# IMAP port forward problem using iptables

## kraaij

Hi, 

I am having a port forwarding problem. I have looked in the forums, but either I am not having the same problem or the post has not been answered.... So maybe one of you can help me.

I want to do the following: a call from SRCIP to IPADDR on port 143 (IMAP) should forward this call to PORTFWIP port 143. I thus should be able to check my IMAP mail on PORTFWIP from SRCIP by using port 143 on machine IPADDR. These three machines are _not_ on the same network.

What I have written is the following script, without any other rules.

```
INTERNET="eth0"           # Internet connected interface
IPADDR="a.b.c.d"
PORTFWIP="e.f.g.h"
SRCIP="i.j.k.l"
FWPORT=143

# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Unlimited traffic on the loopback interface
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Set the default policy to accept
iptables --policy INPUT   ACCEPT
iptables --policy OUTPUT  ACCEPT
iptables --policy FORWARD ACCEPT

iptables -t nat -A PREROUTING -i $INTERNET -s ! $SRCIP -p tcp --dport $FWPORT -j DNAT --to $PORTFWIP:$FWPORT
iptables -t nat -A POSTROUTING -o $INTERNET -d $PORTFWIP -j SNAT --to $IPADDR
```

Machine IPADDR has only one ethernet connection (eth0).

What am I doing wrong here? 

Thanks for any help you can give.

Greetings,

Anton.

----------

## Larde

I am not sure if I am getting this right, but you say:

> I thus should be able to check my IMAP mail on PORTFWIP from SRCIP

So SRCIP is the machine where your IMAP client is? Then your rule

```
iptables -t nat -A PREROUTING -i $INTERNET -s ! $SRCIP -p tcp ...
```

would be wrong, as you say DNAT for connections not coming from SRCIP.

I am trying to recreate the scenario here now, because I am also not so sure about the SNAT rule.

Yours,

Larde.

----------

## Larde

Ok, the POSTROUTING rule doesn't seem to be harmful, as I would have expected, but is not needed either. I did not notice a difference with or without it. So try the PREROUTING rule like

```
iptables -t nat -A PREROUTING -i $INTERNET -s $SRCIP -p tcp --dport $FWPORT -j DNAT --to $PORTFWIP:$FWPORT
```

and it should work. If I understood that setup correctly.

Yours,

Larde.

----------

## mglauche

A good way to diagnose such problems is to run `tcpdump -n -i eth<x>` on an interface where the mangled packets should go through, and have a look. Sometimes you see that the responses are misguided, or that the packets won't reach the server, etc, etc. Very useful tool for debugging network problems.

----------

## kraaij

Larde: Thanks for noticing the _NOT_ coming from SRCIP. I tried it again, together with the hint from mglauche to use tcpdump.

It still does not work. I use both lines, so the prerouting and postrouting lines are like this:

```
iptables -t nat -A PREROUTING -i $INTERNET -s $SRCIP -p tcp --dport $FWPORT -j DNAT --to $PORTFWIP:$FWPORT
iptables -t nat -A POSTROUTING -o $INTERNET -d $PORTFWIP -j SNAT --to $IPADDR
```

So this is my output from `tcpdump -n -i eth0 | grep 143` (the port I want to forward):

```
tcpdump: listening on eth0
10:25:34.356017 $SRCIP.39321 > IPADDR.143: S 3296135485:3296135485(0) win 5840 <mss 1460,sackOK,timestamp 51903866 0,nop,wscale 0> (DF)
10:25:36.359735 $IPADDR.2417 > $PORTFWIP.143: P 2349194833:2349194843(10) ack 2157659674 win 36200 <nop,nop,timestamp 59780018 12653265> (DF)
10:25:36.360363 $PORTFWIP.143 > $IPADDR.2417: P 1:25(24) ack 10 win 16652 <nop,nop,timestamp 12653415 59780018> (DF)
10:25:36.360420 $IPADDR.2417 > $PORTFWIP.143: . ack 25 win 36200 <nop,nop,timestamp 59780018 12653415> (DF)
10:25:37.343612 $SRCIP.39321 > $IPADDR.143: S 3296135485:3296135485(0) win 5840 <mss 1460,sackOK,timestamp 51904166 0,nop,wscale 0> (DF)
10:25:43.342243 $SRCIP.39321 > $IPADDR.143: S 3296135485:3296135485(0) win 5840 <mss 1460,sackOK,timestamp 51904766 0,nop,wscale 0> (DF)
10:25:51.370308 $PORTFWIP.143 > $IPADDR.2417: P 25:49(24) ack 20 win 16642 <nop,nop,timestamp 12653564 59781519> (DF)
10:25:51.370364 $IPADDR.2417 > $PORTFWIP.143: . ack 49 win 36200 <nop,nop,timestamp 59781519 12653564> (DF)
```

As far as I understand it, the first prerouting rule is now ok: packages from $SRCIP to $IPADDR.143 are forwarded to $PORTFWIP.143. Then $PORTFWIP responds to $IPADDR and back, but the return packages from $PORTFWIP are not sent back to $SRCIP by $IPADDR. That's why, after trying with only the prerouting line, I added the postrouting line, given the tcpdump output above.

Any suggestions?

Thanks for the help,

Anton.

EDIT: neglect this post. The output from tcpdump is invalid. I had an imap client running on $IPADDR... Nothing was forwarded at all. See post below for explanation.

Last edited by kraaij on Thu Oct 17, 2002 2:50 pm; edited 1 time in total
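The capture above actually shows the symptom mglauche's tcpdump hint is meant to surface: the client's SYN to port 143 is repeated three times and nothing ever comes back in that flow, while the only traffic to $PORTFWIP is a separate, already established connection from $IPADDR itself. The following script is an added example (not part of the thread, and not anyone's posted code) that reads classic tcpdump output and lists flows that keep retransmitting bare SYNs without a single packet in the reverse direction, which is what a DNAT rule that matches but is never forwarded looks like. The sample capture is constructed in the same format as the thread's, with documentation-range addresses standing in for $SRCIP, $IPADDR and $PORTFWIP.

```shell
#!/bin/sh
# Added example: find TCP flows in tcpdump output whose SYNs are never
# answered. Not part of the original thread.

# Constructed sample, modelled on the thread's capture (tcpdump 3.x format):
# 10.0.0.5 plays $SRCIP, 192.0.2.10 plays $IPADDR, 198.51.100.7 plays $PORTFWIP.
SAMPLE_CAPTURE='10:25:34.356017 10.0.0.5.39321 > 192.0.2.10.143: S 3296135485:3296135485(0) win 5840 <mss 1460> (DF)
10:25:36.359735 192.0.2.10.2417 > 198.51.100.7.143: P 2349194833:2349194843(10) ack 2157659674 win 36200 (DF)
10:25:36.360363 198.51.100.7.143 > 192.0.2.10.2417: P 1:25(24) ack 10 win 16652 (DF)
10:25:36.360420 192.0.2.10.2417 > 198.51.100.7.143: . ack 25 win 36200 (DF)
10:25:37.343612 10.0.0.5.39321 > 192.0.2.10.143: S 3296135485:3296135485(0) win 5840 <mss 1460> (DF)
10:25:43.342243 10.0.0.5.39321 > 192.0.2.10.143: S 3296135485:3296135485(0) win 5840 <mss 1460> (DF)'

# find_unanswered_syns: reads a capture on stdin and prints one line per
# flow, "src dst syn_count", for every flow with at least two bare SYNs
# (initial SYN plus retransmits) and no packet ever seen going back.
# Field layout per line: $1 time, $2 src, $3 ">", $4 "dst:", $5 TCP flags.
find_unanswered_syns() {
    awk '
    {
        src = $2; dst = $4; sub(/:$/, "", dst); flags = $5
        seen[src " " dst] = 1                 # direction observed at all
        if (flags == "S") syns[src " " dst]++  # bare SYN, no ACK bit
    }
    END {
        for (f in syns) {
            split(f, a, " ")
            reverse = a[2] " " a[1]
            if (syns[f] >= 2 && !(reverse in seen))
                printf "%s %s %d\n", a[1], a[2], syns[f]
        }
    }'
}

# unanswered_count: number of stalled flows in the sample capture.
unanswered_count() {
    printf '%s\n' "$SAMPLE_CAPTURE" | find_unanswered_syns | wc -l | tr -d ' '
}

# Stand-alone run: report stalled flows in the sample.
printf '%s\n' "$SAMPLE_CAPTURE" | find_unanswered_syns
```

On the thread's capture this reports only the client's flow to port 143, with three SYNs and no reply, and nothing for the connection from $IPADDR to $PORTFWIP, which was simply the local IMAP client. A live run is `tcpdump -n -i eth0 port 143 | find_unanswered_syns`, piped through `tcpdump -l` so lines are flushed as they arrive.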

----------

## kraaij

Ok, I have it: I needed to enable ip-forwarding! (duh....)

This does the trick:

```
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i $INTERNET -s $SRCIP -p tcp --dport $FWPORT -j DNAT --to $PORTFWIP:$FWPORT
iptables -t nat -A POSTROUTING -o $INTERNET -d $PORTFWIP -p tcp -j SNAT --to $IPADDR
```

Now it works!

Thanks for all the help,

Anton.
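Two things in the working setup deserve a closer look than the thread gives them. First, the SNAT rule is not optional here even though it made no difference in Larde's test: the client and the IMAP server sit on different networks behind the same interface, so without SNAT the server would answer $SRCIP directly with its own address as source, and the client, which is waiting for a reply from $IPADDR, would drop it; rewriting the source to $IPADDR forces the reply back through the box where conntrack undoes the DNAT. Second, the original script sets the FORWARD policy to ACCEPT, which was harmless while ip_forward was 0 but turns the host into an open router the moment forwarding is switched on. The script below is an added example, not the thread's own script, that keeps the two NAT rules from the last post and adds a FORWARD chain limited to this one flow; it prints the commands for review by default and only applies them when asked to as root. The addresses are documentation-range placeholders for a.b.c.d, e.f.g.h and i.j.k.l.

```shell
#!/bin/sh
# Added example (not the thread's own script): DNAT/SNAT port forward for
# IMAP through a single-interface box, with ip_forward handled explicitly
# and the FORWARD chain restricted to the forwarded flow.

INTERNET="eth0"          # single Internet-facing interface
IPADDR="192.0.2.10"      # this host  (placeholder for a.b.c.d)
PORTFWIP="198.51.100.7"  # real IMAP server (placeholder for e.f.g.h)
SRCIP="203.0.113.4"      # the one allowed client (placeholder for i.j.k.l)
FWPORT=143

# render_rules prints the rule set instead of running it, so it can be
# reviewed (and tested) without root.
render_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $INTERNET -s $SRCIP -p tcp --dport $FWPORT -j DNAT --to-destination $PORTFWIP:$FWPORT
iptables -t nat -A POSTROUTING -o $INTERNET -d $PORTFWIP -p tcp --dport $FWPORT -j SNAT --to-source $IPADDR
iptables -P FORWARD DROP
iptables -A FORWARD -i $INTERNET -o $INTERNET -s $SRCIP -d $PORTFWIP -p tcp --dport $FWPORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# forwarding_enabled returns 0 when the kernel will actually route the
# DNATed packets (the sysctl is absent on non-Linux hosts).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Apply only on explicit request and only as root; otherwise just show.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    render_rules | sh -e
    forwarding_enabled || echo "warning: ip_forward is still 0, nothing will be forwarded" >&2
else
    render_rules
fi
```

The FORWARD rule for new connections matches on the post-DNAT destination ($PORTFWIP), because PREROUTING has already rewritten the packet by the time it reaches FORWARD; replies are covered by the generic ESTABLISHED,RELATED rule after conntrack reverses the SNAT.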

----------

