Re: email ports forwarding w/ existing local email server.
> > It is unclear to me what you are trying to accomplish. Do you want
> > hosts on the internal network to be able to connect to SMTP servers
> > on the Internet?
> Right. - the hosts in the local net already use the local email
> service. Now they want to use their email boxes hosted on other
> email services - in the Internet. My goal is to save their ability to
> use the local email service and let them use the Internet services as
In the usual setup, when clients access the Internet through a masquerading
firewall, the protocols POP, IMAP and SMTP all work. Also many people use
webmail which depends on HTTP only. If you want to allow clients to access
Internet mail services, all you have to do is to configure masquerading and
to allow the corresponding ports. (Don't forget about port 587 for mail
> > In your case it might make sense to configure the existing mailserver
> > as relay and to configure clients to use the relay.
> I am not experienced with this, - even if it possible to relay for
> inner boxes and the outer ones - is it not easier to simply forward the
> ports directly to the Internet services by iptables?
I recommended setting up a mail relay because I thought you were setting up
mail for an organization and you already had a mailserver running.
> > > Here is how I try to accomplish this:
> > >
> > > /sbin/iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -p tcp -m
> > > multiport --dports 25,110 -j ACCEPT
> > >
> > > /sbin/iptables -t nat -A PREROUTING -s
> > > 192.168.0.0/24 -p tcp --dport 25000 -j DNAT --to-destination
> > > ______:25
> > >
> > > /sbin/iptables -t nat -A POSTROUTING -i eth1 -s
> > > 192.168.0.0/24 -j SNAT --to-source=126.96.36.199
> > >
> > > My questions are:
> > >
> > > 1. Is it all correct/safe in any way, or needs additional
> > > correction?
> > In the first rule you would have to use the INPUT chain instead of the
> > FORWARD chain if you want it to apply to connections to the local
> > service.
> > > 2. _______ - what should I use here in case I do not want to limit
> > > the access to a single email server?
> > The second line does not work because DNAT is supposed to change the
> > destination address.
> > The last line could possibly work but since I don't understand what
> > you are trying to do, I am unable to tell whether it works for you.
> OK. AFAIK, I can solve my problem in two ways: by NAT and by direct
> forward (though I do not know what will work either).
I do not know what you mean by "direct forward".
> The NAT solution I have figured out already - You say I need to specify
> the destination address - from which I understand I need t ospecify all
> the ips they will use - but I think it will be hard to do - for, for
> example, google has multiple ips for that - to write them all will be a
> hard task.
This is an infeasible task. You do not know all the mail relays on the
Internet, nor does anybody else. While I'm not clear on what you actually
want, I know it is not DNAT.
> Another way - as I see it - is simply to forward the requests for 25 or
> 110 ports - that are not intended for my locale mail service
> (192.168.0.1) - same as gateway and firewall too:
> /sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 25 -d
> ! 192.168.0.1 -j ACCEPT
> - is this OK?
No, because internal addresses (your 192.168) are not routable on the Internet.
You must NAT the source addresses, in iptables this easiest done with the
MASQUERADE target. There is a lot of documentation on this topic, so I won't
repeat it here.
Also, regarding your line above, packets addressed to the host itself do not pass
through the FORWARD chain, but through the INPUT chain only. So in FORWARD you
don't have to make an exception for packets to the host itself. This is a common