Summary
There is a VirtualBox host (1.1.1.5) and a routed guest (1.1.1.6). Something redirects any port 25 traffic to or from the guest, whether inbound or outbound, to 1.1.1.5 port 2525, and I cannot find out what.
The IPs and MACs are changed for this post, of course.
Setup
I have the following setup:
- there is a Debian root server with IP 1.1.1.5, hosting a VirtualBox server
- a second IP (1.1.1.6) is routed to this server
- this second IP is routed to a virtual network interface "virbr1" which is used by a Debian VirtualBox guest mailserver
- on the root server, iptables is running and configured with ufw
The setup works flawlessly - I can ping the mailserver on 1.1.1.6 and reach its web interface etc., the mailserver can reach the internet, everything is fine, EXCEPT that one port: trying to reach the mailserver on port 25 does not work.
This is not about an ISP blocking port 25 or something like that, it's more complex. Read on :)
Diagnosis of the problem
Telnetting from external
When I try to telnet from another server:
telnet 1.1.1.6 25
the connection will time out. In the syslog of the host system (1.1.1.5), the following message from iptables appears:
[UFW BLOCK] IN=eth0 OUT= MAC=c8:c8:c8:c8:c8:c8:c8:fe:3d:46:e6:0f:08:00 SRC=2.2.2.5 DST=1.1.1.5 LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=45855 DF PROTO=TCP SPT=64059 DPT=2525 WINDOW=65535 RES=0x00 SYN URGP=0
There is one important thing to note here: I tried to connect to 1.1.1.6 on port 25, but the iptables block happens on 1.1.1.5 on port 2525.
Telnetting from the guest box
When I SSH to the mailserver guest and then telnet to another server:
telnet 9.9.9.5 25
the connection will time out as well. Note that all other ports or connections work. In the log of the host system, the following wild messages appear:
[UFW BLOCK] IN=virbr1 OUT= MAC=aa:aa:ab:ac:ad:af:af:ag:ag SRC=1.1.1.6 DST=1.1.1.5 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=3529 DF PROTO=TCP SPT=45250 DPT=2525 WINDOW=14600 RES=0x00 SYN URGP=0
Important to note: the DST should rather be 9.9.9.5, but is the host server's IP. The DPT was expected to be 25, but is 2525.
Assumption
It looks like something on the host system 1.1.1.5 redirects any traffic on port 25 that passes through it to itself on port 2525.
Looking for the cause
I tried the following ways to find the cause for this behavior:
- netstat -lnp on the host shows nothing bound to port 25 or 2525
- the config files in /etc/ufw, especially before.rules, contain nothing about port 25 except the necessary -A ufw-before-forward -i eth0 -d 1.1.1.6 -p tcp --dport 25 -j ACCEPT
- using iptables -L -n | grep "25" shows only the rule mentioned above in the forward chain
- even on ufw logging high, the syslog contains nothing prior to the block messages mentioned above that is related to the packets in question
- disabling the firewall with ufw disable does not change the problem
- no config file mentions a 2525: egrep -R "2525" /etc returns nothing
So now, I'm clueless. How should I diagnose that problem further? What might be the cause?
The solution was quite simple: I did not know that
iptables -L -n
does not show all rules, but that you have to specify
iptables -t nat -L
to show the PREROUTING chain of the nat table. It contained a redirect to port 2525. No idea where it came from, but removing it resolved the problem. So, kids: if you ever try to diagnose iptables routing problems, be advised that there is more than one table, and check out the nat table.
Apart from that, sorry for the rather useless question.
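As an added example (not part of the original post), the check that would have found the rule straight away: iptables-save dumps every table (filter, nat, mangle, raw) in one listing, whereas iptables -L shows only the filter table. The script below searches that listing for any rule in any table that mentions a given port and separately lists the nat-table REDIRECT/DNAT rules. The sample rules embedded in it are constructed to mirror the setup in the post (the ufw forward ACCEPT plus a hidden PREROUTING redirect); on a real host, calling the functions without the second argument reads from iptables-save, which needs root.

```shell
# Added example: inspect ALL iptables tables for rules touching a port.
# The sample below is constructed for the post's scenario, not captured
# from the author's host.
SAMPLE_RULES='# Generated by iptables-save
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 2525
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ufw-before-forward - [0:0]
-A ufw-before-forward -i eth0 -d 1.1.1.6/32 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT'

# rules_for_port PORT [RULES]
# Prints "table: rule" for every rule, in every table, that names PORT as
# --dport, --sport, a REDIRECT --to-ports target or a DNAT host:port target.
# Reads `iptables-save` output when RULES is not supplied.
rules_for_port() {
    port=$1
    rules=${2:-$(iptables-save 2>/dev/null)}
    printf '%s\n' "$rules" | awk -v port="$port" '
        /^\*/ { table = substr($0, 2); next }   # "*nat" -> current table "nat"
        /^-A/ {
            if ($0 ~ ("--dport " port "([^0-9]|$)") ||
                $0 ~ ("--sport " port "([^0-9]|$)") ||
                $0 ~ ("--to-ports " port "([^0-9]|$)") ||
                $0 ~ (":" port "([^0-9]|$)"))
                print table ": " $0
        }'
}

# nat_redirects [RULES]
# Prints only nat-table rules that rewrite the destination (REDIRECT or
# DNAT), which is where the post's mystery port-2525 rule lived.
nat_redirects() {
    rules=${1:-$(iptables-save 2>/dev/null)}
    printf '%s\n' "$rules" | awk '
        /^\*/ { table = substr($0, 2); next }
        /^-A/ && table == "nat" && /-j (REDIRECT|DNAT)/ { print }'
}

# Stand-alone run against the constructed sample: the first call finds the
# nat REDIRECT that `iptables -L -n | grep 2525` on the filter table misses.
rules_for_port 2525 "$SAMPLE_RULES"
nat_redirects "$SAMPLE_RULES"
```

On a live host, run rules_for_port 25 and rules_for_port 2525 with no second argument; a line prefixed "nat:" is the one to look at, and iptables -t nat -L PREROUTING -n --line-numbers then gives the rule number to delete.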