Re: port forward to MS Exchange IMAP
> Maybe, I'm missing something but shouldn't you also mark (-m 1) packets
> without the SYN flag set, else only connection initiation will be
> forwarded inside. E.g.:
> ipchains -A input -p tcp -d 208.145.27.210/32 143 -m 1
No, mfw sets up forwarding based on initial connections. I do tunnel imap;
these are segments of the code I use to set it up. I read the HOWTOs
carefully and picked up the ip_masq modules:
depmod -a
modprobe ip_masq_ftp
# Initialise chains and forwarding
ipchains -F input
ipchains -F forward
ipchains -P forward DENY
ipchains -F output
ipmasqadm autofw -F
ipmasqadm portfw -f
ipmasqadm mfw -F
# Enable Anti-Spoof protection - sets source route verification
for f in all default eth0 lo
do
echo 1 > /proc/sys/net/ipv4/conf/$f/rp_filter
done
# Disable on internal interfaces, as we can have asymmetric routing
for f in eth1 eth2
do
echo 0 > /proc/sys/net/ipv4/conf/$f/rp_filter
done
#
# MASQ timeouts
#
# 2 hrs timeout for TCP sessions
# 10 sec timeout for traffic after the TCP/IP "FIN" packet is received
# 160 sec timeout for UDP traffic (Important for MASQ'ed ICQ users)
ipchains -M -S 7200 10 160
# Forward wye's Perimeter net imap2 port onto phoenix in server net
phoenix=10.243.1.10
phoenix_host=${phoenix}/32
wye_180=
wye_180_host=${wye_180}/32
# Redirect imap to phoenix's imap2 port
# (note: $perimeter_net must be defined earlier in the script)
ipchains -A forward -p tcp -s $phoenix_host imap2 -d ! $perimeter_net -j MASQ
# -y matches only SYN (connection-initiation) packets; -m 143 marks them
ipchains -A input -p tcp -y -d $wye_180_host imap2 -m 143
# mfw redirects connections carrying mark 143 to phoenix's imap2 port
ipmasqadm mfw -A -m 143 -r $phoenix imap2
Perhaps something there was missing in the original questioner's script.
Sure, if he checks over it, there'll be a mistake; usually I screwed up the
ports and the mark numbers. Other possibilities are the rule chains, hosts
and masks, and loading the modules.
Rob
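The post's own diagnosis is that mfw setups usually break on mismatched mark numbers or ports between the `ipchains -A input ... -m N` marking rule and the `ipmasqadm mfw -A -m N` redirect. The following is an added checker (not Rob's code and not part of the original thread) that parses those two rule types out of a script and reports marks with no partner, marks where the matched port and the redirect port differ, and marking rules that lack `-y` (the reply's point being that mfw only needs the initial SYN). The sample script is constructed for the example, with mark and port errors planted deliberately, and the names `parse_rules` and `check_mfw_rules` are this example's own.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the rules quoted in the post but not the
# poster's real script. The pop3 pair has mismatched marks (110 vs 101) and
# the smtp pair redirects to a different port than it matches on.
SAMPLE_SCRIPT = """
phoenix=10.243.1.10
ipchains -A input -p tcp -y -d 192.0.2.180/32 imap2 -m 143
ipmasqadm mfw -A -m 143 -r $phoenix imap2
ipchains -A input -p tcp -y -d 192.0.2.180/32 pop3 -m 110
ipmasqadm mfw -A -m 101 -r $phoenix pop3
ipchains -A input -p tcp -y -d 192.0.2.180/32 smtp -m 25
ipmasqadm mfw -A -m 25 -r $phoenix 2525
"""


@dataclass
class MarkRule:
    mark: str
    port: Optional[str]  # destination port on the -d match, if any
    syn_only: bool       # True when the rule carries -y (SYN packets only)
    line: str


@dataclass
class MfwRule:
    mark: str
    host: str
    port: str
    line: str


def _opt(argv, flag):
    """Return the argument following `flag`, or None if absent."""
    if flag in argv and argv.index(flag) + 1 < len(argv):
        return argv[argv.index(flag) + 1]
    return None


def parse_rules(script):
    """Extract marking input rules and mfw redirects from a script."""
    marks, mfws = [], []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if argv[:3] == ["ipchains", "-A", "input"] and "-m" in argv:
            port = None
            if "-d" in argv:
                i = argv.index("-d") + 1
                if argv[i] == "!":          # ipchains negation: -d ! addr
                    i += 1
                if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
                    port = argv[i + 1]      # optional port after the address
            marks.append(MarkRule(_opt(argv, "-m"), port, "-y" in argv, line))
        elif argv[:2] == ["ipmasqadm", "mfw"] and "-A" in argv and "-r" in argv:
            i = argv.index("-r")
            mfws.append(MfwRule(_opt(argv, "-m"), argv[i + 1], argv[i + 2], line))
    return marks, mfws


def check_mfw_rules(script):
    """Cross-check marks and ports between marking rules and mfw redirects."""
    marks, mfws = parse_rules(script)
    marked = {m.mark for m in marks}
    targeted = {f.mark for f in mfws}
    findings = {
        "mfw_without_mark": sorted(targeted - marked),   # nothing ever gets this mark
        "mark_without_mfw": sorted(marked - targeted),   # marked but never redirected
        "port_mismatch": [],                             # (mark, matched port, redirect port)
        "not_syn_only": [m.mark for m in marks if not m.syn_only],
    }
    for f in mfws:
        for m in marks:
            if m.mark == f.mark and m.port and m.port != f.port:
                findings["port_mismatch"].append((f.mark, m.port, f.port))
    return findings


if __name__ == "__main__":
    for kind, items in check_mfw_rules(SAMPLE_SCRIPT).items():
        print(f"{kind}: {items}")
```

A port mismatch is not necessarily an error, since mfw may legitimately redirect to a different port on the inside host, but it is exactly the kind of slip the post describes, so the checker reports it separately rather than treating it as a hard failure.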