Discussion:
email ports forwarding w/ existing local email server.
Sthu Deus
2010-12-07 08:53:07 UTC
Good day.

I have to forward email ports from local net to the whole world. At
the same time I have a local email server that functions too. -
Therefore I have to divide the requests between those coming to the
local one and those that go to the outer one.

Having said that I have:

world's net - 1.1.1.1

local net - 192.168.0.0/24

iptables firewall, w/ running email server - 192.168.0.1

eth0 - the world's net

eth1 the local one.


Here is how I try to accomplish this:

/sbin/iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -p tcp -m multiport
--dports 25,110 -j ACCEPT

/sbin/iptables -t nat -A PREROUTING -s
192.168.0.0/24 -p tcp --dport 25000 -j DNAT --to-destination
______:25

/sbin/iptables -t nat -A POSTROUTING -i eth1 -s
192.168.0.0/24 -j SNAT --to-source=1.1.1.1


My questions are:

1. Is it all correct/safe in any way, or needs additional correction?

2. _______ - what should I use here in case I do not want to limit the
access to a single email server?


Thank You for Your time.
Stephan Balmer
2010-12-07 14:11:20 UTC
Hi
Post by Sthu Deus
I have to forward email ports from local net to the whole world. At
the same time I have a local email server that functions too. -
Therefore I have to divide the requests between those coming to the
local one and those that go to the outer one.
It is unclear to me what you are trying to accomplish. Do you want
hosts on the internal network to be able to connect to SMTP servers
on the Internet?

In your case it might make sense to configure the existing mailserver as
relay and to configure clients to use the relay.
Post by Sthu Deus
[...]
/sbin/iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -p tcp -m multiport
--dports 25,110 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -s
192.168.0.0/24 -p tcp --dport 25000 -j DNAT --to-destination
______:25
/sbin/iptables -t nat -A POSTROUTING -i eth1 -s
192.168.0.0/24 -j SNAT --to-source=1.1.1.1
1. Is it all correct/safe in any way, or needs additional correction?
In the first rule you would have to use the INPUT chain instead of the
FORWARD chain if you want it to apply to connections to the local service.
Post by Sthu Deus
2. _______ - what should I use here in case I do not want to limit the
access to a single email server?
The second line does not work because DNAT is supposed to change the
destination address.

The last line could possibly work but since I don't understand what you are
trying to do, I am unable to tell whether it works for you.

Cheers
Stephan
Stephan Balmer
2010-12-08 15:12:20 UTC
Post by Stephan Balmer
It is unclear to me what you are trying to accomplish. Do you want
hosts on the internal network to be able to connect to SMTP servers
on the Internet?
Right. - the hosts in the local net already use the local email
service. Now they want to use their email boxes hosted on other
email services - in the Internet. My goal is to save their ability to
use the local email service and let them use the Internet services as
well.
In the usual setup, when clients access the Internet through a masquerading
firewall, the protocols POP, IMAP and SMTP all work. Also many people use
webmail which depends on HTTP only. If you want to allow clients to access
Internet mail services, all you have to do is to configure masquerading and
to allow the corresponding ports. (Don't forget about port 587 for mail
submission.)
Post by Stephan Balmer
In your case it might make sense to configure the existing mailserver
as relay and to configure clients to use the relay.
I am not experienced with this, - even if it is possible to relay for
inner boxes and the outer ones - is it not easier to simply forward the
ports directly to the Internet services by iptables?
I recommended setting up a mail relay because I thought you were setting up
mail for an organization and you already had a mailserver running.
Post by Stephan Balmer
Post by Sthu Deus
/sbin/iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -p tcp -m
multiport --dports 25,110 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -s
192.168.0.0/24 -p tcp --dport 25000 -j DNAT --to-destination
______:25
/sbin/iptables -t nat -A POSTROUTING -i eth1 -s
192.168.0.0/24 -j SNAT --to-source=1.1.1.1
1. Is it all correct/safe in any way, or needs additional
correction?
In the first rule you would have to use the INPUT chain instead of the
FORWARD chain if you want it to apply to connections to the local service.
Post by Sthu Deus
2. _______ - what should I use here in case I do not want to limit
the access to a single email server?
The second line does not work because DNAT is supposed to change the
destination address.
The last line could possibly work but since I don't understand what
you are trying to do, I am unable to tell whether it works for you.
OK. AFAIK, I can solve my problem in two ways: by NAT and by direct
forward (though I do not know what will work either).
I do not know what you mean by "direct forward".
The NAT solution I have figured out already - You say I need to specify
the destination address - from which I understand I need to specify all
the ips they will use - but I think it will be hard to do - for, for
example, google has multiple ips for that - to write them all will be a
hard task.
This is an infeasible task. You do not know all the mail relays on the
Internet, nor does anybody else. While I'm not clear on what you actually
want, I know it is not DNAT.
Another way - as I see it - is simply to forward the requests for 25 or
110 ports - that are not intended for my local mail service
/sbin/iptables -A FORWARD -p tcp -s 192.168.0.0/24 --dport 25 -d
! 192.168.0.1 -j ACCEPT
- is this OK?
No, because internal addresses (your 192.168) are not routable on the Internet.
You must NAT the source addresses; in iptables this is easiest done with the
MASQUERADE target. There is a lot of documentation on this topic, so I won't
repeat it here.

Also, regarding your line above, packets addressed to the host itself do not pass
through the FORWARD chain, but through the INPUT chain only. So in FORWARD you
don't have to make an exception for packets to the host itself. This is a common
misconception.

--
Stephan
Stephan Balmer
2010-12-10 13:16:11 UTC
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p tcp --dport 25 -j
SNAT --to-source=MY_FIREWALL_EXTERNAL_IP
That's OK?
Looks alright to me, but it's been a while since I last used the SNAT target.
If yes, is it enough, or do I have to specify something more?
That depends on what you want. It also depends on what other rules you have
in your iptables.

The command above will enable sending mail via SMTP only, because you
restrict it to port 25. POP, IMAP and mail submission (port 587) will not
work.
