Redirecting mail (POP3, SMTP) through firewall ...
Hi

Can anyone assist me in redirecting smtp and pop3 through a firewall to a mail server on a private network? I have been trying to get this right for a few days now.

I'm using iptables and kernel 2.4.10.

These are my rules:

# pop3 forwarding
$IPTABLES -t nat -A PREROUTING -i $IFACE_INET -p tcp -d $IP_INET_MAIL --dport 110 -j DNAT --to 192.168.1.4:110
$IPTABLES -A INPUT -i $IFACE_INET -p tcp -d $NET_DMZ --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_INET -p tcp -d $NET_DMZ --dport 110 -j ACCEPT

# smtp forwarding
$IPTABLES -t nat -A PREROUTING -i $IFACE_INET -p tcp -d $IP_INET_MAIL --dport 25 -j DNAT --to 192.168.1.4:25
$IPTABLES -A INPUT -i $IFACE_INET -p tcp -d $NET_DMZ --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_INET -p tcp -d $NET_DMZ --dport 25 -j ACCEPT

What am I missing? I have set LOG rules to watch for dropped packets and I used netstat on the mail server to check for incoming connections on these ports, but so far no luck ...

Ray
-- 
Raymond Leach
Cell: +27-82-416-1410  Tel: +27-11-444-5006  Fax: +27-11-444-5007
eMail: raymondl@knowledgefactory.co.za  www: http://www.knowledgefactory.co.za
"No matter where you go, there you are ..."
On Friday 09 November 2001 06:44, Ray Leach wrote:
> Can anyone assist me in redirecting smtp and pop3 through a firewall to
> a mail server on a private network?
>
> I'm using iptables and kernel 2.4.10.
>
> These are my rules:

I assume that the POP3 clients on the internet send packets to port 110 of your firewall, and that these packets should be forwarded to your mail server. The packets from the mail server should go out, masqueraded to be from the firewall, port 110. Is this so?

> # pop3 forwarding
> $IPTABLES -t nat -A PREROUTING -i $IFACE_INET -p tcp -d $IP_INET_MAIL
> --dport 110 -j DNAT --to 192.168.1.4:110

Is $IP_INET_MAIL the official IP of the firewall?

> $IPTABLES -A INPUT -i $IFACE_INET -p tcp -d $NET_DMZ --dport 110 -j
> ACCEPT

The packets should not go to the firewall directly, so IMHO not needed.

> $IPTABLES -A FORWARD -i $IFACE_INET -p tcp -d $NET_DMZ --dport 110 -j
> ACCEPT
>
> What am I missing?

There are some more things you could check:
- Is the way back from the mail server opened and masqueraded?
- Use tcpdump on your firewall to see the incoming and forwarded packets.
- Use tcpdump on your mailserver to check if the packets get forwarded correctly.

Andreas Baetz

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been scanned for the presence of computer viruses.
**********************************************************************
Hi

Thanks for the reply! Some answers below:

Andreas Baetz wrote:
> On Friday 09 November 2001 06:44, Ray Leach wrote:
> > Can anyone assist me in redirecting smtp and pop3 through a firewall to
> > a mail server on a private network?
> >
> > I'm using iptables and kernel 2.4.10.
> >
> > These are my rules:
>
> I assume that the POP3 clients on the internet send packets to port 110 of your firewall,
> and that these packets should be forwarded to your mail server. The packets from the
> mail server should go out, masqueraded to be from the firewall, port 110. Is this so?

No, I'm trying to do reverse masq (incoming) to the mail server.

> > # pop3 forwarding
> > $IPTABLES -t nat -A PREROUTING -i $IFACE_INET -p tcp -d $IP_INET_MAIL
> > --dport 110 -j DNAT --to 192.168.1.4:110
> Is $IP_INET_MAIL the official IP of the firewall?

No, of the mail server. This is the IP that will be in the MX record.

> > $IPTABLES -A INPUT -i $IFACE_INET -p tcp -d $NET_DMZ --dport 110 -j
> > ACCEPT
> The packets should not go to the firewall directly, so IMHO not needed

I'm attempting to forward the newly mangled packets to the mail server in the DMZ. This allows them to be accepted by the firewall to be passed on.

> > $IPTABLES -A FORWARD -i $IFACE_INET -p tcp -d $NET_DMZ --dport 110 -j
> > ACCEPT
> >
> > What am I missing?
> there are some more things you could check:
> - Is the way back from the mail server opened and masqueraded?

Yes opened, no not masqed.

> - use tcpdump on your firewall to see the incoming and forwarded packets
> - use tcpdump on your mailserver to check if the packets get forwarded correctly

It's an Exchange mail server unfortunately.

> Andreas Baetz

-- 
Raymond Leach
On Tuesday 13 November 2001 06:05, Ray Leach wrote:
> No, I'm trying to do reverse masq (incoming) to the mail server.

Let's see how the packets should go according to your rules:

Incoming packet:

  client:          SRC=client_IP  DST=MX_Mailserver_IP
  on the firewall: SRC=client_IP  DST=internal_Mailserver_IP  (Prerouting rule)

- IMHO this one goes only through the FORWARD chain, not the INPUT (man iptables)
- Is the routing on the firewall ok?
- Is forwarding in the kernel enabled?

Mailserver gets this packet and answers:

Outgoing packet:

  on the mailserver: SRC=internal_Mailserver_IP  DST=client_IP

- Is the routing on the mailserver ok?

  on the firewall: IMHO SRC should now be masqueraded to MX_Mailserver_IP so that the client gets the right answer packet

Another solution could be: you could also omit the prerouting rule and work with official IPs all the time, as your mailserver already has one. In this case you only have to allow forwarding of these packets. Plus give your mailserver interface both the internal and official IP addresses (should work on windoze too..)

Andreas Baetz
Hi,

I haven't got to grips with iptables - on my must do list - but there is an answer for ipchains/mark forward which may work for you.

For clarity, internet dev is ppp0, dmz is eth1

ipchains -A input -i ppp0 -d ip_of_ppp0 110 -m 110 -j ACCEPT
ipmasqadm mfw -A -m 110 -r ip_of_dmz_host
ipchains -A forward -i ppp0 -s ip_of_dmz_host -j MASQ

You can choose any mark you wish. I tend to make it meaningful if I can. The last line may seem a bit strange but it is essential for mfw to work. You can - and should - add other rules to bolt the communications down, e.g.

ipchains -A input -i eth1 -s ip_of_dmz_host 110 -d any 1024:65535 -j ACCEPT
ipchains -A input -i eth1 -s ip_of_dmz_host -j DENY

HTH
John
Hi,

If your question is just about simple port forwarding from inet to LAN, it's done with iptables -t nat -A PREROUTING -j DNAT. I just can't tell you how to do it because I haven't done it before with iptables yet. But I guess it's as simple as -j SNAT --to-source [ip.address.youwant.tomasq] for the ipchains equivalent -j MASQ target.

If you're not sure how packets traverse the iptables filter take a look at: http://www.knowplace.org/netfilter/

Please take a look at http://netfilter.samba.org/unreliable-guides/NAT-HOWTO to find out how. It's pretty well explained there.

HTH
Philipp
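Added example, written for this archive and not the script of any poster in the thread: a complete iptables rule set for the setup under discussion. It follows the packet path Andreas traces (a DNATed packet crosses FORWARD, never INPUT, so the INPUT rules in the original post do nothing for it) and the -t nat PREROUTING -j DNAT approach Philipp points to. Reply packets of a DNATed connection are reverse-translated by connection tracking, so they need no SNAT or MASQUERADE rule, only permission through FORWARD. The interface names eth0/eth1 and the public address 203.0.113.10 are assumptions for illustration; 192.168.1.4 is the internal address from Ray's rules. By default the script prints the iptables commands instead of running them, so the rule set can be reviewed first and then applied with IPT=iptables as root.

```shell
#!/bin/sh
# Added example (not from the thread): stateful DNAT port forwarding of SMTP
# and POP3 through a Linux iptables firewall to a mail server in the DMZ.
#
# Assumed (constructed) topology:
#   IFACE_INET    external interface of the firewall        eth0
#   IFACE_DMZ     interface facing the DMZ                  eth1
#   IP_INET_MAIL  public address the MX record points to    203.0.113.10 (TEST-NET-3)
#   IP_DMZ_MAIL   private address of the mail server        192.168.1.4 (from the thread)
IFACE_INET="${IFACE_INET:-eth0}"
IFACE_DMZ="${IFACE_DMZ:-eth1}"
IP_INET_MAIL="${IP_INET_MAIL:-203.0.113.10}"
IP_DMZ_MAIL="${IP_DMZ_MAIL:-192.168.1.4}"

# Dry run by default: the rules are printed, not loaded.
# Run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"

# Rules for one forwarded TCP service port.
forward_tcp_port() {
    port="$1"
    # 1. nat/PREROUTING: rewrite the destination before the routing decision,
    #    so the packet is routed to the DMZ host instead of being delivered
    #    to the firewall itself.
    $IPT -t nat -A PREROUTING -i "$IFACE_INET" -p tcp -d "$IP_INET_MAIL" \
        --dport "$port" -j DNAT --to-destination "$IP_DMZ_MAIL:$port"
    # 2. filter/FORWARD: the rewritten packet traverses FORWARD, not INPUT.
    #    Admit only new connections from outside to exactly this host:port.
    $IPT -A FORWARD -i "$IFACE_INET" -o "$IFACE_DMZ" -p tcp -d "$IP_DMZ_MAIL" \
        --dport "$port" -m state --state NEW -j ACCEPT
}

# Complete rule set for the mail forwarding.
mail_forwarding_rules() {
    # Replies from the mail server belong to a tracked connection; conntrack
    # undoes the DNAT on them automatically, so they need no SNAT/MASQUERADE,
    # only permission to cross FORWARD.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    forward_tcp_port 25    # SMTP
    forward_tcp_port 110   # POP3
    # Everything else that would be forwarded is logged and dropped, which
    # gives the "watch for dropped packets" LOG entries mentioned in the thread.
    $IPT -A FORWARD -j LOG --log-prefix "FORWARD drop: "
    $IPT -A FORWARD -j DROP
}

# Number of rules the set produces (a quick sanity check in dry-run mode).
count_mail_rules() {
    mail_forwarding_rules | wc -l | tr -d ' '
}

# The most common reason nothing reaches the mail server: the kernel is not
# forwarding at all. Returns 0 (true) when net.ipv4.ip_forward is 1.
ip_forward_enabled() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Diagnostics go to stderr so the printed rules stay clean.
if ip_forward_enabled; then
    echo "# ip_forward is enabled" >&2
else
    echo "# WARNING: net.ipv4.ip_forward is not 1; DNATed packets will not be forwarded" >&2
fi

# With no IPT override this prints the rule set for review.
mail_forwarding_rules
```

The FORWARD rules match on both the inbound and the outbound interface and on the exact destination host and port, so a DNAT entry cannot become a general path into the DMZ; the trailing LOG/DROP pair makes anything that falls through visible in the kernel log.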