Mail Server Behind IPTABLES

Matevz matevz at sloweb.net
Wed Sep 1 20:12:45 CEST 2004


On 1094056052, 2004-09-01 at 18:27, Alistair Tonner wrote:
> 	CC'ed the list for consistency.
> 
> 	See inline below
> 
> On September 1, 2004 12:02 pm, Matevz wrote:
> > On 1094050244, 2004-09-01 at 16:50, Alistair Tonner wrote:
> > > On August 31, 2004 09:01 pm, Ajen Diwakar wrote:
> > > > Hi All
> > > >
> > > > I am new to IPTABLES usage. I have linux(RH) 9.0.
> > > > The external IP address eth1 is 202.62.x.x
> > > > The internal ip address is 10.0.0.4
> > > >
> > > > My mail server IP address is 10.0.0.10
> > > >
> > > > How do I set up my iptables so that the mail to my record gets transferred
> > > > to the mail server.
> > > >
> > > > Any assistance will be appreciated.
> > >
> > > 	iptables -t nat -A PREROUTING -p TCP -i {internet device} -d 202.62.x.x \
> > > 	  --dport 25 -j DNAT --to-destination 10.0.0.10
> > >
> > > 	iptables -A FORWARD -p TCP -i {internet device} -d 10.0.0.10 --dport 25 \
> > > 	  -j ACCEPT
> > >
> > > 	(assuming FORWARD -P DROP )
> > >
> > >
> > > 	Alistair Tonner
> >
> > Hi,
> >
> > I have been using this for a while and I have a problem.
> > For connections from outside it works just fine, but if I want to access
> > it from my LAN it doesn't work.
> 
> 	Because your LAN clients attempt to connect to [public IP of mailserver], get 
> connected by a reroute through the firewall.  The mailserver sees the connection from 
> the [LANIP] of the client and replies *direct* to the [LANIP] client.  The client knows NOT 
> of the LANIP of the mailserver and does not consider the connection valid.
> 
> 	iptables -t nat -I PREROUTING -p TCP -i [LAN device] -d [PUBLIC IP mailserver] \
> 	  --dport 25 -j DNAT --to-destination 10.0.0.10
> 	iptables -A FORWARD -p TCP -i [LAN device] -d 10.0.0.10 -s [LAN SEGMENT] \
> 	  --dport 25 -j ACCEPT
> 	iptables -t nat -I POSTROUTING -p TCP -o [LAN device] -d 10.0.0.10 -s [LAN SEGMENT] \
> 	  --dport 25 -j SNAT --to-source 10.0.0.4
> 
> 	This makes the connection at the mailserver think your firewall is 
> connecting.  Weird, but NOW the replies from the mailserver go back through 
> the firewall, and the client will accept the connection as valid.
> 
> 	A slightly better way to do this is split DNS that tells the clients on the 
> LAN to use the LAN IP of the mailserver.  -- a different topic.
> 
> 	Possibly you want to do the same for port 110 from inside the LAN?
> 
> 
> >
> > I have also tried without -i.
> >
> > And I also tried this by adding one new rule, so it was like -i [eth
> > which is connected to LAN]
> >
> > In all cases sharing of the internet connection stops working.
> 
> 	iptables -P FORWARD DROP
> 	
> 	iptables -A FORWARD -s [LAN_SEGMENT] -i [LAN_DEVICE] -d 0.0.0.0/0 -j ACCEPT
> 	iptables -A FORWARD -d [LAN_SEGMENT] -m state --state RELATED,ESTABLISHED \
> 	  -j ACCEPT
> 
> 	
> 	iptables -t nat -A POSTROUTING -o [INTERNET_DEVICE] -j MASQUERADE
> 	or
> 	iptables -t nat -A POSTROUTING -o [INTERNET_DEVICE] -j SNAT --to-source [internet address]
> 
> 
> 	keep in mind that you might want to review the ORDER in which the rules 
> load .... it can be critical as to what gets processed when
> 
> iptables -Lnvx 
> iptables -Lnvx -t nat
> iptables -Lnvx -t mangle
> 
> 
> 
> 	Alistair Tonner

Thank you for the answer, but I think I will give up on this.

iptables -I POSTROUTING -p tcp -i eth0 -d 192.168.2.1 --dport 25 -j SNAT
-to 192.168.2.2

then I get this:

Bad argument `192.168.2.2'



-- 
Best regards,
Matevz
matevz at sloweb.net
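Added example, not part of the thread: a POSIX shell script that generates (and, with DRY_RUN=0 as root, applies) the hairpin rule set discussed above with the option spellings iptables accepts (`-t nat`, `--to-destination`, `--to-source`, and `-o` rather than `-i` in POSTROUTING; the `-to` shorthand is read as `-t o`, which is why the address is reported as a bad argument). Device names and addresses are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Hairpin (LAN-side) port forward for a mail server behind an iptables NAT
# router, generated from variables so the rules can be reviewed before they
# are loaded. Addresses and device names are constructed placeholders.
WAN_IF=${WAN_IF:-eth1}                 # internet-facing device
LAN_IF=${LAN_IF:-eth0}                 # LAN-facing device
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}   # public address the MX record points at
LAN_GW=${LAN_GW:-10.0.0.4}             # router's own LAN address
MAIL_IP=${MAIL_IP:-10.0.0.10}          # mail server's LAN address
LAN_NET=${LAN_NET:-10.0.0.0/24}        # LAN segment
DRY_RUN=${DRY_RUN:-1}                  # 1 = print only; 0 = apply (needs root)

# ipt: print each rule exactly as it would be run, and run it unless DRY_RUN=1.
ipt() {
    echo "iptables $*"
    [ "$DRY_RUN" = 1 ] || iptables "$@"
}

# hairpin_rules PORT: the complete rule set for one forwarded TCP port.
hairpin_rules() {
    port=$1
    # 1. Internet -> mail server: DNAT the public address on the WAN device.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUBLIC_IP" --dport "$port" \
        -j DNAT --to-destination "$MAIL_IP"
    # 2. LAN client -> public address: same DNAT, arriving on the LAN device.
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp -d "$PUBLIC_IP" --dport "$port" \
        -j DNAT --to-destination "$MAIL_IP"
    # 3. Hairpin SNAT so replies return via the router, not straight to the
    #    client. POSTROUTING cannot match -i; match the outgoing device and
    #    the source segment instead.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$MAIL_IP" -p tcp \
        --dport "$port" -j SNAT --to-source "$LAN_GW"
    # 4. FORWARD policy is DROP: open only this port towards the mail server;
    #    return traffic is covered by reply_rule below.
    ipt -A FORWARD -p tcp -d "$MAIL_IP" --dport "$port" -j ACCEPT
}

# reply_rule: one stateful rule for all return traffic; load it once, before
# the per-port rules, so rule order does not matter for replies.
reply_rule() {
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# rule_count PORT: number of rules hairpin_rules emits (dry-run self-check).
rule_count() { hairpin_rules "$1" | grep -c '^iptables '; }

reply_rule
hairpin_rules 25      # SMTP
hairpin_rules 110     # POP3, as suggested in the thread
```

Run it once as is to review the generated rules, then with DRY_RUN=0 to load them; `iptables -Lnvx -t nat` afterwards shows the DNAT and SNAT entries with their packet counters.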




More information about the netfilter mailing list