
Redirect Port 25 -> 2525 - easy?

Posted: Fri Jun 30, 2006 12:46 am
by jo2jo
Since the ISP I use blocks port 25, I wanted to forward all traffic going out on port 25 to 2525.

I can get this to work with a NAT rule with action netmap -> an IP address and port 2525 (works for me, but not for clients that may go to ANY SMTP server).

If I set the action to redirect and the port to 2525, it does not go through at all.



Any ideas? Thanks.

Posted: Fri Jun 30, 2006 9:36 am
by cmit
Action "redirect" always redirects to the local router itself - you have to use action "dst-nat" for that...

Please read the manual ;) ...

Best regards,
Christian Meis

Posted: Wed Jul 05, 2006 9:26 am
by jo2jo
Thanks for the response, but I have a follow-up question (I've read the manual too):

I have a NAT rule that I can see grabs the clients' port 25 SMTP packets (I have the rule's action set to "redirect", dst-nat or src-nat, and the port value 2525).

Do I need to set up rules to accept and redirect the packets coming back on port 2525?


I ask because I still can't get mail clients that are set to the default of port 25 to be redirected to 2525 (if I manually set the client to use 2525 it works, mail sends).

Thanks,
Joe

Posted: Wed Jul 05, 2006 9:35 am
by cmit
As long as connection-tracking is enabled (which it is by default), there's usually no need to configure the "reverse route".

Perhaps post your complete ip address config, ip routing and nat config?

Best regards,
Christian Meis
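To make the two points above concrete (redirect vs. dst-nat, and why no reverse rule is needed once connection tracking is on), here is an added example in Python. It is my own toy model, not RouterOS code and not something from the thread: it models only the dstnat chain and a conntrack table, leaves srcnat/masquerade out, takes the router's LAN address 192.168.5.1 from the config posted later in the thread, and uses constructed RFC 5737 addresses for the client's mail server.

```python
"""Toy model of the RouterOS dstnat chain and of connection tracking.

Added example, not RouterOS code. It shows two things: action=redirect
rewrites the destination to the router's own address (so a remote SMTP
server never sees the connection), while action=dst-nat rewrites it to
to-addresses; and the server's reply needs no "reverse" rule, because the
conntrack entry created on the first packet undoes the translation.
srcnat/masquerade is not modelled. Addresses are constructed (RFC 5737);
the router LAN address is the ether1 address from the posted config.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

ROUTER_LAN_IP = "192.168.5.1"  # assumed: ether1 address in the posted config


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    """A dstnat-chain rule with the fields used in this thread."""
    action: str                         # "redirect", "dst-nat" or "accept"
    dst_port: Optional[int] = None
    src_address: Optional[str] = None   # prefix, e.g. "192.168.5.0/24"
    to_addresses: Optional[str] = None
    to_ports: Optional[int] = None
    disabled: bool = False              # the "X" flag in /ip firewall nat print

    def matches(self, p: Packet) -> bool:
        if self.disabled:
            return False
        if self.dst_port is not None and p.dport != self.dst_port:
            return False
        if self.src_address is not None:
            net = ipaddress.ip_network(self.src_address, strict=False)
            if ipaddress.ip_address(p.src) not in net:
                return False
        return True


FlowKey = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


class Router:
    def __init__(self, rules: List[NatRule], lan_ip: str = ROUTER_LAN_IP):
        self.rules = rules
        self.lan_ip = lan_ip
        # conntrack: key of the expected reply -> packet as the client sent it
        self.conntrack: Dict[FlowKey, Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        """First matching dstnat rule wins; the translation is recorded so the
        reply can be mapped back without any explicit reverse rule."""
        out = pkt
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.action == "redirect":
                # redirect always targets the router itself; to-addresses is ignored
                out = replace(pkt, dst=self.lan_ip, dport=rule.to_ports or pkt.dport)
            elif rule.action == "dst-nat":
                out = replace(pkt, dst=rule.to_addresses or pkt.dst,
                              dport=rule.to_ports or pkt.dport)
            break  # "accept" (or an unknown action) leaves the packet alone
        reply_key: FlowKey = (out.proto, out.dst, out.dport, out.src, out.sport)
        self.conntrack[reply_key] = pkt
        return out

    def reply(self, pkt: Packet) -> Packet:
        """Undo the destination translation on a packet coming back from the
        server, using only the conntrack entry."""
        key: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        original = self.conntrack.get(key)
        if original is None:
            return pkt  # untracked flow: nothing to undo
        return replace(pkt, src=original.dst, sport=original.dport)


def demo() -> Tuple[Packet, Packet, Packet]:
    """Same client packet through a redirect rule and through a dst-nat rule,
    then the server's reply back through the dst-nat router."""
    client = Packet("192.168.5.20", 40000, "203.0.113.25", 25)  # constructed
    common = dict(dst_port=25, src_address="192.168.5.0/24",
                  to_addresses="203.0.113.25", to_ports=2525)
    via_redirect = Router([NatRule("redirect", **common)])
    via_dstnat = Router([NatRule("dst-nat", **common)])
    out_redirect = via_redirect.forward(client)   # lands on 192.168.5.1:2525
    out_dstnat = via_dstnat.forward(client)       # lands on 203.0.113.25:2525
    server_reply = Packet(out_dstnat.dst, out_dstnat.dport, client.src, client.sport)
    back = via_dstnat.reply(server_reply)         # client sees 203.0.113.25:25 again
    return out_redirect, out_dstnat, back


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running it prints three packets: the redirected one is addressed to the router itself, which is why a remote mail server never sees it; the dst-nat'ed one goes to the server on 2525; and the reply comes back to the client with source port 25, as the client expects, without any second rule.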

Posted: Fri Jul 07, 2006 8:47 am
by jo2jo
OK, here are some configs; tell me what you think.

Thanks
#   ADDRESS            NETWORK         BROADCAST       INTERFACE 
 0   ;;; added by setup
     192.168.5.1/24     192.168.5.0     192.168.5.255   ether1    
 1   192.168.5.254/32   192.168.5.0     192.168.5.0     ether1    
 2 D My_PublicIP_addy/32  68.x.x.x   0.0.0.0         pppoe-out1
 3 D 12.217.x.x/22  12.217.156.0    12.x.x.x  ether3    
 4 D 192.168.5.251/32   192.168.5.252   0.0.0.0         fromlaptop

 #     DST-ADDRESS        PREF-SRC        G GATEWAY         DISTANCE INTERFACE 
 0 ADC 12.x.x.0/22    12.217.x.x                             ether3    
 1 ADC 68.x.x.69/32   My_PublicIP_addy                             pppoe-out1
 2 ADC 192.168.5.0/32     192.168.5.254                              ether1    
 3 ADC 192.168.5.252/32   192.168.5.251                              fromlaptop
 4 ADC 192.168.5.0/24     192.168.5.1                                ether1    
 5 A S 0.0.0.0/0                          r 68.x.x.x   1        pppoe-out1

 1 X ;;; EMAIL
     chain=dstnat src-address=192.168.5.0/24 protocol=tcp dst-port=25 
     action=netmap to-addresses=64.151.x.x to-ports=2525 

 7   ;;; sw smtp 2600->161
     chain=dstnat dst-address=My_PublicIP_addy protocol=udp dst-port=2600 
     action=netmap to-addresses=192.168.5.2 to-ports=161 

 8   ;;; sw web
     chain=dstnat dst-address=My_PublicIP_addy protocol=tcp dst-port=2685 
     action=netmap to-addresses=192.168.5.2 to-ports=80 

 9   chain=srcnat out-interface=ether3 action=masquerade 

10   chain=srcnat out-interface=pppoe-out1 action=masquerade 

11   ;;; sw web
     chain=dstnat dst-address=My_PublicIP_addy protocol=tcp dst-port=2680 
     action=netmap to-addresses=192.168.5.11 to-ports=80 

12   ;;; Xchange VNC 5906
     chain=dstnat dst-address=My_PublicIP_addy protocol=tcp dst-port=239


 ;;; Xchange RDC
     chain=dstnat dst-address=My_PublicIP_addy protocol=tcp dst-port=2390 
     action=netmap to-addresses=192.168.5.239 to-ports=3389 

14   ;;; CABLEsw smtp 2600->161
     chain=dstnat dst-address=My_PublicIP_addy protocol=udp dst-port=2600 
     action=netmap to-addresses=192.168.5.2 to-ports=161 




Posted: Fri Jul 07, 2006 8:57 am
by cmit
If you actually want all your clients' outgoing SMTP traffic to the server 64.151.x.x, your first dst-nat rule should read like this:
1 X ;;; EMAIL 
     chain=dstnat src-address=192.168.5.0/24 protocol=tcp dst-port=25 
     action=dst-nat to-addresses=64.151.x.x to-ports=2525
(and then, of course, not disabled ;) )

Best regards,
Christian Meis
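Here is an added example (my own Python, not RouterOS code and not from anyone in the thread) that parses output in the `/ip firewall nat print` layout posted above and flags the three things this thread turns on: a rule left disabled (the X flag that cmit spotted), action=redirect combined with a to-addresses it will ignore, and a catch-all port-25 rewrite to one fixed server, which diverts every client's outgoing mail, including any plaintext SMTP AUTH credentials, to that server no matter which server the client was configured to use. The dump in SAMPLE_DUMP is constructed in the same layout with RFC 5737 addresses in place of the real ones.

```python
"""Parse '/ip firewall nat print' output and flag rules behind the symptoms
in this thread. Added example, not RouterOS code. SAMPLE_DUMP is constructed
in the layout of the dumps posted above, with RFC 5737 addresses."""
import re
from typing import Dict, List, Tuple

SAMPLE_DUMP = """\
 0   ;;; masquerade for private network
     chain=srcnat src-address=192.168.5.0/24 action=masquerade

 1 X ;;; EMAIL (left disabled while testing)
     chain=dstnat src-address=192.168.5.0/24 protocol=tcp dst-port=25
     action=netmap to-addresses=203.0.113.25 to-ports=2525

 2   ;;; redirect attempt
     chain=dstnat protocol=tcp dst-port=25 action=redirect
     to-addresses=203.0.113.25 to-ports=2525

 3   ;;; send everyone's mail through the ISP relay
     chain=dstnat src-address=192.168.5.0/24 protocol=tcp dst-port=25
     action=dst-nat to-addresses=198.51.100.7 to-ports=25

 4   ;;; web server port forward
     chain=dstnat dst-address=192.0.2.10 protocol=tcp dst-port=2680
     action=dst-nat to-addresses=192.168.5.11 to-ports=80
"""

# rule header: number, optional flag letters (X disabled, I invalid, D dynamic), rest
HEADER = re.compile(r"^\s*(\d+)\s*((?:[XID]\s*)*)(.*)$")
KEYVAL = re.compile(r"(\S+?)=(\S+)")

Rule = Dict[str, str]
Finding = Tuple[str, str, str]   # rule number, code, message


def parse_nat_print(text: str) -> List[Rule]:
    """Turn the multi-line print layout into one dict per rule."""
    rules: List[Rule] = []
    cur: Rule = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = HEADER.match(line)
        if m:
            cur = {"number": m.group(1), "flags": m.group(2).replace(" ", ""), "comment": ""}
            rules.append(cur)
            rest = m.group(3).strip()
        elif stripped.startswith(";;;"):
            # comment line that lost its number in a paste: start a new rule anyway
            cur = {"number": "?", "flags": "", "comment": ""}
            rules.append(cur)
            rest = stripped
        elif not cur:
            continue   # column headers or other text before the first rule
        else:
            rest = stripped   # continuation line of the current rule
        if rest.startswith(";;;"):
            cur["comment"] = rest[3:].strip()
        else:
            cur.update(KEYVAL.findall(rest))
    return rules


def lint(rules: List[Rule]) -> List[Finding]:
    findings: List[Finding] = []
    for r in rules:
        n = r["number"]
        if "X" in r["flags"]:
            findings.append((n, "disabled", "rule is disabled (flag X) and never matches"))
            continue
        action = r.get("action")
        if action == "redirect" and "to-addresses" in r:
            findings.append((n, "redirect-ignores-to-addresses",
                             "action=redirect sends the traffic to the router itself; "
                             f"to-addresses={r['to-addresses']} is ignored, use action=dst-nat"))
        if (r.get("chain") == "dstnat" and r.get("dst-port") == "25"
                and "dst-address" not in r and action in ("dst-nat", "netmap")
                and r.get("to-addresses") not in (None, "0.0.0.0", "0.0.0.0/0")):
            findings.append((n, "smtp-interception",
                             "all matching clients' outgoing SMTP, including any SMTP AUTH "
                             f"credentials, is diverted to {r['to-addresses']} regardless of "
                             "the server the client configured"))
    return findings


if __name__ == "__main__":
    for number, code, msg in lint(parse_nat_print(SAMPLE_DUMP)):
        print(f"rule {number}: {code}: {msg}")
```

Paste the real `/ip firewall nat print` output into SAMPLE_DUMP (or read it from a file) to run it against a live config; the "smtp-interception" finding is informational, since a catch-all rewrite to the ISP relay is exactly what some of the posters want, but it is worth knowing that it also carries every client's credentials there.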

Posted: Fri Jul 07, 2006 9:21 am
by jo2jo
Sorry, that was one last thing I was testing before I posted the config.

What I want is still to redirect (I use the divert action on my BSD ipfw firewalls) all requests on TCP port 25 to 2525.

Thanks,
Jo

Posted: Fri Jul 07, 2006 9:43 am
by cmit
I'm not sure I understand what you want to achieve. If you want to dst-nat every outgoing SMTP connection so that just the dst-port is changed to 2525 (and the destination address is left unchanged), you would have to use
1   ;;; EMAIL 
     chain=dstnat src-address=192.168.5.0/24 protocol=tcp dst-port=25 
     action=dst-nat to-addresses=0.0.0.0/0 to-ports=2525
But this will obviously not work most of the time, because a standard SMTP server "somewhere on the internet" will not listen on port 2525.

So I'm not clear about what you really want...

Best regards,
Christian Meis

Posted: Fri Jul 07, 2006 6:16 pm
by jo2jo
cmit,

Thanks it works great.

The reason I wanted to do this is that my ISP blocks port 25 outgoing. So allowing my customers to use port 25 for SMTP is pointless, as their packets will get dropped anyway.

Some SMTP servers support 2525, so it's worth a shot. Let's put it this way: I've gotten 2 support calls from people who could not send email, and one of them was resolved by switching the client port to 2525, so I guess this would have fixed that before they called.

Thanks again for the quick responses.

jo!

Posted: Sun Nov 05, 2006 6:30 pm
by juibar
cmit,

I am trying to use the firewall rule you suggested, but my Outlook client will not send emails.

I even edited the rule to "redirect" from port 25 to port 25, and still Outlook will not send emails. Below are my rules.
 0   ;;; masquerade hotspot network
     chain=srcnat src-address=192.168.0.0/24 action=masquerade 

 1   ;;; SMTP port redirect
     chain=dstnat protocol=tcp dst-port=25 action=dst-nat 
     to-addresses=0.0.0.0 to-ports=25 

 2   ;;; masquerade for private network
     chain=srcnat src-address=192.168.1.0/24 action=masquerade
While troubleshooting I only see the counters increasing.

What can be wrong? How can I troubleshoot?

Thanks,
juibar

Posted: Sun Nov 05, 2006 6:53 pm
by jo2jo
Well, it's not exactly what you want, but I can tell you what I did to resolve this issue for me.


The ISP's line I was sharing with these clients has a mail server they allow local customers to use, so I did this NAT rule:


5 ;;; EMAIL
chain=dstnat src-address=192.168.5.0/24 protocol=tcp dst-port=25
action=netmap to-addresses=70.xx.xx.xxx to-ports=25

Works great and forwards any client's outgoing mail request to our local server, regardless of the end client's server or user ID/password settings.

Posted: Mon Nov 06, 2006 6:26 am
by juibar
I put a non-zero IP address in the "To Addresses" field and this time it worked, but what I really need is to change the port in the IP packet while leaving the IP address unchanged.

I would appreciate your help.
juibar