RE: Setting up mail server behind iptables firewall
This is really getting frustrating - mainly because I don't really understand what I'm doing. Using a port scanner from an external webserver, it shows that ports 25, 80, and 10025 are all closed. What am I missing?

Here's the iptables dump from both my firewall and my internal server.
*** FIREWALL IPTABLES ***

> iptables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target          prot opt in   out  source           destination
    0     0 ACCEPT          all  --  lo   *    0.0.0.0/0        0.0.0.0/0
  903 84552 ACCEPT          all  --  eth0 *    192.168.69.0/24  0.0.0.0/0
    0     0 drop-and-log-it all  --  eth1 *    192.168.69.0/24  0.0.0.0/0
    0     0 ACCEPT          all  --  eth1 *    0.0.0.0/0        67.106.235.126   state RELATED,ESTABLISHED
    0     0 ACCEPT          tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:25
    6   644 drop-and-log-it all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target          prot opt in   out  source           destination
  619  290K ACCEPT          all  --  eth1 eth0 0.0.0.0/0        0.0.0.0/0        state RELATED,ESTABLISHED
  709 49179 ACCEPT          all  --  eth0 eth1 0.0.0.0/0        0.0.0.0/0
    0     0 ACCEPT          tcp  --  eth1 *    0.0.0.0/0        67.106.235.126   tcp dpt:25
    0     0 ACCEPT          tcp  --  eth1 *    0.0.0.0/0        67.106.235.126   tcp dpt:80
    0     0 ACCEPT          tcp  --  *    *    0.0.0.0/0        192.168.69.2     tcp dpt:25
    4   240 drop-and-log-it all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target          prot opt in   out  source           destination
    0     0 ACCEPT          all  --  *    lo   0.0.0.0/0        0.0.0.0/0
    0     0 ACCEPT          all  --  *    eth0 67.106.235.126   192.168.69.0/24
  900  154K ACCEPT          all  --  *    eth0 192.168.69.0/24  192.168.69.0/24
    0     0 drop-and-log-it all  --  *    eth1 0.0.0.0/0        192.168.69.0/24
    6   504 ACCEPT          all  --  *    eth1 67.106.235.126   0.0.0.0/0
    0     0 drop-and-log-it all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain drop-and-log-it (5 references)
 pkts bytes target          prot opt in   out  source           destination
   10   884 REJECT          all  --  *    *    0.0.0.0/0        0.0.0.0/0        reject-with icmp-port-unreachable

> iptables -n -v -t nat -L
Chain PREROUTING (policy ACCEPT 68 packets, 4258 bytes)
 pkts bytes target prot opt in   out  source     destination
    2   120 DNAT   tcp  --  eth1 *    0.0.0.0/0  67.106.235.126   tcp dpt:25 to:192.168.0.2:25
    1    60 DNAT   tcp  --  eth1 *    0.0.0.0/0  67.106.235.126   tcp dpt:80 to:192.168.0.2:80
    1    60 DNAT   tcp  --  *    *    0.0.0.0/0  67.106.235.126   tcp dpt:10025 to:192.168.0.2:25

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source     destination
   49  2666 SNAT   all  --  *    eth1 0.0.0.0/0  0.0.0.0/0        to:67.106.235.126

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source     destination
*** INTERNAL SERVER IPTABLES ***

> iptables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target          prot opt in   out  source          destination
13961 2377K ACCEPT          all  --  lo   *    0.0.0.0/0       0.0.0.0/0
 1998  255K ACCEPT          all  --  eth0 *    192.168.0.0/24  0.0.0.0/0
    0     0 drop-and-log-it all  --  eth1 *    192.168.0.0/24  0.0.0.0/0
 7474 2121K ACCEPT          all  --  eth1 *    0.0.0.0/0       192.168.69.2    state RELATED,ESTABLISHED
    0     0 ACCEPT          tcp  --  *    *    0.0.0.0/0       0.0.0.0/0       tcp dpt:25
    1    60 ACCEPT          tcp  --  *    *    0.0.0.0/0       0.0.0.0/0       tcp dpt:80
 2333  196K drop-and-log-it all  --  *    *    0.0.0.0/0       0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target          prot opt in   out  source          destination
    0     0 ACCEPT          all  --  eth1 eth0 0.0.0.0/0       0.0.0.0/0       state RELATED,ESTABLISHED
    0     0 ACCEPT          all  --  eth0 eth1 0.0.0.0/0       0.0.0.0/0
    0     0 drop-and-log-it all  --  *    *    0.0.0.0/0       0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target          prot opt in   out  source          destination
13961 2377K ACCEPT          all  --  *    lo   0.0.0.0/0       0.0.0.0/0
  116 11809 ACCEPT          all  --  *    eth0 192.168.69.2    192.168.0.0/24
 2318  709K ACCEPT          all  --  *    eth0 192.168.0.0/24  192.168.0.0/24
    0     0 drop-and-log-it all  --  *    eth1 0.0.0.0/0       192.168.0.0/24
10229  840K ACCEPT          all  --  *    eth1 192.168.69.2    0.0.0.0/0
    0     0 drop-and-log-it all  --  *    *    0.0.0.0/0       0.0.0.0/0

Chain drop-and-log-it (5 references)
 pkts bytes target          prot opt in   out  source          destination
 2333  196K REJECT          all  --  *    *    0.0.0.0/0       0.0.0.0/0       reject-with icmp-port-unreachable

> iptables -n -v -t nat -L
Chain PREROUTING (policy ACCEPT 2672 packets, 228K bytes)
 pkts bytes target prot opt in   out  source     destination

Chain POSTROUTING (policy ACCEPT 539 packets, 29015 bytes)
 pkts bytes target prot opt in   out  source     destination
  272 15327 SNAT   all  --  *    eth1 0.0.0.0/0  0.0.0.0/0   to:192.168.69.2

Chain OUTPUT (policy ACCEPT 811 packets, 44342 bytes)
 pkts bytes target prot opt in   out  source     destination
Thanx for your help,
Daniel
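As an added check, not part of Daniel's post or of any tool he mentions: a small Python script that cross-references the firewall's nat PREROUTING DNAT rules against its filter FORWARD chain the way the kernel evaluates them, i.e. FORWARD is matched after DNAT has already rewritten the destination address. The sample rules are the ones quoted above, re-joined one per line, and eth1 is assumed to be the external interface.

```python
import ipaddress
import re

# Constructed sample, not part of the post: the firewall's FORWARD and nat
# PREROUTING rules quoted above, each rule re-joined onto a single line.
FORWARD = """\
  619  290K ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  709 49179 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT tcp -- eth1 * 0.0.0.0/0 67.106.235.126 tcp dpt:25
    0     0 ACCEPT tcp -- eth1 * 0.0.0.0/0 67.106.235.126 tcp dpt:80
    0     0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.69.2 tcp dpt:25
"""
PREROUTING = """\
    2   120 DNAT tcp -- eth1 * 0.0.0.0/0 67.106.235.126 tcp dpt:25 to:192.168.0.2:25
    1    60 DNAT tcp -- eth1 * 0.0.0.0/0 67.106.235.126 tcp dpt:80 to:192.168.0.2:80
    1    60 DNAT tcp -- * * 0.0.0.0/0 67.106.235.126 tcp dpt:10025 to:192.168.0.2:25
"""

def parse_rules(text):
    """Split `iptables -n -v -L` rule lines into dicts; counters are dropped."""
    rules = []
    for f in map(str.split, text.splitlines()):
        if len(f) < 9:  # header or blank line, not a rule
            continue
        extra = " ".join(f[9:])
        dpt, to = re.search(r"dpt:(\d+)", extra), re.search(r"to:([\d.]+):(\d+)", extra)
        rules.append({"target": f[2], "proto": f[3], "in": f[5], "dst": f[8],
                      "dpt": int(dpt.group(1)) if dpt else None,
                      "to": (to.group(1), int(to.group(2))) if to else None,
                      "new_ok": "ESTABLISHED" not in extra})  # state-limited rules skip NEW
    return rules

def forward_allows(forward, in_if, ip, port):
    """True if a FORWARD ACCEPT rule matches a new tcp flow to ip:port after DNAT."""
    addr = ipaddress.ip_address(ip)
    return any(r["target"] == "ACCEPT" and r["new_ok"] and r["proto"] in ("all", "tcp")
               and r["in"] in ("*", in_if) and r["dpt"] in (None, port)
               and addr in ipaddress.ip_network(r["dst"], strict=False) for r in forward)

def audit(prerouting_text, forward_text, ext_if="eth1"):
    """List DNAT rules whose rewritten target the FORWARD chain would not accept."""
    forward = parse_rules(forward_text)
    problems = []
    for r in parse_rules(prerouting_text):
        if r["target"] == "DNAT" and r["to"]:
            ip, port = r["to"]
            if not forward_allows(forward, ext_if if r["in"] == "*" else r["in"], ip, port):
                problems.append(f"dpt:{r['dpt']} -> {ip}:{port} has no FORWARD ACCEPT")
    return problems
```

Run over the dump above, `audit()` reports all three DNAT targets (192.168.0.2) as having no FORWARD ACCEPT: the only FORWARD rule for a private address accepts 192.168.69.2, and the two rules for 67.106.235.126 are evaluated after that address has already been rewritten, which matches their zero packet counters.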