Accessing an email server behind a firewall

Posted on 2010-08-31
Last Modified: 2013-11-16
Hello,

I'm new to iptables. How do I put the mail server (SMTP/POP3) behind the firewall with iptables?

Current scenario (see attachment for details):

      Mail clients (LAN & Internet) have direct access to the public IP (Public IP2) of the mail server.    SMTP/POP server = Public IP2

Desired scenario (see attachment for details):

      In this new scenario, mail clients (LAN & Internet) MUST still have direct access to the old public IP (Public IP2), but the mail server MUST be behind the firewall. The clients' email setup MUST remain Public IP2.

Current iptables rules:
---------------------------------------------------------------------
Chain INPUT (policy DROP)
target     prot opt source               destination        
loopback   0    --  anywhere             anywhere            
ACCEPT     0    --  192.1.1.0/24         192.1.1.0/24        
RESERVED   0    --  10.0.0.0/8           anywhere            
RESERVED   0    --  172.16.0.0/12        anywhere            
RESERVED   0    --  192.168.0.0/16       anywhere            
RESERVED   0    --  ALL-SYSTEMS.MCAST.NET  anywhere            
RESERVED   0    --  ALL-ROUTERS.MCAST.NET  anywhere            
RESERVED   0    --  DVMRP.MCAST.NET      anywhere            
RESERVED   0    --  OSPF-ALL.MCAST.NET   anywhere            
RESERVED   0    --  OSPF-DSIG.MCAST.NET  anywhere            
RESERVED   0    --  RIP2-ROUTERS.MCAST.NET  anywhere            
RESERVED   0    --  PIM-ROUTERS.MCAST.NET  anywhere            
RESERVED   0    --  ALL-CBT-ROUTERS.MCAST.NET  anywhere            
MULTICAST  0    --  ALL-SYSTEMS.MCAST.NET  anywhere            
MULTICAST  0    --  ALL-ROUTERS.MCAST.NET  anywhere            
MULTICAST  0    --  DVMRP.MCAST.NET      anywhere            
MULTICAST  0    --  OSPF-ALL.MCAST.NET   anywhere            
MULTICAST  0    --  OSPF-DSIG.MCAST.NET  anywhere            
MULTICAST  0    --  RIP2-ROUTERS.MCAST.NET  anywhere            
MULTICAST  0    --  PIM-ROUTERS.MCAST.NET  anywhere            
MULTICAST  0    --  ALL-CBT-ROUTERS.MCAST.NET  anywhere            
ACCEPT     icmp --  anywhere             anywhere            limit: avg 1/sec burst 5
DNS        udp  --  ns1.mydns.com            anywhere            udp spt:domain
DNS        udp  --  ns2.mydns.com            anywhere            udp spt:domain
DNS        udp  --  google-public-dns-a.google.com  anywhere            udp spt:domain
DNS        udp  --  google-public-dns-b.google.com  anywhere            udp spt:domain
PUBLIC     tcp  --  anywhere             firewall.myfirewall.com tcp dpt:smtp
PUBLIC     tcp  --  anywhere             firewall.myfirewall.com tcp dpt:ssh
PUBLIC     udp  --  anywhere             firewall.myfirewall.com udp dpt:ssh
CLIENT     tcp  --  xx.Red-217-xxx-xx.staticIP.rima-tde.net  anywhere            tcp dpt:ssh
CLIENT     udp  --  xx.Red-217-xxx-xx.staticIP.rima-tde.net  anywhere            udp dpt:ssh
CLIENT     tcp  --  xx.Red-217-xxx-xx.staticIP.rima-tde.net  anywhere            tcp dpt:webmin
CLIENT     udp  --  xx.Red-217-xxx-xx.staticIP.rima-tde.net  anywhere            udp dpt:10000
STATEFUL   0    --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination        
ACCEPT     tcp  --  192.1.1.0/24         firewall.myfirewall.com tcp dpt:www
ACCEPT     udp  --  192.1.1.0/24         firewall.myfirewall.com udp dpt:www
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-ns
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-ns
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-dgm
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-ssn
STATEFUL   0    --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
loopback   0    --  anywhere             anywhere            
DROP       icmp --  anywhere             anywhere            state INVALID
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-ns
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-ns
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-dgm
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-ssn

Chain ACCEPTnLOG (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (accept) '
ACCEPT     0    --  anywhere             anywhere            

Chain BLACKLIST (0 references)
target     prot opt source               destination        
DROP       0    --  anywhere             anywhere            

Chain BLOCK_OUT (12 references)
target     prot opt source               destination        
DROP       0    --  anywhere             anywhere            

Chain CLIENT (4 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain CLOSED (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (closed port drop) '
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere            

Chain DHCP (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (DHCP accept) '
ACCEPT     0    --  anywhere             anywhere            

Chain DMZ (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (DMZ drop) '
DROP       0    --  anywhere             anywhere            

Chain DNS (4 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain DROPICMP (0 references)
target     prot opt source               destination        
DROP       0    --  anywhere             anywhere            

Chain DROPnLOG (1 references)
target     prot opt source               destination        
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             255.255.255.255     udp spt:bootps dpt:bootpc
DROP       udp  --  anywhere             255.255.255.255     udp spt:bootpc dpt:bootps
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere            

Chain HIGHPORT (0 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain MON_OUT (0 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain MULTICAST (8 references)
target     prot opt source               destination        
DROP       0    --  anywhere             anywhere            

Chain OPENPORT (0 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain PUBLIC (3 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain RESERVED (11 references)
target     prot opt source               destination        
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere            

Chain SCAN (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (possible port scan) '
DROP       0    --  anywhere             anywhere            

Chain SERVICEDROP (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (service drop) '
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere            

Chain STATEFUL (2 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW
DROPnLOG   0    --  anywhere             anywhere            

Chain loopback (2 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            
----------------------------------------------------------------------------------------

What rules are needed to get what I want?

Thanks in advance
Attachment: mailserver.gif

Question by: VMWARE

Accepted Solution by: Blaz (earned 500 total points)

Basically you need two rules for this thing:
iptables -t nat -I PREROUTING -d <public_IP2> -j DNAT --to-destination 192.1.1.6
iptables -I FORWARD -d 192.1.1.6 -j ACCEPT

But actually you probably just want to allow ports 25 and 110, so instead of second rule:
iptables -I FORWARD -d 192.1.1.6 -m tcp -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -d 192.1.1.6 -m tcp -p tcp --dport 110 -j ACCEPT

Assisted Solution by: Blaz

Also, you would like the mail server to always get public_IP2, so:
iptables -t nat -I POSTROUTING -s 192.1.1.6 -j SNAT --to-source <public_IP2>

And by the way - network 192.1.1.0/24 is not a valid private network!
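
The rules from Blaz's accepted and assisted solutions, collected into one script as an added example (this is not code from the thread). It assumes the interface layout the asker gives further down (eth1 public, eth0 private), uses an RFC 5737 documentation address as a placeholder for Public IP2, and keeps 192.1.1.6 and 192.1.1.0/24 from the question. It differs from the bare rules above in three ways a practitioner would want: the DNAT is limited to the mail ports so other traffic to Public IP2 (ssh to the firewall, for instance) is not swallowed; the SNAT is limited to the WAN interface so the mail server can still talk to LAN hosts under its own address; and LAN clients get a hairpin rule, because without it the server answers a LAN client directly from 192.1.1.6 instead of through the firewall, and the client drops the reply. Note also that in the listing above the STATEFUL chain, which ends both INPUT and FORWARD, accepts `state NEW` for any protocol, so the FORWARD policy DROP is only reached for INVALID packets; the per-port ACCEPT rules below only restrict anything once that chain is tightened.

```shell
#!/bin/sh
# Added example, not code from the thread. Publishes a LAN mail server
# (192.1.1.6, from the question) on a second public address so that LAN
# and Internet clients both keep Public IP2 in their mail settings.
# Assumptions (placeholders, override via the environment): PUBLIC_IP2 is an
# RFC 5737 documentation address; WAN_IF/LAN_IF follow the asker's later
# clarification (eth1 public, eth0 private).
PUBLIC_IP2="${PUBLIC_IP2:-203.0.113.8}"
MAIL_SERVER="${MAIL_SERVER:-192.1.1.6}"
LAN_NET="${LAN_NET:-192.1.1.0/24}"
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
MAIL_PORTS="${MAIL_PORTS:-25 110}"

# Emit the rule set as iptables command lines, one per line, without
# touching the kernel. "-I" inserts at the head of the chain, so the
# existing gShield chains and the DROP policy cannot shadow these entries.
mail_nat_rules() {
  for port in $MAIL_PORTS; do
    # Only the mail ports are redirected; anything else sent to PUBLIC_IP2
    # (for example ssh to the firewall itself) is left alone.
    echo "iptables -t nat -I PREROUTING -i $WAN_IF -p tcp -d $PUBLIC_IP2 --dport $port -j DNAT --to-destination $MAIL_SERVER"
    # Hairpin for LAN clients: redirect their connections to PUBLIC_IP2 as
    # well, and masquerade them so the server's replies come back through
    # the firewall instead of going straight to the client on the LAN.
    echo "iptables -t nat -I PREROUTING -i $LAN_IF -s $LAN_NET -p tcp -d $PUBLIC_IP2 --dport $port -j DNAT --to-destination $MAIL_SERVER"
    echo "iptables -t nat -I POSTROUTING -o $LAN_IF -s $LAN_NET -p tcp -d $MAIL_SERVER --dport $port -j MASQUERADE"
    # Filter: admit only new connections to the published ports.
    echo "iptables -I FORWARD -p tcp -d $MAIL_SERVER --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Replies for the redirected connections; emitted last so it is inserted first.
  echo "iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  # Outbound mail must leave the WAN side as PUBLIC_IP2 (reverse DNS, SPF);
  # restricting to -o WAN_IF leaves the server's LAN-bound traffic untouched.
  echo "iptables -t nat -I POSTROUTING -o $WAN_IF -s $MAIL_SERVER -j SNAT --to-source $PUBLIC_IP2"
}

# Turn an "-I" rule into its "-C" (check) form so that re-running the
# script does not add duplicate rules; prints the check command line.
check_form() { printf '%s\n' "$1" | sed 's/ -I / -C /'; }

# Install: enable forwarding, then add each rule only if it is not present.
apply_mail_nat_rules() {
  sysctl -w net.ipv4.ip_forward=1
  mail_nat_rules | while IFS= read -r rule; do
    $(check_form "$rule") 2>/dev/null || $rule
  done
}

case "${1:-print}" in
  apply) apply_mail_nat_rules ;;
  print) mail_nat_rules ;;
esac
```

Run it without arguments to review the generated rules, and with `apply` (as root) to install them. Afterwards `iptables -t nat -L PREROUTING -n --line-numbers` and `iptables -L FORWARD -n --line-numbers` show that the new entries sit at the top of their chains, which is the effect of `-I` that Blaz describes later in the thread.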
 
Expert Comment by: anoym

Please try something like this, for example for SMTP:

iptables -A INPUT -p tcp -i eth1 --dport 25 -j ACCEPT

or

iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

Expert Comment by: Zed20

Hello!
I suggest that you try to make a rule in the FORWARD chain that allows clients in through the firewall to the mail server. If I see it correctly, the firewall's public IP that is visible from the Internet is 192.1.1.10 (eth0), and the private network is 192.1.1.0/24 (eth1). In this case, I don't understand how the public IP can be in the same subnet range as the private subnet. Doesn't the firewall have router functionality? However, the iptables rule that forwards the traffic through the firewall should look like this:
"iptables -A FORWARD -m mac --mac-source {Client's MAC address} -p tcp --dport smtp -j ACCEPT"
of course without the quotes, and substitute the {Client's MAC address} part (the braces are here to group the text; in the real rule they aren't there!) with the MAC address of the client's computer, if you want to do MAC filtering. One rule can be linked to only one client (MAC address). If you don't want MAC filtering, then leave out the -m mac --mac-source {Client's MAC address} part. This rule allows the traffic on the TCP smtp port. If you want to allow the pop3 port too, then create another rule, but there substitute smtp with the corresponding port name or number. Every port you want to allow must have a rule, unless you want to allow a range of ports. This means that if, for example, you want to allow traffic on ports 50 to 70, you can add a rule where you substitute smtp with 50:70.
If you want to log the rule, then you should create the rule again, but in this case substitute ACCEPT with LOG. This rule must come before the ACCEPT rule. The LOG rule must be exactly the same as the ACCEPT rule. There is an exception if you do MAC or IP filtering. As I wrote about filtering earlier, every rule must have a LOG rule before it. This could be a lot to type, so filtering is not recommended.
Good luck!
Bye!

Author Comment by: VMWARE

Hello zed20,

A few clarifications about the firewall:

           Public IPs visible from the Internet = 212.xxx.xxx.xx7 (eth1) & 212.xxx.xxx.xx8 (eth1:1). It will have two public IPs (one real one on eth1, and a virtual one on eth1:1).

           Private IP: 192.1.1.10 (eth0)


Author Comment by: VMWARE

Hello Blaz,

Last question:

Is it possible to inject these rules regardless of the rules that are already running? Does the order not matter?

Thanks


Expert Comment by: Blaz

The rules use the -I switch (Insert), which means that these rules are placed first in the relevant chain. Because of this, the other existing rules have no effect on their execution (unless they are executed after these commands and with the -I switch as well).

Author Comment by: VMWARE

I'm not sure I understand.

Will the new rules interfere with those already in use?

What is the difference between adding the rules with the -A or the -I switch?


Expert Comment by: Blaz

iptables uses several chains of rules (INPUT, FORWARD, PREROUTING, ...). They are called chains because the rules are processed one after another until a rule is found that matches the packet.

The -I switch (I = insert) adds the rule at the first position (the rule will be processed first). The -A switch (A = append) adds the rule at the last position in the chain. The last position can be problematic because frequently the (previous) last rule is "-j DROP", so the new rule will never be reached.

> The new rules will interfere with those already in use?.

No, not in the sense you are asking. Every packet will get processed by the new rules first which affect only the new mail traffic. All other (current) traffic is just handed over to the existing rules.

Author Closing Comment by: VMWARE

Thanks Blaz