Hi! I'm sure this is covered SOMEWHERE - but I haven't found anything obvious in the archives / howtos. I'm using Debian Linux with the 2.4 kernel.

I currently have the following configuration (please comment if you find this arrangement objectionable in itself!):

Internal LAN - 192.168.0.30 through 192.168.0.50
Dual-Homed Gateway (is that the right term?) - two NICs - 192.168.0.1 and 192.168.69.2
Dual-Homed Firewall (again, whatcha call it?) - two NICs - 192.168.69.1 and Internet Static IP

My physical connections are workstations to switch, switch to Gateway, Gateway to Firewall, Firewall to Internet. Should I re-route this and run the switch directly to the Firewall, and hang the Gateway/Server off the switch? I value your experience.

The gateway is set up with entries in the routing table and has forwarding enabled. I've set up iptables on the firewall with source NAT and a reject of anything from the outside that isn't the result of a connection. Works fine. (Actually, I also have the same iptables script running on the gateway server - probably overkill.) Postfix is running on the gateway server - works fine.

What do I need to set on the firewall/gateway to make my Postfix server available to the internet? I've tried:

    iptables -t nat -A PREROUTING -p tcp --dport 25 -i eth1 -j DNAT --to 192.168.69.2:25

BTW - eth1 of the firewall (and gateway too) is the "dangerous" side (internet/dmz) - eth0 is the "safe" side (dmz/internal LAN).

And variations of the same - but no go. What am I missing? This is really getting frustrating - mainly because I don't really understand what I'm doing. Using a port scanner from an external webserver, it shows that ports 25, 80, and 10025 are closed (see below). What am I missing? Here's the iptables dump from both my firewall and my internal server.
*** FIREWALL IPTABLES ***

> iptables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  903 84552 ACCEPT     all  --  eth0   *       192.168.69.0/24      0.0.0.0/0
    0     0 drop-and-log-it  all  --  eth1   *       192.168.69.0/24      0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            67.106.235.126       state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    6   644 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  619  290K ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  709 49179 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            67.106.235.126       tcp dpt:25
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            67.106.235.126       tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.69.2         tcp dpt:25
    4   240 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    67.106.235.126       192.168.69.0/24
  900  154K ACCEPT     all  --  *      eth0    192.168.69.0/24      192.168.69.0/24
    0     0 drop-and-log-it  all  --  *      eth1    0.0.0.0/0            192.168.69.0/24
    6   504 ACCEPT     all  --  *      eth1    67.106.235.126       0.0.0.0/0
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain drop-and-log-it (5 references)
 pkts bytes target     prot opt in     out     source               destination
   10   884 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

> iptables -n -v -t nat -L
Chain PREROUTING (policy ACCEPT 68 packets, 4258 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 DNAT       tcp  --  eth1   *       0.0.0.0/0            67.106.235.126       tcp dpt:25 to:192.168.0.2:25
    1    60 DNAT       tcp  --  eth1   *       0.0.0.0/0            67.106.235.126       tcp dpt:80 to:192.168.0.2:80
    1    60 DNAT       tcp  --  *      *       0.0.0.0/0            67.106.235.126       tcp dpt:10025 to:192.168.0.2:25

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   49  2666 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:67.106.235.126

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

*** INTERNAL SERVER IPTABLES ***

> iptables -n -v -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
13961 2377K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1998  255K ACCEPT     all  --  eth0   *       192.168.0.0/24       0.0.0.0/0
    0     0 drop-and-log-it  all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
 7474 2121K ACCEPT     all  --  eth1   *       0.0.0.0/0            192.168.69.2         state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
 2333  196K drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
13961 2377K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  116 11809 ACCEPT     all  --  *      eth0    192.168.69.2         192.168.0.0/24
 2318  709K ACCEPT     all  --  *      eth0    192.168.0.0/24       192.168.0.0/24
    0     0 drop-and-log-it  all  --  *      eth1    0.0.0.0/0            192.168.0.0/24
10229  840K ACCEPT     all  --  *      eth1    192.168.69.2         0.0.0.0/0
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain drop-and-log-it (5 references)
 pkts bytes target     prot opt in     out     source               destination
 2333  196K REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

> iptables -n -v -t nat -L
Chain PREROUTING (policy ACCEPT 2672 packets, 228K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 539 packets, 29015 bytes)
 pkts bytes target     prot opt in     out     source               destination
  272 15327 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:192.168.69.2

Chain OUTPUT (policy ACCEPT 811 packets, 44342 bytes)
 pkts bytes target     prot opt in     out     source               destination

Ports 25 and 80 are of course for SMTP and HTTP - I tried 10025 just to be different.

Thanx for your help,
Daniel
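An added example, not part of Daniel's post: a small checker that parses `iptables -n -v -L` and `iptables -n -v -t nat -L` output and cross-checks every PREROUTING DNAT against the filter FORWARD chain. The point it encodes is that nat/PREROUTING runs before the routing decision, so FORWARD sees the already-translated (private) destination address; an ACCEPT keyed on the public address never matches a forwarded packet, and a `state RELATED,ESTABLISHED` rule cannot admit the first SYN of a new inbound connection. The sample dumps are constructed in the layout of the output above (203.0.113.10 stands in for the firewall's public address); two of the three DNATs deliberately point at a host no FORWARD rule covers, and the third is paired correctly so the checker shows both outcomes.

```python
import ipaddress
import re

# Constructed sample output (same layout as `iptables -n -v -L`); addresses are placeholders.
FILTER_DUMP = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  619  290K ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  709 49179 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            203.0.113.10         tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.69.2         tcp dpt:25
    4   240 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample output of `iptables -n -v -t nat -L`.
NAT_DUMP = """\
Chain PREROUTING (policy ACCEPT 68 packets, 4258 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 DNAT       tcp  --  eth1   *       0.0.0.0/0            203.0.113.10         tcp dpt:25 to:192.168.0.2:25
    1    60 DNAT       tcp  --  eth1   *       0.0.0.0/0            203.0.113.10         tcp dpt:80 to:192.168.0.2:80
    1    60 DNAT       tcp  --  eth1   *       0.0.0.0/0            203.0.113.10         tcp dpt:10025 to:192.168.69.2:25
"""

DPT_RE = re.compile(r"dpt:(\d+)")
TO_RE = re.compile(r"to:(\d+\.\d+\.\d+\.\d+)(?::(\d+))?")


def parse_dump(text):
    """Parse verbose iptables listing output into {chain_name: [rule dict, ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        fields = line.split()
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue  # blank line or column header
        extra = " ".join(fields[9:])  # match/target options: dpt:, state, to:
        dpt, to = DPT_RE.search(extra), TO_RE.search(extra)
        chains[current].append({
            "target": fields[2], "prot": fields[3],
            "in": fields[5], "out": fields[6],
            "src": fields[7], "dst": fields[8],
            "dpt": int(dpt.group(1)) if dpt else None,
            "to_ip": to.group(1) if to else None,
            "to_port": int(to.group(2)) if to and to.group(2) else None,
            "stateful": "state " in extra,
        })
    return chains


def _dst_covers(rule_dst, ip):
    """True if the rule's destination (host or CIDR; 0.0.0.0/0 = any) contains ip."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_dst, strict=False)


def forward_accepts(chains, ip, port, in_if="eth1"):
    """True if an unconditional FORWARD ACCEPT admits a NEW TCP connection arriving
    on in_if for the translated destination ip:port. Stateful rules are skipped
    because the opening SYN is in state NEW, not RELATED/ESTABLISHED."""
    for r in chains.get("FORWARD", []):
        if r["target"] != "ACCEPT" or r["stateful"]:
            continue
        if r["prot"] not in ("all", "tcp") or r["in"] not in ("*", in_if):
            continue
        if r["dpt"] not in (None, port):
            continue
        if _dst_covers(r["dst"], ip):
            return True
    return False


def check_port_forwards(filter_text, nat_text, in_if="eth1"):
    """For each PREROUTING DNAT return (public_dst, public_port, to_ip, to_port, forward_ok)."""
    filt, nat = parse_dump(filter_text), parse_dump(nat_text)
    findings = []
    for r in nat.get("PREROUTING", []):
        if r["target"] != "DNAT" or r["to_ip"] is None:
            continue
        port = r["to_port"] if r["to_port"] is not None else r["dpt"]
        ok = forward_accepts(filt, r["to_ip"], port, in_if)
        findings.append((r["dst"], r["dpt"], r["to_ip"], port, ok))
    return findings


if __name__ == "__main__":
    for pub, pport, ip, port, ok in check_port_forwards(FILTER_DUMP, NAT_DUMP):
        verdict = "ok" if ok else "NO FORWARD ACCEPT for translated destination"
        print(f"DNAT {pub}:{pport} -> {ip}:{port}: {verdict}")
```

Run against real output by feeding the two listings in (for example `subprocess.run(["iptables", "-n", "-v", "-L"], capture_output=True, text=True).stdout`). A DNAT the checker flags is only half the story: the translated address must also be routable from the firewall's inside interface, and the host it lands on must itself ACCEPT the port in its INPUT chain, as the internal server's dump above does for dpt:25. The pkts counters in the listing are the quickest confirmation, since a DNAT rule that counts hits while its FORWARD ACCEPT stays at zero points straight at the chain where the packet is being rejected.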