
Re: iptables & incoming smtp



On Sat, 2003-03-29 at 17:28, Dan Fleischer wrote:
> I'm having trouble with our web/email server receiving SMTP port 25
> traffic when it's behind an iptables firewall.
> 
> We are currently using a Sonicwall 3-nic firewall that I want to replace
> with iptables so that I can start to use FreeS/WAN.  Currently, the 3
> nic's have the following addresses:
> WAN port: 63.252.12.11
> LAN port: 192.168.1.1
> DMZ port: NAT not enabled, but forwards packets to web/email server
> (running Ipswitch's IMail 7.15) with address of 63.252.12.39
> 
> Currently our ISP is scanning our email for viruses and spam, and they
> send all our mail from a server with address 63.252.12.229.
> 
> I set up a 3-nic iptables box on RH7.3 kernel 2.4.18-27.7.x with the
> following addresses:
> WAN port: 63.252.12.39
> LAN port: 192.168.1.1
> DMZ port: 192.168.200.1
> 
> I DNAT incoming ports 25, 80, & 110 to the web/email server with an IP
> address of 192.168.200.2
> 

Dan,

The DNAT line is going to change the "source" and "destination" IP
addresses when each packet comes through the firewall. This happens
*before* the packet is injected into the "INPUT" "FORWARD" and "OUTPUT"
default chains.

The key here is that now the packet is to be "FORWARDED" from the
"firewall" to the "web/email" server. You must set an implicit "FORWARD"
rule for these packets.

Something like the following should work:

IPTABLES="/sbin/iptables"

WAN_IF="eth0"
LAN_IF="eth1"
DMZ_IF="eth2"

WAN_IP="63.252.12.39"
LAN_IP="192.168.1.1"
DMZ_IP="192.168.200.1"
MAIL="192.168.200.2"   # the web/email server sitting in the DMZ

# DNAT lives in the nat table's PREROUTING chain, and --dport needs -p tcp
$IPTABLES -t nat -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport 25  -j DNAT --to $MAIL # SMTP
$IPTABLES -t nat -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport 110 -j DNAT --to $MAIL # POP3
$IPTABLES -t nat -A PREROUTING -i $WAN_IF -p tcp -d $WAN_IP --dport 143 -j DNAT --to $MAIL # IMAP

# after DNAT the packets hit FORWARD with the DMZ address as destination
$IPTABLES -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $MAIL --dport 25  -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $MAIL --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp -d $MAIL --dport 143 -j ACCEPT

# if your FORWARD policy is DROP, the replies from the DMZ need a way back out too
$IPTABLES -A FORWARD -i $DMZ_IF -o $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT


I hope that helps... if you need any more help, contact me off-list.

-- 
Travis
St. Charles LUG
http://www.sluug.org/~stclug/

Indifference:
It Takes 43 muscles to Frown and 17 to Smile, But It Doesn't Take Any To
Just Sit There With A Dumb Look On Your Face. 

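As an added check, not part of Travis's reply or the original thread: a small Python script that reads iptables-save style output and reports every DNAT rule in the nat table that has no matching FORWARD ACCEPT rule in the filter table, which is exactly the gap described above. The rule text below is constructed for the example and is not output from anyone's real firewall.

```python
import re

# Constructed iptables-save style dump: three DNATs, but only two FORWARD accepts.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -d 63.252.12.39/32 -p tcp --dport 25 -j DNAT --to-destination 192.168.200.2
-A PREROUTING -i eth0 -d 63.252.12.39/32 -p tcp --dport 110 -j DNAT --to-destination 192.168.200.2
-A PREROUTING -i eth0 -d 63.252.12.39/32 -p tcp --dport 143 -j DNAT --to-destination 192.168.200.2
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth2 -p tcp -d 192.168.200.2/32 --dport 25 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -d 192.168.200.2/32 --dport 110 -j ACCEPT
COMMIT
"""

def parse_tables(text):
    """Group '-A ...' rule lines by the '*table' header they appear under."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A ") and current:
            tables[current].append(line)
    return tables

def _opt(rule, flag):
    """Value following a whitespace-delimited option flag, or None if absent."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", rule)
    return m.group(1) if m else None

def _ip(value):
    return value.split("/")[0] if value else None   # drop a /32 style mask

def _covers(accept, proto, tip, tport):
    """An ACCEPT covers the DNAT if -d matches and any -p/--dport it states agree."""
    return (_ip(_opt(accept, "-d")) == tip
            and _opt(accept, "-p") in (None, proto)
            and _opt(accept, "--dport") in (None, tport))

def missing_forward_rules(text):
    """Return (proto, target_ip, target_port) for each DNAT lacking a FORWARD ACCEPT."""
    tables = parse_tables(text)
    dnats = [r for r in tables.get("nat", []) if "-j DNAT" in r]
    accepts = [r for r in tables.get("filter", [])
               if r.startswith("-A FORWARD") and "-j ACCEPT" in r]
    missing = []
    for r in dnats:
        proto, port = _opt(r, "-p"), _opt(r, "--dport")
        target = _opt(r, "--to-destination") or _opt(r, "--to") or ""
        tip, tport = (target.split(":") + [port])[:2]   # --to may carry host:port
        if not any(_covers(a, proto, tip, tport) for a in accepts):
            missing.append((proto, tip, tport))
    return missing
```

Run it against `iptables-save` output from the box in question; an empty list means every DNAT'd port is also accepted in FORWARD.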