iptables port redirection so that Squid clients can reach a remote mail server

Dear Sir/Madam:

Subject: accept ports 143 and 25 on eth0 and redirect them to the remote mail server's ports 25 and 143 (should work for the Squid clients)

I have Squid set up on a box with two NICs:

eth0: 192.168.1.242
eth0:gateway none
eth1:2.2.2.2(external ip)
eth1:gateway 2.2.2.3

Squid is working fine, but I want to allow the clients using Squid to connect to the IMAP server (remote mail server). The following is my firewall:

ext_nic=eth1
int_nic=eth0
ext_ip=2.2.2.2
int_ip=192.168.1.242
emip=4.4.4.4   # remote mail server

# Allow the kernel to route between the two NICs
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F

iptables -A INPUT -i lo -j ACCEPT   # loopback traffic
# Connections rewritten by DNAT in PREROUTING are routed onward, so they
# traverse FORWARD rather than INPUT; these two rules only matter for
# traffic aimed at a mail service running on the gateway itself.
iptables -A INPUT -i $int_nic -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i $int_nic -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i $int_nic -p tcp --dport 3128 -j ACCEPT   # Squid listener

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Clients connect to the gateway's internal address; rewrite the destination
# to the remote mail server before the routing decision
iptables -t nat -A PREROUTING -p tcp -d $int_ip --dport 25 -j DNAT --to $emip:25
iptables -t nat -A PREROUTING -p tcp -d $int_ip --dport 143 -j DNAT --to $emip:143
# Source-NAT everything leaving eth1 so the replies come back through this box
iptables -t nat -A POSTROUTING -o $ext_nic -j MASQUERADE

----------------------- output from the Linux box -----------------------
Please also note the output of the command: iptables -L -vn

Chain INPUT (policy DROP 295 packets, 46916 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    3   180 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143
   69 13344 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
  172 72539 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       192.168.1.0/24       0.0.0.0/0          
    2   184 DROP       icmp --  *      *       0.0.0.0/0            2.2.2.2             icmp type 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          
    0     0 ACCEPT     udp  --  eth1   *       5.5.5.5              0.0.0.0/0           udp spt:53 state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth1   *       192.168.1.249        0.0.0.0/0           udp spt:53 state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  eth0   *       61.1.96.69           0.0.0.0/0           udp spt:53 state RELATED,ESTABLISHED
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID LOG flags 0 level 4
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination        

Chain OUTPUT (policy ACCEPT 359 packets, 94740 bytes)
 pkts bytes target     prot opt in     out     source               destination        

----------------------- output from the Linux box -----------------------
Similarly, please see the output of the command: iptables -L -vn -t nat

Chain PREROUTING (policy ACCEPT 317 packets, 50632 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.242       tcp dpt:25 to:4.4.4.4:25
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.242       tcp dpt:143 to:4.4.4.4:143

Chain POSTROUTING (policy ACCEPT 1 packets, 38 bytes)
 pkts bytes target     prot opt in     out     source               destination        
  103  7333 MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0          

Chain OUTPUT (policy ACCEPT 104 packets, 7371 bytes)
 pkts bytes target     prot opt in     out     source               destination        


----------- Squid config -----------
Added ports 25 and 143 to the Safe_ports list.

With all of the above config, the Squid client is still not able to connect to the remote mail server; the attempt ends with the following error message:

Your 'Inbox' folder was not polled for its unread count. The connection to the server has failed. Account: 'xx', Server: '4.4.4.4', Protocol: IMAP, Server Response: '', Port: 143, Secure(SSL): No, Error Number: 0x800CCC0E


Please suggest where I am going wrong.

Regards,
Indar

Asked by INDARKUMAR

Gabriel Orozco (Solution Architect) commented:
Maybe this is because Squid is an HTTP proxy and cannot proxy the SMTP/IMAP/POP3 protocols.

Also, maybe because you are posting rules for iptables and not for Squid.

If you meant "iptables" instead of "Squid" then it's more readable, and then I suppose you are trying to say this:

"I have a Linux gateway to the internet. I want to set up an internal machine so it thinks the email server is my Linux machine, but instead I want to redirect the traffic to an external email/IMAP server."

If this is the case, then what I can see in your Microsoft Exchange client is that you are not configuring it to have your Linux box as its email server, but instead the remote client.

Configure your Exchange client to have your internal IP address in the server IP field: 192.168.1.242

The redirect should work, as I don't see anything wrong there.
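The answer above identifies the real fault: the client points at 4.4.4.4 directly, so the PREROUTING rule (which only matches packets addressed to 192.168.1.242) never fires, consistent with the zero counters on both DNAT rules. The script below is an added example, not code from the original post or from Gabriel Orozco, that rebuilds the questioner's ruleset around that observation. It reuses the interface names and addresses from the question (eth0/eth1, 192.168.1.242, 4.4.4.4) and adds two things the question's script does not have: a FORWARD policy of DROP with an explicit allow only for connections that conntrack marks as DNATed, so the internal network cannot use the gateway to reach arbitrary hosts on ports 25 and 143, and a dry-run mode (the default unless invoked with `apply`) that prints the iptables commands instead of executing them, so the rules can be inspected without root. The `--ctstate DNAT` match and the MAIL_PORTS loop are the editor's choices, not something the original thread describes.

```shell
#!/bin/sh
# Added example: iptables DNAT redirect of mail ports through a Squid gateway.
# Addresses and interface names follow the question; the FORWARD hardening and
# dry-run mode are assumptions added here, not part of the original thread.
# Usage:  sh mail-redirect.sh          # print the commands (dry run)
#         sh mail-redirect.sh apply    # apply them (requires root)

EXT_NIC="${EXT_NIC:-eth1}"
INT_NIC="${INT_NIC:-eth0}"
INT_IP="${INT_IP:-192.168.1.242}"      # address the clients must be configured to use
INT_NET="${INT_NET:-192.168.1.0/24}"
MAIL_IP="${MAIL_IP:-4.4.4.4}"          # remote mail server from the question
MAIL_PORTS="${MAIL_PORTS:-25 143}"

# ipt: print the iptables command in dry-run mode, execute it otherwise.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Routing between the NICs is required for any forwarded traffic.
    [ "${DRY_RUN:-1}" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP      # the question used ACCEPT; only forward what we DNAT below
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Squid itself listens on the gateway, so its port belongs in INPUT.
    ipt -A INPUT -i "$INT_NIC" -s "$INT_NET" -p tcp --dport 3128 -j ACCEPT

    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in $MAIL_PORTS; do
        # Clients connect to the gateway's internal address; PREROUTING rewrites the
        # destination to the remote server before the routing decision is made...
        ipt -t nat -A PREROUTING -i "$INT_NIC" -p tcp -d "$INT_IP" --dport "$port" \
            -j DNAT --to-destination "$MAIL_IP:$port"
        # ...so the packet is routed onward and passes FORWARD, not INPUT. Accept only
        # connections conntrack recorded as DNATed, i.e. ones that came through the
        # rule above, not anything a client aims at the remote host directly.
        ipt -A FORWARD -i "$INT_NIC" -o "$EXT_NIC" -p tcp -d "$MAIL_IP" --dport "$port" \
            -m conntrack --ctstate DNAT -j ACCEPT
    done
    # Replies must return via this box: source-NAT everything leaving the external NIC.
    ipt -t nat -A POSTROUTING -o "$EXT_NIC" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then DRY_RUN=0; else DRY_RUN=1; fi
apply_rules
```

After applying, `iptables -t nat -L PREROUTING -vn` should show the DNAT counters increasing when a client configured with server 192.168.1.242 opens its mailbox; if they stay at zero, the client is still addressing the remote server directly, exactly the symptom in the question.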

INDARKUMAR (Author) commented:
Thanks the config is working fine.