
RE: Setting up mail server behind iptables firewall



On Thu, 2003-08-14 at 12:34, Daniel L. Miller wrote:
> > > This is really getting frustrating - mainly because I don't really 
> > > understand what I'm doing.  Using a port scanner from an external 
> > > webserver, it shows that ports 25, 80, and 10025 are all closed.
> > > 
> > > What am I missing?
> > > 
> > > Here's the iptables dump from both my firewall and my internal server.
> > > 
> > > *** FIREWALL IPTABLES ***
> > > 
> > > > iptables -n -v -L
> > 
> > > Chain OUTPUT (policy DROP 0 packets, 0 bytes)
> > >  pkts bytes target     prot opt in     out     source               destination
> > >     0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
> > >     0     0 ACCEPT     all  --  *      eth0    67.106.235.126       192.168.69.0/24
> > 
> > I _think_ the above rule is not necessary and maybe not 
> > valid.. This is your internet IP address, is it not?  I 
> > believe your intent here is to ACCEPT and pass email and 
> > http?  I _believe_ you need to change the source to 0.0.0.0/0 
> > - well, really - probably replace this line altogether and 
> > substitute lines with source 0.0.0.0/0 and dports 25 and 80.  
> > The source for a packet would be wherever it originated, and 
> > not your email address.
> Those output lines (and basically everything else that isn't port
> specific) are from the IP-Masquerade HOWTO.  I'm not saying they're right
> or wrong - but that's where I got 'em from.  I believe the intent is to
> explicitly state what traffic is or is not acceptable to create a
> minimal firewall.  So the output lines say that anything can go out on
> eth1, and only packets intended for the 192.168.69.0 DMZ go on eth0.
> 
> That part has been working fine - unless it's interfering with my port
> forwarding?  I still don't understand all the relationships of the
> different chains - for example, what's the difference between prerouting
> and forward, and if I have prerouting and forward enabled do I need to
> have input or output enabled?
> 
> > From what I can gather, eth0 is your internal machine and eth1 is your
> > outside connection..
> Correct.

I just read this posting and it's a bit unclear as to what you're trying to do. From the subject I assume you're
running a mail server behind a firewall using a non-routable class C. If this is the case then here is a sample
of what iptables would look like...

	# Fill in for your own layout: $IFACE is the outside (internet) interface and
	# $TRUSTED_IFACE the inside one (eth1 and eth0 respectively in the original
	# poster's setup). Forwarding also needs the kernel switched on:
	#   sysctl -w net.ipv4.ip_forward=1

	# This will forward any request for port 25 (mail) to 10.0.0.5:25 (internal node).
	# DNAT runs before the routing decision, so the packet is then routed and checked
	# in FORWARD (not INPUT) with its destination already rewritten.
	iptables -t nat -A PREROUTING  -p tcp -i $IFACE --dport 25 -j DNAT --to-destination 10.0.0.5:25

	# Force responses on the LAN back through the firewall (10.0.0.1 being the firewall's
	# LAN address). Only needed when 10.0.0.5's default route is not this firewall; note
	# that it also hides the real client address from the mail server's logs.
	iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.5 --dport 25 -j SNAT --to-source 10.0.0.1

	# We allow new SMTP connections to be made while also tracking existing ones...
	iptables -A FORWARD -p tcp -d 10.0.0.5 --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

	# Only allow connections we initiated to be forwarded into the private LAN
	iptables -A FORWARD -i $IFACE -o $TRUSTED_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Anything is allowed out from the LAN to the WAN
	iptables -A FORWARD -i $TRUSTED_IFACE -o $IFACE -j ACCEPT

Of course you would adjust to a class address scheme and fill in the variables with your own data (TRUSTED_IFACE, IFACE).
This will forward all requests on port 25 into the internal node you specify as the mail server and of course allow outbound
connections as well.

-- 
gaumer <gaumerel@titan.ecs.fullerton.edu>
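The ruleset sketched in the reply above, written out in full as an added example that is not code from the original post or its author: default-deny policies, the INPUT/OUTPUT rules the firewall itself needs, and the DNAT plus FORWARD rules for each forwarded port, ordered so that the relationship between nat/PREROUTING and filter/FORWARD is visible. The function name gen_rules, the interface names, the LAN network and the internal host 192.168.69.10 are assumptions; it also assumes the LAN host's default gateway is the firewall, so no inbound SNAT is needed. It prints the iptables commands rather than running them, so the result can be read before it is applied.

```shell
#!/bin/sh
# Added example, not code from the thread: emit a complete, default-deny
# iptables ruleset that forwards chosen TCP ports from the outside interface
# to hosts on the LAN. It prints the commands instead of running them, so the
# result can be reviewed first (pipe it to sh on the firewall to apply).
#
# Assumed parameters (none of these appear in the thread as given):
#   gen_rules WAN_IF LAN_IF LAN_NET PORT:LAN_HOST [PORT:LAN_HOST ...]
gen_rules() {
    wan=$1; lan=$2; lan_net=$3; shift 3

    # Without this the kernel never routes between interfaces and the
    # FORWARD chain is never consulted, whatever rules it holds.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # Start from a clean, default-deny state in both the filter and nat tables.
    echo "iptables -F; iptables -t nat -F; iptables -X"
    echo "iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT DROP"

    # Packets to or from the firewall itself traverse INPUT/OUTPUT only, never
    # FORWARD. Allow loopback, replies to what the firewall started, and let the
    # firewall originate its own connections (DNS, updates).
    echo "iptables -A INPUT  -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"

    # Routed packets (LAN <-> WAN, including DNAT'd ones) traverse FORWARD only.
    # Replies to any tracked connection may pass in either direction.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The LAN may open anything outbound; hide it behind the WAN address.
    echo "iptables -A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE"

    for fwd in "$@"; do
        port=${fwd%%:*}; host=${fwd#*:}
        # nat/PREROUTING runs before the routing decision: rewriting the
        # destination here is what turns "deliver locally" (INPUT) into
        # "route to the LAN" (FORWARD) for this port.
        echo "iptables -t nat -A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $host:$port"
        # FORWARD sees the post-DNAT address, so match on the LAN host, and
        # accept only NEW connections arriving from the WAN for that one port.
        echo "iptables -A FORWARD -i $wan -o $lan -p tcp -d $host --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Checks to run on the firewall once the rules are loaded, when an outside
# scan still reports the port closed:
#   iptables -t nat -L PREROUTING -n -v   # pkts on the DNAT line must rise during the scan
#   iptables -L FORWARD -n -v             # and on the matching FORWARD ACCEPT line
# No hits in PREROUTING: the packets never reach this box (wrong interface, upstream filter).
# Hits in PREROUTING but none in FORWARD: ip_forward is off or an earlier FORWARD rule drops them.
# Hits in both but no answer: the LAN host is not listening, or its default
# route does not point back at the firewall.

# Dry run for the original poster's layout (eth1 outside, eth0 inside) with
# SMTP and HTTP sent to an assumed internal host 192.168.69.10:
#   sh this_script.sh print
if [ "${1-}" = "print" ]; then
    gen_rules eth1 eth0 192.168.69.0/24 25:192.168.69.10 80:192.168.69.10
fi
```

Two points worth keeping in mind when adapting it: a forwarded (DNAT'd) packet never passes through the firewall's INPUT or OUTPUT chains, only PREROUTING, FORWARD and POSTROUTING, so a DROP policy on OUTPUT like the one in the quoted dump cannot be what blocks the forwarded ports, though it will block the firewall's own DNS lookups unless OUTPUT is opened as above; and on current iptables `-m conntrack --ctstate` is the preferred spelling of `-m state --state`, matching the same connection-tracking states.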