Re: Mail server behind a firewall

Hi Nandao.

Comments below.

----- Original Message -----
From: "Fernando Martins" <martinsfernand@xxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Monday, November 21, 2005 1:10 PM
Subject: Mail server behind a firewall


Hi,

I have been looking for a solution for days and nights and I can't
find any solution to my problem.
I have installed a mail server behind a firewall, which I have
configured very badly with iptables.
I want an external SMTP server to be able to talk to mine, but it is failing.
My configuration is:

INTERNET ---------- eth0 [ FIREWALL ] eth1 ---------- MAIL SERVER (PrivateIP)

eth0 is the public interface with public address A.


How can I do this?

Nandao
(nervous breakdown is close)

I'm guessing that your eth1 has an IP like 192.168.0.3 or 10.0.0.3 or some such, and you want to forward ports.

The port forwarding part could look like this:

iptables -t nat -A PREROUTING -p TCP -i eth0 -d PublicAddress --dport 25 -j DNAT --to PrivateIP

This tells iptables that if a packet comes in on eth0, with a target address of your public IP and destination port 25, it should be forwarded (readdressed) to PrivateIP.

For the above to work as it is, this firewall must also be the default gateway for the Mail Server, and must be working as a Masquerading NAT firewall.
(I assume it's already functioning as the internet sharing computer.)

Also, depending on your other firewall rules and policies, you may need to specifically allow the incoming ports. I'd have to see your specific config to know exactly what you need, but it might look something like this:

iptables -A FORWARD -i eth0 -o eth1 -d MailServerIP -j ACCEPT

This tells iptables to accept any packet that comes in on eth0 and goes out eth1 with a destination IP of the mail server's private IP.

Depending on your other policies, more accept rules may be needed. But hopefully this will get you started.

-Jesse
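The two rules in the reply above, completed into a small rule set, as an added example that is not part of the original thread or of Jesse's reply. It goes a little further than the reply: the FORWARD rule is narrowed to TCP/25 on the mail server instead of accepting every packet addressed to it, the return path is allowed through connection tracking, the masquerade rule the reply assumes is spelled out, and IP forwarding is switched on. The interface names and addresses (eth0, 203.0.113.10, eth1, 192.168.0.3) are constructed placeholders; the function names are this example's own.

```shell
#!/bin/sh
# Added example: generate the iptables rules that forward inbound SMTP
# (TCP/25) from the firewall's public address to a mail server on the LAN.
# Interface and address values used below are constructed placeholders.

# Print the rule set for: public interface, public IP, LAN interface, mail
# server IP. Nothing is executed here; the caller decides what to do with it.
mail_forward_rules() {
    pub_if=$1; pub_ip=$2; lan_if=$3; mail_ip=$4

    # 0. The kernel must route between interfaces for DNAT to be useful.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # 1. DNAT: rewrite the destination of inbound SMTP to the mail server.
    #    Only packets arriving on the public interface for the public address
    #    are rewritten, so LAN-to-LAN traffic is untouched.
    echo "iptables -t nat -A PREROUTING -i $pub_if -p tcp -d $pub_ip --dport 25 -j DNAT --to-destination $mail_ip"

    # 2. FORWARD: let the rewritten packets through, but only to port 25 on
    #    the mail server; anything else still falls through to the chain policy.
    echo "iptables -A FORWARD -i $pub_if -o $lan_if -p tcp -d $mail_ip --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"

    # 3. Replies from the mail server (and related traffic) back out.
    echo "iptables -A FORWARD -i $lan_if -o $pub_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # 4. Masquerade the mail server's outbound traffic so it can deliver mail
    #    through the firewall, which is its default gateway.
    echo "iptables -t nat -A POSTROUTING -s $mail_ip -o $pub_if -j MASQUERADE"
}

# Number of rules produced; a cheap sanity check before applying.
mail_forward_rule_count() {
    mail_forward_rules "$@" | wc -l | tr -d ' '
}

# Apply the rules (needs root). With DRY_RUN=1 the commands are only printed.
apply_mail_forward() {
    mail_forward_rules "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
        else
            $cmd   # unquoted on purpose: split into the command and its arguments
        fi
    done
}

# Usage with the constructed placeholder values; drop DRY_RUN=1 on the real box.
DRY_RUN=1 apply_mail_forward eth0 203.0.113.10 eth1 192.168.0.3
```

Two things worth checking once the rules are in: `iptables -t nat -L PREROUTING -n -v` should show the DNAT counters climbing when an outside host connects to port 25, and `iptables -L FORWARD -n -v` should show the ACCEPT rule matching; if the first counts and the second does not, the FORWARD chain policy (or an earlier rule) is what is dropping the traffic.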