• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 566

Using IPtables to relay mail

I was previously using ipchains to relay messages from my Linux machine to my Exchange server and vice versa.  Now I would like to use iptables to accomplish the same function.  I would like help in order to accomplish this task.
Things to know.  My Linux machine has one network card. Mail coming into my network would first go to the Linux machine and then be relayed to my Exchange server, which is on my inTRAnet.  Mail going out will go to my Exchange server and then to my Linux server and then out to the Internet.

Any help will be much appreciated.
Asked: yeahmen
1 Solution
 
apessos Commented:
Can you post an excerpt of the ipchain rules you use to relay the email messages?  

In the meantime, I've recently run into relaying problems, so make sure that you are using the FORWARD table to send all messages going to the Exchange server port to the Exchange server.

Doing something like:

iptables -A FORWARD -i eth0 -p tcp --dport XXXX -j ACCEPT

I'm still a novice with iptables, but I feel your pain and would like to help.
 
Techno__Mage Commented:
As noted in apessos' entry, you will first need rules to "allow" the traffic to pass.  

You will also need something like the following to do the NAT & port forwarding portions...  
(substitute the IP of your Exchange server where I have noted 192.0.2.10)
(more accurate suggestions could be made when we see your present ipchains rules)

# This rule will redirect inbound smtp traffic to your
#  exchange server (conntrack will handle the replies)
iptables -t nat -A PREROUTING -i eth0 --protocol tcp --destination-port 25 -j DNAT --to-destination 192.0.2.10:25

# This rule would masq/nat your outbound smtp traffic
#  from your exchange box so it doesn't appear to come
#  from an "internal" IP address on your LAN
# (There is probably a broader rule that covers this too)
iptables -t nat -A POSTROUTING -o eth0 --protocol tcp -m tcp --dport 25 -j MASQUERADE
 
yeahmen (Author) Commented:
These are the rules that I have currently in place.  However, I would like to disallow EVERYTHING ELSE except SMTP.  Is the following rule sufficient or would I need more rules?
Also I find that after I reboot the machine the rules won't work. I would need to log in and send a mail as root and then it would start working again.

# Generated by iptables-save v1.2.3 on Fri Feb 28 12:56:01 2003
*filter
:INPUT ACCEPT [1936:175528]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3553:1516019]
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp ! --dport 25 --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT
# Completed on Fri Feb 28 12:56:01 2003

djluff Commented:
Unless you are doing it manually out of interest, I'd recommend looking at something like fwbuilder.sourceforge.net to configure iptables.

iptables can do things in a much more secure way than ipchains, but it gets pretty messy doing it by hand. fwbuilder lets you configure the access rules and NAT through a nice GUI similar to a Checkpoint firewall.
 
Techno__Mage Commented:
Need clarification of something.  Your question indicated that your Linux box has one network card...  how are the network connections to it set up?  (network card connects to intranet and USB modem for Internet, or something?)

Also, the rules you listed do not do any port forwarding.  

Meanwhile, this might be a better approach to your "filter" rules (using default policy of "DROP").  Note your port 53 rules are only needed if you are running a DNS server there, too.  

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --syn --dport 25 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --syn --dport 53 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
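Pulling the three suggestions in this thread together (apessos's FORWARD rule, Techno__Mage's DNAT/MASQUERADE pair, and the default-DROP filter set), here is an added example that is not from any poster: a small POSIX shell script that emits a complete iptables-restore ruleset for a Linux box that port-forwards SMTP to an internal Exchange server, and sanity-checks the table/COMMIT structure before the file is loaded. The Internet-facing interface name ppp0, the Exchange address 192.0.2.10 (the placeholder Techno__Mage used), and the assumption that the Linux box is the Exchange server's default gateway (so DNAT'd replies flow back through it and conntrack can un-NAT them) are assumptions for the example, not facts from the thread.

```shell
#!/bin/sh
# Added example: generate and sanity-check an iptables-restore ruleset for a
# single-box SMTP relay in front of an internal Exchange server.
# Assumptions (placeholders, not from the thread):
#   $1 = Internet-facing interface (e.g. ppp0; the single NIC stays on the LAN)
#   $2 = Exchange server IP (192.0.2.10 is the thread's placeholder address)
#   The Linux box is the Exchange server's default gateway, so the replies to
#   DNAT'd connections pass back through it and conntrack reverses the NAT.

gen_rules() {
    cat <<EOF
# filter table: deny by default, allow only what the relay needs
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# inbound SMTP: FORWARD sees the post-DNAT destination, so match the Exchange IP
-A FORWARD -i $1 -d $2 -p tcp -m tcp --syn --dport 25 -j ACCEPT
# outbound SMTP from Exchange only; nothing else on the LAN may relay out
-A FORWARD -s $2 -o $1 -p tcp -m tcp --syn --dport 25 -j ACCEPT
COMMIT
# nat table: port-forward inbound 25 to Exchange, hide Exchange's LAN address outbound
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $1 -p tcp -m tcp --dport 25 -j DNAT --to-destination $2:25
-A POSTROUTING -s $2 -o $1 -p tcp -m tcp --dport 25 -j MASQUERADE
COMMIT
EOF
}

# Read a ruleset on stdin; return 0 only if every *table header is closed by
# exactly one COMMIT (a truncated or mis-pasted file would make iptables-restore
# fail halfway, leaving the box with a partial policy).
check_ruleset() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1 }   # header while a table is still open
        /^COMMIT$/ { if (!open) bad = 1; open = 0 }  # COMMIT must close an open table
        END        { if (bad || open) exit 1; exit 0 }
    '
}

# Stand-alone use (as root), for example:
#   sh relay-rules.sh ppp0 192.0.2.10 > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
if [ "$#" -eq 2 ]; then
    gen_rules "$1" "$2" | check_ruleset || { echo "malformed ruleset" >&2; exit 1; }
    gen_rules "$1" "$2"
fi
```

Loading the saved file with iptables-restore from a boot script is what makes a ruleset survive a reboot; iptables-save on its own only writes the current rules out and reloads nothing. Because INPUT defaults to DROP and no rule accepts port 25 on the box itself, all Internet SMTP is handled by the DNAT path rather than by a local MTA; a setup that instead relays through a local mail server would need an INPUT accept for port 25 and no PREROUTING DNAT.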
 
CleanupPing Commented:
yeahmen:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
 
paullamhkg Commented:
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is to:

Be PAQ'd/Points Not Refunded

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Paul
EE Cleanup Volunteer
 
Lunchy Commented:
PAQed per request/recommendation - No Refund

Lunchy
Friendly Neighbourhood Community Support Moderator