Firewall-->nat--->mail Server, question, how to do this...
Robert83
post Jun 15 2004, 08:44 AM
Post #1


Its GNU/Linuxhelp.net
*******

Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069



Hi,

Since my other mail server (bt.alstar.co.yu) was a success, it's been up for 2 weeks and no problems at all, not even one. I will create a mail server for capriolo.co.yu.

First the problems: I have a Linux firewall computer on my public IP address with the following iptables rules.

CODE
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A POSTROUTING -t nat -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source 217.26.69.17
iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it


and my NAT server's iptables looks like this
CODE
iptables -A FORWARD -i eth0 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j DROP
iptables -A FORWARD -i eth0 -o eth2 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -j DROP
iptables -A FORWARD -i eth1 -o eth2 -j DROP
iptables -A FORWARD -i eth2 -o eth0 -j DROP
iptables -A FORWARD -i eth2 -o eth1 -j DROP
iptables -A INPUT -i eth2 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
iptables -A POSTROUTING -t nat -s 192.168.1.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
iptables -A POSTROUTING -t nat -s 192.168.2.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2


The problem is that my firewall is directly connected to my NAT server (and it cannot be reached any other way, only through the NAT server).

What do I need to modify in both iptables rule sets to forward the necessary ports for a mail server to 192.168.0.200?

(Why am I doing it like this? The central is connected through wireless to the 3 companies, and the company that will get the mail server often sends 10-15 MB e-mails locally, so it's not suited for a wireless connection.)

Please help me out with this.

Sincerely
Robert B


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
hughesjr
post Jun 15 2004, 01:37 PM
Post #2


Its GNU/Linuxhelp.net
*******

Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Chrsiti, TX, USA
Member No.: 1,151



On the outside firewall you need this as your first INPUT line; place the forward line just after the ...

Replace $EXTIP with your external IP address ... and I think from looking at your iptables commands that 192.168.10.2 is the outside interface of your NAT server...

iptables -A INPUT -i eth1 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d $EXTIP --dport 25 -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 25 -j DNAT --to 192.168.10.2:25


Then on your NAT server, do this ....
iptables -A INPUT -i eth3 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d 192.168.10.2 --dport 25 -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -d 192.168.10.2 --dport 25 -j DNAT --to 192.168.0.200:25


That should allow port 25 connections in from everywhere.... if you need port 110 in (for POP3) AND/OR port 80 (or 443) in (for squirrelmail) AND/OR 143 in for IMAP, it would be the same ... i.e., for 110 and 25 it would be:

iptables -A INPUT -i eth1 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d $EXTIP --dport 25 -j ACCEPT

iptables -A INPUT -i eth1 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d $EXTIP --dport 110 -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 25 -j DNAT --to 192.168.10.2:25
iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 110 -j DNAT --to 192.168.10.2:110


and

iptables -A INPUT -i eth3 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d 192.168.10.2 --dport 25 -j ACCEPT

iptables -A INPUT -i eth3 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d 192.168.10.2 --dport 110 -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -d 192.168.10.2 --dport 25 -j DNAT --to 192.168.0.200:25
iptables -A PREROUTING -t nat -p tcp -d 192.168.10.2 --dport 110 -j DNAT --to 192.168.0.200:110


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
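As an added example (not from either poster), the script below prints the rules for both NAT hops from the question, for all the mail ports the reply above lists, so they can be reviewed before being applied. It differs from the reply in one respect: a DNATed packet is routed, not delivered locally, so it never traverses INPUT; what both rule sets in the question are missing is a FORWARD accept for the rewritten destination, and the script emits that instead. The interface layout (eth1/eth0 on the firewall, eth3/eth0 on the NAT server) is an assumption read off the SNAT rules in the question.

```shell
#!/bin/sh
# Added example, not from the thread: print the rules that forward the mail
# ports through both NAT hops, one block per host, for review before use.
#
# Assumed layout, read off the rule sets in the question:
#   outside firewall: eth1 = public side (217.26.69.17, its SNAT address),
#                     eth0 = link towards the NAT server at 192.168.10.2
#   NAT server:       eth3 = uplink to the firewall (its SNAT interface),
#                     eth0 = company LAN holding the mail host 192.168.0.200
# Only the SNAT rules identify eth1 and eth3 as uplinks; the rest is assumed.

EXTIP=217.26.69.17           # public address of the outside firewall
MAIL_PORTS="25 110 143"      # SMTP, POP3, IMAP; add 80 or 443 here for webmail

# hop_rules EXT_IF INT_IF PUBLIC_ADDR TARGET_ADDR PORT...
# For one hop: rewrite the destination in nat/PREROUTING, then let exactly
# that host and port through FORWARD.  The firewall's FORWARD chain only
# passes ESTABLISHED,RELATED from eth1 to eth0 before its catch-all
# drop-and-log-it rule, and the NAT server has no eth3 -> eth0 accept at
# all, so without this rule the first packet of the DNATed connection dies.
hop_rules() {
    ext_if=$1; int_if=$2; pub=$3; tgt=$4
    shift 4
    for port in "$@"; do
        echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp -d $pub --dport $port -j DNAT --to-destination $tgt:$port"
        # -I ... 1 places the rule ahead of the appended catch-all drop rule
        echo "iptables -I FORWARD 1 -i $ext_if -o $int_if -p tcp -d $tgt --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    done
}

# rule_count EXT_IF INT_IF PUBLIC_ADDR TARGET_ADDR PORT... : rules emitted
rule_count() {
    hop_rules "$@" | grep -c '^iptables '
}

echo "# --- outside firewall (217.26.69.17) ---"
hop_rules eth1 eth0 "$EXTIP" 192.168.10.2 $MAIL_PORTS
echo "# --- NAT server (192.168.10.2) ---"
hop_rules eth3 eth0 192.168.10.2 192.168.0.200 $MAIL_PORTS
```

Replies need no extra rules: conntrack reverses the DNAT for them, and the nat table is only consulted for the first packet of a connection, so the existing SNAT rules do not rewrite them.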
Robert83
post Jun 15 2004, 01:59 PM
Post #3


Its GNU/Linuxhelp.net
*******

Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069



Thank you very much :)

Sincerely
Robert B

