Full Version: Firewall-->nat--->mail Server
Robert83
Hi,

Since my other mail server (bt.alstar.co.yu) was a success; it's been up for 2 weeks with no problems at all, not even one. I will create a mail server for capriolo.co.yu.

First the problems. I have a Linux firewall computer on my public IP address with the following iptables rules.

CODE
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-prefix iptables --log-level info
iptables -A drop-and-log-it -j DROP
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -s 0/0 -d 0/0 -j drop-and-log-it
iptables -A POSTROUTING -t nat -s 192.168.10.0/255.255.255.0 -o eth1 -j SNAT --to-source 217.26.69.17
iptables -A FORWARD -s 0/0 -d 0/0 -j drop-and-log-it


and my NAT server's iptables looks like this
CODE
iptables -A FORWARD -i eth0 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j DROP
iptables -A FORWARD -i eth0 -o eth2 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -j DROP
iptables -A FORWARD -i eth1 -o eth2 -j DROP
iptables -A FORWARD -i eth2 -o eth0 -j DROP
iptables -A FORWARD -i eth2 -o eth1 -j DROP
iptables -A INPUT -i eth2 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A PREROUTING -t nat -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 3228
iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
iptables -A POSTROUTING -t nat -s 192.168.1.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2
iptables -A POSTROUTING -t nat -s 192.168.2.0/255.255.255.0 -o eth3 -j SNAT --to-source 192.168.10.2


The problem is that my firewall is directly connected to my NAT server (and it cannot be reached any other way... only through the NAT server).

What do I need to modify in both iptables rule sets to forward the necessary ports for a mail server to 192.168.0.200?

(Why am I doing it like this? The central site is connected through wireless to the 3 companies, and the company that will get the mail server often sends 10 - 15 MB e-mails locally, so it's not suited for a wireless connection.)

Please help me out with this.

Sincerely
Robert B
hughesjr
On the outside firewall you need this as your first INPUT line, place the forward line just after the ...

Replace $EXTIP with your external IP address ... and I think from looking at your iptables commands that 192.168.10.2 is the outside interface of your NAT server...

iptables -A INPUT -i eth1 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d $EXTIP --dport 25 -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 25 -j DNAT --to 192.168.10.2:25


Then on your NAT server, do this ....
iptables -A INPUT -i eth3 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d 192.168.10.2 --dport 25 -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -d 192.168.10.2 --dport 25 -j DNAT --to 192.168.0.200:25


That should allow port 25 connections in from everywhere... if you need port 110 in (for POP3) AND/OR port 80 (or 443) in (for squirrelmail) AND/OR 143 in for IMAP, it would be the same ... i.e., for 110 and 25 it would be:

iptables -A INPUT -i eth1 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d $EXTIP --dport 25 -j ACCEPT

iptables -A INPUT -i eth1 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d $EXTIP --dport 110 -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 25 -j DNAT --to 192.168.10.2:25
iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 110 -j DNAT --to 192.168.10.2:110


and

iptables -A INPUT -i eth3 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d 192.168.10.2 --dport 25 -j ACCEPT

iptables -A INPUT -i eth3 -m state --state NEW,ESTABLISHED,RELATED -p tcp -s 0/0 -d 192.168.10.2 --dport 110 -j ACCEPT

iptables -A PREROUTING -t nat -p tcp -d 192.168.10.2 --dport 25 -j DNAT --to 192.168.0.200:25
iptables -A PREROUTING -t nat -p tcp -d 192.168.10.2 --dport 110 -j DNAT --to 192.168.0.200:110
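As an added example (not from hughesjr's post or anything else in the thread), here is a small POSIX shell script that generates the two-hop forwarding rules from a list of ports, so the commands can be reviewed before they are piped to sh on each box. It differs from the posted rules in two points: a DNATed packet is routed onward, so it traverses the FORWARD chain rather than INPUT and the accept belongs there; and because the firewall's FORWARD and INPUT chains both end in the drop-and-log rule, an appended (-A) accept would sit behind the drop and never match, so the accept is inserted at position 1 with -I. On the NAT server the FORWARD accept is only needed if its FORWARD policy is DROP; with a default of ACCEPT it is harmless. The interface roles, the public address 217.26.69.17 and the addresses 192.168.10.2 / 192.168.0.200 are taken from the rules in the thread; that 192.168.0.0/24 hangs off the NAT server's eth0 is an assumption, as are all variable and function names.

```shell
#!/bin/sh
# Added example, not part of the thread: print the iptables commands for
# forwarding mail ports through the outside firewall and the NAT server.
# Nothing is applied; review the output, then pipe it to sh on the right host.

EXTIP="217.26.69.17"       # firewall public address (from the SNAT rule in the thread)
FW_EXT_IF="eth1"           # firewall interface facing the Internet
FW_INT_IF="eth0"           # firewall interface facing the NAT server
NAT_HOP="192.168.10.2"     # NAT server address on the firewall side
NAT_EXT_IF="eth3"          # NAT server interface facing the firewall
NAT_INT_IF="eth0"          # NAT server interface facing 192.168.0.0/24 (assumed)
MAILSRV="192.168.0.200"    # mail server behind the NAT server

# Rules for the outside firewall, one TCP port per argument.
# PREROUTING/DNAT rewrites the destination before routing, so the packet is
# then forwarded (FORWARD chain), not delivered locally (INPUT chain).
# -I FORWARD 1 puts the accept ahead of the final drop-and-log rule.
# Only NEW needs an explicit accept; ESTABLISHED,RELATED is already allowed.
fw_rules() {
    for port in "$@"; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$FW_EXT_IF" "$EXTIP" "$port" "$NAT_HOP" "$port"
        printf 'iptables -I FORWARD 1 -i %s -o %s -p tcp -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$FW_EXT_IF" "$FW_INT_IF" "$NAT_HOP" "$port"
    done
}

# Rules for the NAT server: second DNAT hop towards the mail server.
# The FORWARD accept only matters if the FORWARD policy is DROP; the thread's
# rule set shows no catch-all, so it is included for safety.
nat_rules() {
    for port in "$@"; do
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$NAT_EXT_IF" "$NAT_HOP" "$port" "$MAILSRV" "$port"
        printf 'iptables -I FORWARD 1 -i %s -o %s -p tcp -d %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
            "$NAT_EXT_IF" "$NAT_INT_IF" "$MAILSRV" "$port"
    done
}

# Print both sections with a header so the output can be split per host.
print_all_rules() {
    echo '# --- run on the outside firewall ---'
    fw_rules "$@"
    echo '# --- run on the NAT server ---'
    nat_rules "$@"
}

# Usage: sh forward-mail.sh 25 110      (prints the rules for SMTP and POP3)
# Then, per host:  fw_rules 25 110 | sh   or   nat_rules 25 110 | sh
if [ $# -gt 0 ]; then
    print_all_rules "$@"
fi
```

Keeping the port list as arguments means adding IMAP (143) or webmail (443) later is one more argument rather than four hand-edited lines, and the generated text can be diffed against `iptables-save` output to confirm what actually landed in the tables.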
Robert83
Thank you very much :)

Sincerely
Robert B