Re: iptables forwarding to inside firewall
On Mon, 31 Mar 2003 10:24:15 +1000 Paul Hampson <[EMAIL PROTECTED]> wrote:
> On Sun, Mar 30, 2003 at 05:23:10PM -0500, Robert Brockway wrote:
> > On Fri, 28 Mar 2003, Hanasaki JiJi wrote:
[snip]
> > If you have more than 1 static address, an MTA running in a DMZ is
> > definitely better. This way you could still have your internal MTA
> > being port forwarded but restrict access through the firewall by
> > source address, such that only your MTA in the DMZ can access the
> > port redirect. If you can restrict access by way of network
> > interface on the firewall[1] then you're much much better off again
> > as this protects against a spoof.
>
> I don't quite follow this... Surely if one can break into the
> port-forwarded MTA, one can break into DMZ's MTA, which would
> then allow the attacker to access the port-forwarding anyway?

The truly paranoid run differing MTAs on the DMZ and internal networks;
hopefully there aren't two zero-day exploits. Even on a single IP (most
users) you can always use UML virtual servers. Port-forward onto a separate
subnet and do not trust other traffic on that subnet. Defence in depth, and
all that.

Or just keep on top of the latest patches/updates and run small sites with
low bandwidth...

Thomas
Re: iptables forwarding to inside firewall
On Sun, Mar 30, 2003 at 05:23:10PM -0500, Robert Brockway wrote:
> [1] If you use the "3 legged firewall" setup, it is possible to
> distinguish DMZ traffic from other traffic based on which interface it is
> entering the firewall.

Just have two different NICs to two different non-routable LANs; one is your
private LAN, the other is for your public services. Port redirect services
into the public net and firewall it so nothing can connect back out from it.
Then even if your MTA is hacked, all you've lost is the machine on the public
LAN. Your fw and private LAN are still secure.

--
IN MY NAME:                   Dale Amon, CEO/MD
No Mushroom clouds over       Islandone Society
London and New York.          www.islandone.org
Re: iptables forwarding to inside firewall
Hi

On Monday 31 March 2003 02:24, Paul Hampson wrote:
> On Sun, Mar 30, 2003 at 05:23:10PM -0500, Robert Brockway wrote:
> > On Fri, 28 Mar 2003, Hanasaki JiJi wrote:
> > > Working on running a SMTP server inside the firewall that takes
> > > incoming SMTP traffic from outside the firewall. The below rules are
> > > not working. The firewall refuses connections. Any input on what's
> > > wrong?
> >
> > If a remote exploit is found in the MTA running on your internal host (as
> > has just occurred with sendmail again), an attacker may be able to launch
> > a direct attack on this box. Depending on your overall security
> > structure they may then be able to attack any number of hosts behind your
> > firewall.
> >
> > Some of the alternatives aren't much better. Running an MTA on your
> > firewall is just as bad as a remote exploit here may allow an attacker
> > access to root on the firewall, allowing the firewall to be
> > circumvented again.
> >
> > If you have more than 1 static address, an MTA running in a DMZ is
> > definitely better. This way you could still have your internal MTA being
> > port forwarded but restrict access through the firewall by source address,
> > such that only your MTA in the DMZ can access the port redirect. If you
> > can restrict access by way of network interface on the firewall[1] then
> > you're much much better off again as this protects against a spoof.
>
> I don't quite follow this... Surely if one can break into the
> port-forwarded MTA, one can break into DMZ's MTA, which would
> then allow the attacker to access the port-forwarding anyway?

I think so, it only depends how paranoid you are and how many levels of
security you think you need. A lot of people could tell a lot of things
against proxies, multiplexors, and talk about the virtues of a NATed
environment...

Going back to the original thread, I think the problem should be in the
forward rule of the internal interface; I can't see any rule like that in
the rules, and if the default policy of the forward hook is DROP the packets
will be rejected at this point. A forward rule allowing this traffic should
permit incoming traffic to the internal SMTP server.

Best Regards
Victor

--
March: one of the worst months for dragging the world into absurd wars.
The other months of the same kind are: January, February, April, May, June,
July, August, September, October, November and December.
Re: iptables forwarding to inside firewall
On Sun, Mar 30, 2003 at 05:23:10PM -0500, Robert Brockway wrote:
> On Fri, 28 Mar 2003, Hanasaki JiJi wrote:
>
> > Working on running a SMTP server inside the firewall that takes incoming
> > SMTP traffic from outside the firewall. The below rules are not
> > working. The firewall refuses connections. Any input on what's wrong?
>
> If a remote exploit is found in the MTA running on your internal host (as
> has just occurred with sendmail again), an attacker may be able to launch a
> direct attack on this box. Depending on your overall security structure
> they may then be able to attack any number of hosts behind your firewall.
>
> Some of the alternatives aren't much better. Running an MTA on your
> firewall is just as bad as a remote exploit here may allow an attacker
> access to root on the firewall, allowing the firewall to be
> circumvented again.
>
> If you have more than 1 static address, an MTA running in a DMZ is
> definitely better. This way you could still have your internal MTA being
> port forwarded but restrict access through the firewall by source address,
> such that only your MTA in the DMZ can access the port redirect. If you
> can restrict access by way of network interface on the firewall[1] then
> you're much much better off again as this protects against a spoof.

I don't quite follow this... Surely if one can break into the
port-forwarded MTA, one can break into DMZ's MTA, which would
then allow the attacker to access the port-forwarding anyway?

--
---
Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

Of course Pacman didn't influence us as kids. If it did, we'd be running
around in darkened rooms, popping pills and listening to repetitive music.
-- Kristian Wilson, Nintendo, Inc, 1989

This email is licensed to the recipient for non-commercial use, duplication
and distribution.
---
Re: iptables forwarding to inside firewall
On Fri, 28 Mar 2003, Hanasaki JiJi wrote:
> Working on running a SMTP server inside the firewall that takes incoming
> SMTP traffic from outside the firewall. The below rules are not
> working. The firewall refuses connections. Any input on what's wrong?

There has been quite a bit of discussion on the mechanics of setting up the
port redirection to a box inside your firewall. I'd like to mention the
potential folly of doing this.

By doing a port redirect from port 25 on your firewall to port 25 on a box
inside you are effectively exposing the internal host to the Internet on
this port, circumventing your firewall.

If a remote exploit is found in the MTA running on your internal host (as
has just occurred with sendmail again), an attacker may be able to launch a
direct attack on this box. Depending on your overall security structure
they may then be able to attack any number of hosts behind your firewall.

Some of the alternatives aren't much better. Running an MTA on your
firewall is just as bad as a remote exploit here may allow an attacker
access to root on the firewall, allowing the firewall to be circumvented
again.

If you have more than 1 static address, an MTA running in a DMZ is
definitely better. This way you could still have your internal MTA being
port forwarded but restrict access through the firewall by source address,
such that only your MTA in the DMZ can access the port redirect. If you
can restrict access by way of network interface on the firewall[1] then
you're much much better off again as this protects against a spoof.

[1] If you use the "3 legged firewall" setup, it is possible to
distinguish DMZ traffic from other traffic based on which interface it is
entering the firewall.

This all presupposes you have been allocated a subnet of static addresses
by your ISP.

If this is for a home setup you may not be able to do much about the
security aspect or it may not be worth it to set up a DMZ (this is
perfectly valid, it's all about risk assessment), but it's always worth
considering the alternatives.

Cheers,
Rob

--
Robert Brockway B.Sc.     email: [EMAIL PROTECTED]   ICQ: 104781119
Linux counter project ID #16440 (http://counter.li.org)
"The earth is but one country and mankind its citizens" -Baha'u'llah
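The "3 legged firewall" layout from Robert's footnote [1], combined with Dale's point that nothing in the public segment should be able to reach the private LAN, written out as a rule set. This is an added example and not code from anyone in the thread; every address and interface name in it is a placeholder (the DMZ uses RFC 5737 documentation space), and only the 192.168.1.2 mail server comes from the thread. The design point is that the port redirect to the internal MTA is matched on the DMZ relay's source address and on the DMZ interface, so a forged source address arriving on the Internet-facing NIC never reaches it.

```shell
#!/bin/sh
# Added example, not from the thread: three-legged firewall with a DMZ relay
# as the only host allowed to use the port redirect to the internal MTA.
# All values are assumptions except the internal MTA address 192.168.1.2.
NIC_EXTERNAL="${NIC_EXTERNAL:-eth0}"      # Internet side
NIC_DMZ="${NIC_DMZ:-eth1}"                # DMZ leg, public static addresses
NIC_INTERNAL="${NIC_INTERNAL:-eth2}"      # private LAN leg
DMZ_NET="${DMZ_NET:-203.0.113.0/29}"      # assumed DMZ subnet
DMZ_MTA="${DMZ_MTA:-203.0.113.2}"         # assumed address of the DMZ relay
FW_DMZ_ADDR="${FW_DMZ_ADDR:-203.0.113.1}" # assumed firewall address on the DMZ leg
INT_NET="${INT_NET:-192.168.1.0/24}"      # private LAN
INT_MTA="${INT_MTA:-192.168.1.2}"         # internal mail server (from the thread)
IPT="${IPT:-echo iptables}"               # prints by default; IPT=iptables applies

dmz_mta_rules() {
    # Anti-spoof: a DMZ or LAN source can never legitimately arrive on the
    # external interface, so the interface match alone defeats a forged source.
    $IPT -A FORWARD -i "$NIC_EXTERNAL" -s "$DMZ_NET" -j DROP
    $IPT -A FORWARD -i "$NIC_EXTERNAL" -s "$INT_NET" -j DROP

    # The Internet only ever talks to the relay in the DMZ (public address,
    # plain routing, no NAT involved).
    $IPT -A FORWARD -i "$NIC_EXTERNAL" -o "$NIC_DMZ" -d "$DMZ_MTA" \
        -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$NIC_DMZ" -o "$NIC_EXTERNAL" -s "$DMZ_MTA" \
        -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

    # The port redirect to the internal MTA exists only for the relay, matched
    # on source address AND the DMZ interface. The relay delivers local domains
    # to the firewall's DMZ-side address; the -d match keeps the relay's
    # ordinary outbound port-25 traffic from being rewritten as well.
    $IPT -t nat -A PREROUTING -i "$NIC_DMZ" -s "$DMZ_MTA" -d "$FW_DMZ_ADDR" \
        -p tcp --dport 25 -j DNAT --to-destination "$INT_MTA:25"
    $IPT -A FORWARD -i "$NIC_DMZ" -o "$NIC_INTERNAL" -s "$DMZ_MTA" -d "$INT_MTA" \
        -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$NIC_INTERNAL" -o "$NIC_DMZ" -s "$INT_MTA" -d "$DMZ_MTA" \
        -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

    # Containment: nothing else from the DMZ reaches the LAN. A compromised
    # relay gets the attacker that one box and a log line, not the network.
    $IPT -A FORWARD -i "$NIC_DMZ" -o "$NIC_INTERNAL" -m limit --limit 5/min \
        -j LOG --log-prefix "DMZ-TO-LAN-DROP: "
    $IPT -A FORWARD -i "$NIC_DMZ" -o "$NIC_INTERNAL" -j DROP
}

dmz_mta_rules
```

Run it as-is to review the generated commands; run it with `IPT=iptables` as root to apply them. Outbound delivery from the relay to the Internet is deliberately not covered here; the point is that the only DMZ-to-LAN path is the single MTA-to-MTA flow, and everything else the relay might try against the LAN is logged and dropped.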
Re: iptables forwarding to inside firewall
I think you must check your default policies. Besides, you should check the
traffic from within your mail server with a tool such as snort or tcpdump
and try logging your rules with the -j LOG match.

Hanasaki JiJi <[EMAIL PROTECTED]> writes:
> Working on running a SMTP server inside the firewall that takes
> incoming SMTP traffic from outside the firewall. The below rules are
> not working. The firewall refuses connections. Any input on what's
> wrong?
>
> Thanks,
>
> internal mailserver = 192.168.1.2
>
> #$PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
> #-s 0/0 \
> #--dport smtp -j DNAT --to-destination 192.168.1.2:25
>
> #$PROG -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
> #-o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport smtp \
> #-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> #$PROG -A FORWARD -i $NIC_INTERNAL -s 192.168.1.2 \
> #-o $NIC_EXTERNAL -d 0/0 -p tcp \
> #-m state --state ESTABLISHED,RELATED -j ACCEPT

--
Andres Roldan
CSO, Fluidsignal Group S.A.
Re: iptables forwarding to inside firewall
> Working on running a SMTP server inside the firewall that takes incoming
> SMTP traffic from outside the firewall. The below rules are not
> working. The firewall refuses connections. Any input on what's wrong?
>
> Thanks,
>
> internal mailserver = 192.168.1.2
>
> #$PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
> #-s 0/0 \
> #--dport smtp -j DNAT --to-destination 192.168.1.2:25

this rule looks fine... you might want to replace the ip with $SMTP_HOST
where SMTP_HOST=192.268.1.2

> #$PROG -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
> #-o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport smtp \
> #-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

I guess you won't need RELATED if you don't want your server to start a new
connection... there's either a new request for a connection or an
established connection

> #$PROG -A FORWARD -i $NIC_INTERNAL -s 192.168.1.2 \
> #-o $NIC_EXTERNAL -d 0/0 -p tcp \
> #-m state --state ESTABLISHED,RELATED -j ACCEPT

I'd add a --sport 25 to this rule...

Are you sure this is your firewall refusing the connection? I'm really just
beginning to work with iptables but from what I know or understand this is
correct... Have you tried some extra logging? Where don't the packages go
through?

There's a great tutorial covering iptables:
http://iptables-tutorial.frozentux.net

Regards,
Horst.
Re: iptables forwarding to inside firewall
Hanasaki JiJi wrote:
> Working on running a SMTP server inside the firewall that takes incoming
> SMTP traffic from outside the firewall. The below rules are not
> working. The firewall refuses connections. Any input on what's wrong?
>
> Thanks,
>
> internal mailserver = 192.168.1.2
>
> #$PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
> #-s 0/0 \
> #--dport smtp -j DNAT --to-destination 192.168.1.2:25
>
> #$PROG -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
> #-o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport smtp \
> #-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> #$PROG -A FORWARD -i $NIC_INTERNAL -s 192.168.1.2 \
> #-o $NIC_EXTERNAL -d 0/0 -p tcp \
> #-m state --state ESTABLISHED,RELATED -j ACCEPT

The rules themselves look OK (except for the fact that they are commented
out) but note that the order in which you specify firewall rules to iptables
is important; perhaps you have previously specified another rule that blocks
away the incoming packets?

Are you sure that the SMTP server can receive incoming traffic from the
firewall? Perhaps its own firewall blocks out the traffic?

I'm not sure about the ":25" you've put after the server's address in the
"--to-destination" parameter for the DNAT target. The iptables manpage
specifies that this should be a port range (E.g. not a single port), if you
want to perform port shifting along with the destination address
translation; since you don't want to do that (you want to keep the traffic
on port 25) I suggest you remove it.
Re: iptables forwarding to inside firewall
Hi,

iptables -t nat -A PREROUTING -p udp -d 130.161.65.18 --dport 2074 -j DNAT --to 192.168.6.2:2074
iptables -t nat -A PREROUTING -p udp -d 130.161.65.18 --dport 2075 -j DNAT --to 192.168.6.2:2075

works nicely to forward external Speak Freely traffic (uses 2 ports) to my
computer inside my firewall.

I hope it helps.

cheers,
joost.

Quoting Hanasaki JiJi <[EMAIL PROTECTED]>:
> Working on running a SMTP server inside the firewall that takes incoming
> SMTP traffic from outside the firewall. The below rules are not
> working. The firewall refuses connections. Any input on what's wrong?
>
> Thanks,
>
> internal mailserver = 192.168.1.2
>
> #$PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
> #-s 0/0 \
> #--dport smtp -j DNAT --to-destination 192.168.1.2:25
>
> #$PROG -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
> #-o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport smtp \
> #-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> #$PROG -A FORWARD -i $NIC_INTERNAL -s 192.168.1.2 \
> #-o $NIC_EXTERNAL -d 0/0 -p tcp \
> #-m state --state ESTABLISHED,RELATED -j ACCEPT

--
Support open source software like
- Linux (Debian is a nice example)
- Apache
- PHP
- MySQL
- Horde
and many others...
iptables forwarding to inside firewall
Working on running a SMTP server inside the firewall that takes incoming
SMTP traffic from outside the firewall. The below rules are not working.
The firewall refuses connections. Any input on what's wrong?

Thanks,

internal mailserver = 192.168.1.2

#$PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
#-s 0/0 \
#--dport smtp -j DNAT --to-destination 192.168.1.2:25

#$PROG -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
#-o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport smtp \
#-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#$PROG -A FORWARD -i $NIC_INTERNAL -s 192.168.1.2 \
#-o $NIC_EXTERNAL -d 0/0 -p tcp \
#-m state --state ESTABLISHED,RELATED -j ACCEPT
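The poster's three rules written out as a script that can be reviewed before it is applied, with the pieces the replies in this thread point at: IP forwarding has to be on for the FORWARD chain to see anything, the FORWARD policy is assumed to be DROP, the reply rule matches on source port 25, and a rate-limited LOG rule at the end of FORWARD turns "the firewall refuses connections" into a concrete logged packet. This is an added example, not code from the poster or from anyone else in the thread; the eth0/eth1 interface names are assumptions, and only the 192.168.1.2 mail server comes from the original post.

```shell
#!/bin/sh
# Added example, not from the thread: the poster's DNAT + FORWARD rules,
# uncommented, plus forwarding, source-port match and a LOG rule for debugging.
NIC_EXTERNAL="${NIC_EXTERNAL:-eth0}"   # assumption: eth0 faces the Internet
NIC_INTERNAL="${NIC_INTERNAL:-eth1}"   # assumption: eth1 faces the LAN
SMTP_HOST="${SMTP_HOST:-192.168.1.2}"  # internal mail server from the post

# Prints the commands by default so they can be reviewed; run with
# IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"

smtp_forward_rules() {
    # 1. Without forwarding enabled the FORWARD chain never sees the packets.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. Rewrite the destination of inbound SMTP arriving on the external NIC.
    $IPT -t nat -A PREROUTING -i "$NIC_EXTERNAL" -p tcp --dport 25 \
        -j DNAT --to-destination "$SMTP_HOST:25"
    # 3. Let the rewritten packets through (FORWARD policy assumed DROP).
    $IPT -A FORWARD -i "$NIC_EXTERNAL" -o "$NIC_INTERNAL" -d "$SMTP_HOST" \
        -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    # 4. Replies from the mail server back out, matched on source port 25.
    $IPT -A FORWARD -i "$NIC_INTERNAL" -o "$NIC_EXTERNAL" -s "$SMTP_HOST" \
        -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
    # 5. Log whatever FORWARD still drops (rate-limited), so a refused
    #    connection shows up in the kernel log with the "FWD-DROP:" prefix
    #    together with the interface and addresses it was seen with.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# The check to run after applying: packet counters per rule show whether the
# DNAT and FORWARD rules are being hit at all, or whether an earlier rule
# (or the policy) is eating the traffic first.
show_counters() {
    $IPT -t nat -L PREROUTING -v -n
    $IPT -L FORWARD -v -n
}

smtp_forward_rules
```

If the counters on the DNAT rule climb but the FORWARD ACCEPT stays at zero, the packet is being dropped between the two, and the LOG line says on which interface and with which addresses; if the FORWARD ACCEPT counter climbs and the connection still fails, the problem is on the mail server itself, as one of the replies suggests.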