
RE: Setting up mail server behind iptables firewall



> > This is really getting frustrating - mainly because I don't really 
> > understand what I'm doing.  Using a port scanner from an external 
> > webserver, it shows that ports 25, 80, and 10025 are all closed.
> > 
> > What am I missing?
> > 
> > Here's the iptables dump from both my firewall and my internal server.
> > 
> > *** FIREWALL IPTABLES ***
> > 
> > > iptables -n -v -L
> 
> > Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> >  pkts bytes target     prot opt in     out     source               destination
> >     0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
> >     0     0 ACCEPT     all  --  *      eth0    67.106.235.126       192.168.69.0/24
> 
> I _think_ the above rule is not necessary and maybe not 
> valid.. This is your internet IP address, is it not?  I 
> believe your intent here is to ACCEPT and pass email and 
> http?  I _believe_ you need to change the source to 0.0.0.0/0 
> - well, really - probably replace this line altogether and 
> substitute lines with source 0.0.0.0/0 and dports 25 and 80.  
> The source for a packet would be wherever it originated, and 
> not your email address.
Those output lines (and basically everything else that isn't port
specific) are from the IP-Masquerade HOWTO.  I'm not saying they're right
or wrong - but that's where I got 'em from.  I believe the intent is to
explicitly state what traffic is or is not acceptable to create a
minimal firewall.  So the output lines say that anything can go out on
eth1, and only packets intended for the 192.168.69.0 DMZ go on eth0.

That part has been working fine - unless it's interfering with my port
forwarding?  I still don't understand all the relationships of the
different chains - for example, what's the difference between prerouting
and forward, and if I have prerouting and forward enabled do I need to
have input or output enabled?

> From what I can gather, eth0 is your internal machine and 
> eth1 is your outside connection..
Correct.
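The question in the message above about PREROUTING versus FORWARD, worked as an added example that is not part of this thread or of the IP-Masquerade HOWTO: the script below prints (rather than applies) a minimal rule set that forwards ports 25 and 80 from the outside interface to a host on the internal network, and a small helper reports which chains a packet traverses depending on where it came from and where it is going. Interface names eth0 (internal) and eth1 (outside) and the 192.168.69.0/24 network are taken from the thread; the internal mail host 192.168.69.10 is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Prints iptables commands so they can
# be reviewed before running; pipe the output to sh as root to apply them.
WAN_IF="${WAN_IF:-eth1}"                    # outside connection (from the thread)
LAN_IF="${LAN_IF:-eth0}"                    # internal network (from the thread)
DMZ_NET="${DMZ_NET:-192.168.69.0/24}"       # internal network (from the thread)
MAIL_HOST="${MAIL_HOST:-192.168.69.10}"     # constructed placeholder address

# Rules for one forwarded service: $1 = public port, $2 = internal host,
# $3 = internal port.
forward_rules() {
    pub=$1; host=$2; port=$3
    # nat/PREROUTING runs before the routing decision: rewrite the destination
    # so the kernel routes the packet to the internal host instead of itself.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $pub -j DNAT --to-destination $host:$port"
    # A DNATed packet that is routed onward traverses filter/FORWARD, never
    # INPUT or OUTPUT. Match on the post-DNAT destination, not the public one.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $host --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
}

# Complete minimal rule set: default DROP everywhere, loopback allowed,
# stateful return path for forwarded flows, one forward per published port,
# and masquerading for traffic the internal network originates.
build_ruleset() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # INPUT/OUTPUT only see traffic addressed to or generated by the firewall itself.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Replies from the internal host go back LAN -> WAN through FORWARD as well.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    forward_rules 25 "$MAIL_HOST" 25
    forward_rules 80 "$MAIL_HOST" 80
    echo "iptables -t nat -A POSTROUTING -s $DMZ_NET -o $WAN_IF -j MASQUERADE"
}

# Number of commands the rule set produces (handy for a sanity check).
count_rules() {
    build_ruleset | wc -l | tr -d ' '
}

# Chain path for a packet: "to_firewall" (destination is the firewall),
# "forwarded" (arrives on one interface, leaves on another),
# "from_firewall" (generated by a process on the firewall).
traversal() {
    case "$1" in
        to_firewall)   echo "PREROUTING -> INPUT" ;;
        forwarded)     echo "PREROUTING -> FORWARD -> POSTROUTING" ;;
        from_firewall) echo "OUTPUT -> POSTROUTING" ;;
        *)             echo "unknown" ; return 1 ;;
    esac
}

# Usage: sh this_script.sh | less    (review)   or   sh this_script.sh | sh   (apply as root)
build_ruleset
```

The point the helper makes is the answer to the question in the thread: an OUTPUT policy of DROP does not block forwarded mail or web traffic, because a packet that is DNATed in PREROUTING and routed to the internal host only passes through FORWARD and POSTROUTING; INPUT and OUTPUT matter for the firewall's own connections. After applying a set like this, `iptables -t nat -n -v -L PREROUTING` and `iptables -n -v -L FORWARD` should show the packet counters climbing when a connection is attempted from outside; counters that stay at zero on the DNAT rule mean the packet never reached the firewall on that interface.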


