:80 to:172.16.2.201:80 – Tibor Nagy – 2017-04-04T10:12:50.507

Did you enable ip_forward? Please also check the default / resulting policy for the FORWARD chain, iptables -L. It sounds like this is currently DROP (hence the timeouts). Note: as it's now clear that this is a host on the internet, you should be careful with routing - make sure you firewall it properly otherwise people could access your guest VMs. – Attie – 2017-04-04T10:31:27.213

Yes, cat /proc/sys/net/ipv4/ip_forward returns 1. The filter table has only the basic rules, i.e. INPUT/FORWARD/OUTPUT (policy ACCEPT). I'm puzzled. – Tibor Nagy – 2017-04-04T11:59:16.630

One step forward. If I add iptables -t nat -A POSTROUTING -j MASQUERADE, then the target system is reached, but of course I lose the original source IP. Somehow, PREROUTING doesn't work between two interfaces. – Tibor Nagy – 2017-04-04T12:17:03.443

I guess what the problem is. The VM running with VirtualBox has a private network, which doesn't allow connections from an outside IP address. – Tibor Nagy – 2017-04-04T12:50:08.277

Ah, then you'll need to set the VM's routing up accordingly. – Attie – 2017-04-04T12:56:43.290