[Fwd: [suse-security] Redirecting mail (POP3, SMTP) through firewall ...]
Help please ! Is anyone trying to do this, or am I the only one?

+----------------+
| Internet Users | <- Need to get mail from private pop3 server
+-------+--------+
        |
+-------+--------+
|                | DMZ +----------------+  +-----------------+
|    Firewall    +-----+ 192.168.1.0/24 +--+ Mail Server     |
|                |     +----------------+  | Pvt:192.168.1.3 |
+-------+--------+                         | Pub:66.8.34.163 |
        |                                  +-----------------+
+-------+--------+
|  10.0.0.0/24   | <- Pvt user subnet
+-------+--------+
        |
+-------+--------+
|   LAN Users    | <- Need smtp and pop3 access to mail server in DMZ
+----------------+

Can anyone tell me what rules I need to put in place to get this working?

Ray

Ray Leach wrote:
Hi
Can anyone assist me in redirecting smtp and pop3 through a firewall to a mail server on a private network?
I have been trying to get this right for a few days now.
I'm using iptables and kernel 2.4.10.
These are my rules:
# pop3 forwarding
$IPTABLES -t nat -A PREROUTING -i $IFACE_INET -p tcp -d $IP_INET_MAIL --dport 110 -j DNAT --to 192.168.1.4:110
$IPTABLES -A INPUT -i $IFACE_INET -p tcp -d $NET_DMZ --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_INET -p tcp -d $NET_DMZ --dport 110 -j ACCEPT

# smtp forwarding
$IPTABLES -t nat -A PREROUTING -i $IFACE_INET -p tcp -d $IP_INET_MAIL --dport 25 -j DNAT --to 192.168.1.4:25
$IPTABLES -A INPUT -i $IFACE_INET -p tcp -d $NET_DMZ --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_INET -p tcp -d $NET_DMZ --dport 25 -j ACCEPT
What am I missing?
I have set LOG rules to watch for dropped packets and I used netstat on the mail server to check for incoming connections on these ports, but so far no luck ...
Ray

--
----------------------------------------------------------------------
Raymond Leach
Cell:+27-82-416-1410 Tel:+27-11-444-5006 Fax:+27-11-444-5007
eMail:raymondl@knowledgefactory.co.za
www:http://www.knowledgefactory.co.za
"No matter where you go, there you are ..."
----------------------------------------------------------------------
* Ray Leach wrote on Mon, Nov 12, 2001 at 11:12 +0200:
Help please !
Is anyone trying to do this, or am I the only one?
If you use non-RFC-1819 IPs in the DMZ, then it looks like a common setup. You could set up port forwarding on the firewall, i.e. with rinetd or a "firewall" portfw "rule" (I think SuSEfirewall has this capability built-in already).

oki,

Steffen

--
This letter was produced by machine and therefore bears neither signature nor seal.
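One way to write the port forwarding discussed in this thread with plain iptables, as an added example that is not from either poster. It relies on the fact that DNAT in PREROUTING happens before routing, so the forwarded packets are matched in FORWARD with the rewritten destination and never reach INPUT. `IFACE_DMZ`, the interface names, and the helpers `forward_service` and `forwarding_enabled` are assumptions; the addresses are the ones shown on the page.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: rules are printed.
# Set IPTABLES to the real binary to apply them (needs root).
IPTABLES="${IPTABLES:-echo iptables}"
IFACE_INET="${IFACE_INET:-eth0}"             # assumed Internet-facing interface
IFACE_DMZ="${IFACE_DMZ:-eth1}"               # assumed DMZ-facing interface (hypothetical name)
IP_INET_MAIL="${IP_INET_MAIL:-66.8.34.163}"  # public address from the diagram
IP_DMZ_MAIL="${IP_DMZ_MAIL:-192.168.1.4}"    # DNAT target from the posted rules

# forward_service PORT: rules for one DNAT-forwarded TCP service.
forward_service() {
    port="$1"
    # 1. Rewrite the destination before the routing decision.
    $IPTABLES -t nat -A PREROUTING -i "$IFACE_INET" -p tcp \
        -d "$IP_INET_MAIL" --dport "$port" -j DNAT --to "$IP_DMZ_MAIL:$port"
    # 2. The packet is now routed to the DMZ host, so it is filtered in
    #    FORWARD against the private address. No INPUT rule is involved.
    $IPTABLES -A FORWARD -i "$IFACE_INET" -o "$IFACE_DMZ" -p tcp \
        -d "$IP_DMZ_MAIL" --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # 3. Replies from the mail server; needed when the FORWARD policy is DROP.
    $IPTABLES -A FORWARD -i "$IFACE_DMZ" -o "$IFACE_INET" -p tcp \
        -s "$IP_DMZ_MAIL" --sport "$port" \
        -m state --state ESTABLISHED -j ACCEPT
}

# forwarding_enabled [FILE]: succeeds if the kernel routes between interfaces.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

forward_service 110   # pop3
forward_service 25    # smtp
forwarding_enabled || echo "ip_forward is off: DNATed packets are not routed" >&2
```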