IPTABLES - Forwarding

Hope I am in the right area?  I am attempting to route or relay or forward packets from my email server to an email filtering server.  Currently, I have a Red Hat ES with two NICs acting as my email server.  The first NIC, "LAN_INTERFACE", is connected to my LAN.  The second NIC, "EXT_INTERFACE", is connected to the Internet.  At this point, all is well: email comes in via the "EXT_INTERFACE" and gets forwarded to the LAN side via the "LAN_INTERFACE".  I also have iptables running on this system.  Listed below is a portion of my firewall script, which was copied and slightly modified to fit our needs.

LAN_INTERFACE="eth0"
EXT_INTERFACE="eth1"
LOOPBACK_INTERFACE="lo"

EXT_IPADDR="xx.xx.46.20"
EXT_ADDRESSES="xx.xx.46.0/24"
EXT_NETWORK="xx.xx.46.0"
EXT_BROADCAST="xx.xx.46.255"
GATEWAY_IPADDR="xx.xx.46.1"

ANYWHERE="any/0"
LAN="yy.yy.0.0/8"

LAN_IPADDR="yy.yy.98.5"
LAN_ADDRESSES="yy.yy.98.0/24"

#######################################################################
#  Internal:  Incoming SMTP (TCP Port 25)                             #
#######################################################################
iptables -A INPUT -i $LAN_INTERFACE -p tcp \
         -s $LAN --sport $UNPRIVPORTS \
         -d $LAN_IPADDR --dport 25 -j ACCEPT

iptables -A OUTPUT -o $LAN_INTERFACE -p tcp \
         -s $LAN_IPADDR --sport 25 \
         -d $LAN --dport $UNPRIVPORTS -j ACCEPT

 
#######################################################################
#  External:  Incoming SMTP (TCP Port 25)                             #
#######################################################################
iptables -A INPUT -i $EXT_INTERFACE -p tcp \
         -s $ANYWHERE --sport $UNPRIVPORTS \
         -d $EXT_IPADDR --dport 25 -j ACCEPT
iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
         -d $ANYWHERE --dport $UNPRIVPORTS \
         -s $EXT_IPADDR --sport 25 -j ACCEPT
 

#######################################################################
#  External:  Outgoing SMTP (TCP Port 25)                             #
#######################################################################
iptables -A OUTPUT -o $EXT_INTERFACE -p tcp \
         -s $EXT_IPADDR --sport $UNPRIVPORTS \
         -d $ANYWHERE --dport 25 \
         -m state --state NEW -j ACCEPT
iptables -A INPUT -i $EXT_INTERFACE -p tcp \
         -d $EXT_IPADDR --dport $UNPRIVPORTS \
         -s $ANYWHERE --sport 25 \
         -m state --state ESTABLISHED -j ACCEPT


iptables -A FORWARD -i $EXT_INTERFACE -o $LAN_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS \
         -d $MAIL_SERVER --dport 25 \
         -m state --state NEW -j ACCEPT


My email server is running Sendmail.  Problem now is that the email filtering application is running on Windows 2000 Server.  I was informed by the vendor that I need to relay or forward all SMTP packets prior to hitting my POP server.  This filtering server only has one NIC with a private IP address (yy.yy.98.54) located in the same segment as the "LAN_INTERFACE".  It was suggested that I use iptables with DNAT.  Unfortunately, the last time I looked at my iptables script was a year ago.  Does anybody have any suggestion as to how I can pass SMTP packets through another server and then back?  Any sample code is greatly appreciated.

Thank you in advance for your time on this matter.
CVCB-NetAdmin Asked:
ahoffmann Commented:
hmm, think you should get more used to iptables chains :-)
packets go through PREROUTING then INPUT if they are for the host itself
they go through PREROUTING, then FORWARD, then OUTPUT and then POSTROUTING if they are forwarded

rules are checked in the order they were defined 'til the first rule matches (not explaining some exceptions here)
so if you use -A when building the rules, they are appended at the end of the corresponding chain
if you want a specific order you have to ensure it by using your preferred sequence of iptables -A calls, or you need to insert them at a specific position using -I instead of -A

> ..does the packet get re-evaluated again from the top?
now you see, that this is the wrong question

> what can I use or do to trace as to what is going on when a packet arrives
tcpdump -l -n -i EXT_INTERFACE
tcpdump -l -n -i LAN_INTERFACE
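The chain order described in the answer above (PREROUTING first, then the routing decision, then INPUT or FORWARD, first matching rule wins, -A appends) and jlevie's DNAT rule can be checked on paper with a small model. The following is an added example written for this page, not code from any poster: it walks a constructed inbound SMTP packet through the thread's own anti-spoofing rules and the DNAT rule, and reports which chain and which rule decided it. The masked addresses are replaced with constructed documentation ranges, the DROP chain policies are an assumption (the posted excerpt does not show them), and connection tracking (`--state`) is not modelled.

```python
"""Toy model of how netfilter walks a packet through its chains.

Constructed example for this thread, not code from the original post:
it models only nat/PREROUTING (DNAT), the routing decision, and the
filter INPUT/FORWARD chains with iptables' first-match semantics and
chain policies. Connection tracking (--state) is not modelled.
"""
import ipaddress
from dataclasses import dataclass, replace

# Interface names from the thread; the masked addresses are replaced by
# constructed documentation ranges (RFC 5737 / RFC 1918).
EXT_INTERFACE, LAN_INTERFACE = "eth1", "eth0"
EXT_IPADDR = "203.0.113.20"      # stands in for xx.xx.46.20
LAN_IPADDR = "10.0.98.5"         # stands in for yy.yy.98.5
LAN_ADDRESSES = "10.0.98.0/24"   # stands in for yy.yy.98.0/24
FILTER_HOST = "10.0.98.54"       # the Windows filter box, yy.yy.98.54
LOCAL_ADDRS = {EXT_IPADDR, LAN_IPADDR}   # addresses owned by the Red Hat box


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    target: str            # ACCEPT, DROP or DNAT
    in_if: str = None      # -i
    src: str = None        # -s, CIDR; a leading "!" negates, like "-s ! net"
    dst: str = None        # -d
    dport: int = None      # --dport
    proto: str = None      # -p
    to: str = None         # DNAT --to

    def matches(self, p):
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want is None:
                continue
            negate = want.startswith("!")
            net = ipaddress.ip_network(want.lstrip("! "), strict=False)
            if (ipaddress.ip_address(have) in net) == negate:
                return False
        return True


def run_chain(rules, policy, p):
    """First matching rule decides, as in iptables; else the chain policy."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r, i
    return Rule(policy), None


def traverse(tables, p):
    """Walk one inbound packet: nat/PREROUTING, routing decision, filter chain."""
    hit, _ = run_chain(tables["nat_PREROUTING"], "ACCEPT", p)
    if hit.target == "DNAT":          # DNAT rewrites dst *before* routing
        p = replace(p, dst=hit.to)
    chain = "INPUT" if p.dst in LOCAL_ADDRS else "FORWARD"
    hit, idx = run_chain(tables["filter_" + chain], tables["policy_" + chain], p)
    return {"verdict": hit.target, "chain": chain, "rule": idx, "dst": p.dst}


def thread_tables(forward_accept_for_filter):
    """The poster's anti-spoofing rules in their -A (append) order, jlevie's
    DNAT, and optionally the FORWARD ACCEPT the redirected flow still needs.
    DROP chain policies are an assumption; the posted excerpt omits them."""
    spoof = [
        Rule("DROP", src=EXT_IPADDR),
        Rule("DROP", src=LAN_IPADDR),
        Rule("DROP", in_if=EXT_INTERFACE, src=LAN_ADDRESSES),
    ]
    forward = spoof + [Rule("DROP", in_if=LAN_INTERFACE, src="! " + LAN_ADDRESSES)]
    if forward_accept_for_filter:
        forward.append(Rule("ACCEPT", in_if=EXT_INTERFACE, proto="tcp",
                            dst=FILTER_HOST, dport=25))
    return {
        "nat_PREROUTING": [Rule("DNAT", in_if=EXT_INTERFACE, proto="tcp",
                                dport=25, to=FILTER_HOST)],
        "filter_INPUT": spoof + [Rule("ACCEPT", in_if=EXT_INTERFACE, proto="tcp",
                                      dst=EXT_IPADDR, dport=25)],
        "filter_FORWARD": forward,
        "policy_INPUT": "DROP",
        "policy_FORWARD": "DROP",
    }


# Constructed packets: a normal delivery from the Internet and a spoofed one
# that claims a LAN source while arriving on the external interface.
INBOUND_SMTP = Packet(EXT_INTERFACE, "198.51.100.7", EXT_IPADDR, 25)
SPOOFED_SMTP = Packet(EXT_INTERFACE, "10.0.98.77", EXT_IPADDR, 25)

if __name__ == "__main__":
    for accept in (False, True):
        print("FORWARD ACCEPT present:", accept,
              traverse(thread_tables(accept), INBOUND_SMTP))
    print("spoofed:", traverse(thread_tables(True), SPOOFED_SMTP))
```

Running it shows the DNAT happening before the routing decision (the packet's destination becomes the filter host, so it lands in FORWARD rather than INPUT), the spoofed packet being dropped by the third anti-spoofing rule, and the legitimate packet being decided by the FORWARD chain's policy unless an ACCEPT for the redirected flow exists. In real iptables terms that missing rule is something like `iptables -A FORWARD -i $EXT_INTERFACE -o $LAN_INTERFACE -p tcp -d yy.yy.98.54 --dport 25 -m state --state NEW -j ACCEPT`, together with a `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule in FORWARD so the filter host's replies get back out. On the live box, the packet and byte counters from `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` tell you which rule is actually being hit, and the two tcpdump commands from the answer show whether the rewritten packet ever leaves on LAN_INTERFACE.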
jlevie Commented:
Add:

iptables -t nat -A PREROUTING -i $EXT_INTERFACE -p tcp --dport 25 -j DNAT --to yy.yy.n.n

where yy.yy.n.n is the IP of the machine running the mail filter.
CVCB-NetAdmin (Author) Commented:
Excuse my ignorance, but iptables is somewhat a difficult subject for me.  Does this command go before the first section of the SMTP filtering?  

Again, thank you for your time on this matter.
ahoffmann Commented:
it should replace your last posted iptables rule (that with the FORWARD chain)
CVCB-NetAdmin (Author) Commented:
Removed the line below:

iptables -A FORWARD -i $EXT_INTERFACE -o $LAN_INTERFACE -p tcp \
         -s $LAN_ADDRESSES --sport $UNPRIVPORTS \
         -d $MAIL_SERVER --dport 25 \
         -m state --state NEW -j ACCEPT

Replaced it with:

iptables -t nat -A PREROUTING -i $EXT_INTERFACE -p tcp --dport 25 -j DNAT --to yy.yy.n.n

Restarted my server and packets didn't get forwarded.  I do have the additional lines below that I thought might cause the problem of the packets not being forwarded.  These lines are located at the very top, prior to any SMTP manipulation.  But this should not have any effect, right?  Any other suggestions?

Again, thank you for your time on this matter.

#######################################################################
#  Refuse spoofed packets pretending to be from you                   #
#######################################################################
iptables -A INPUT -s $EXT_IPADDR -j DROP
iptables -A INPUT -s $LAN_IPADDR -j DROP

iptables -A FORWARD -s $EXT_IPADDR -j DROP
iptables -A FORWARD -s $LAN_IPADDR -j DROP

iptables -A INPUT -i $EXT_INTERFACE -s $LAN_ADDRESSES -j DROP
iptables -A FORWARD -i $EXT_INTERFACE -s $LAN_ADDRESSES -j DROP

iptables -A FORWARD -i $LAN_INTERFACE -s ! $LAN_ADDRESSES -j DROP

iptables -A OUTPUT -o $EXT_INTERFACE -s ! $EXT_IPADDR -j DROP
iptables -A OUTPUT -o $LAN_INTERFACE -s ! $LAN_IPADDR -j DROP

ahoffmann Commented:
> iptables -A FORWARD -i $LAN_INTERFACE -s ! $LAN_ADDRESSES -j DROP
this line drops your packets, they never reach the nat table
CVCB-NetAdmin (Author) Commented:
Okay.  So, when a packet reaches this line: "iptables -t nat -A PREROUTING -i $EXT_INTERFACE -p tcp --dport 25 -j DNAT --to yy.yy.n.n" and this line is located in the middle of my firewall script, does the packet get re-evaluated again from the top?  If not, what can I use or do to trace as to what is going on when a packet arrives at my "EXT_INTERFACE"?

Again, thank you!