Accessing eMail server behind a firewall

Posted on 2010-08-31
Last Modified: 2013-11-16
Hello,

I'm new to iptables. How do I put the mail server (SMTP/POP3) behind the firewall with iptables?

Actual scenario (see attachment for details):

Mail clients (LAN & INTERNET) have direct access to the public IP (Public IP2) of the mail server. SMTP/POP server = Public IP2

Desired scenario (see attachment for details):

In this new scenario, mail clients (LAN & INTERNET) MUST still have direct access to the old public IP (Public IP2), but the mail server MUST be behind the firewall. The clients' email setup MUST keep using Public IP2.

Actual IPTables rules:
---------------------------------------------------------------------
Chain INPUT (policy DROP)
target     prot opt source               destination        
loopback   0    --  anywhere             anywhere            
ACCEPT     0    --  192.1.1.0/24         192.1.1.0/24        
RESERVED   0    --  10.0.0.0/8           anywhere            
RESERVED   0    --  172.16.0.0/12        anywhere            
RESERVED   0    --  192.168.0.0/16       anywhere            
RESERVED   0    --  ALL-SYSTEMS.MCAST.NET  anywhere            
RESERVED   0    --  ALL-ROUTERS.MCAST.NET  anywhere            
RESERVED   0    --  DVMRP.MCAST.NET      anywhere            
RESERVED   0    --  OSPF-ALL.MCAST.NET   anywhere            
RESERVED   0    --  OSPF-DSIG.MCAST.NET  anywhere            
RESERVED   0    --  RIP2-ROUTERS.MCAST.NET  anywhere            
RESERVED   0    --  PIM-ROUTERS.MCAST.NET  anywhere            
RESERVED   0    --  ALL-CBT-ROUTERS.MCAST.NET  anywhere            
MULTICAST  0    --  ALL-SYSTEMS.MCAST.NET  anywhere            
MULTICAST  0    --  ALL-ROUTERS.MCAST.NET  anywhere            
MULTICAST  0    --  DVMRP.MCAST.NET      anywhere            
MULTICAST  0    --  OSPF-ALL.MCAST.NET   anywhere            
MULTICAST  0    --  OSPF-DSIG.MCAST.NET  anywhere            
MULTICAST  0    --  RIP2-ROUTERS.MCAST.NET  anywhere            
MULTICAST  0    --  PIM-ROUTERS.MCAST.NET  anywhere            
MULTICAST  0    --  ALL-CBT-ROUTERS.MCAST.NET  anywhere            
ACCEPT     icmp --  anywhere             anywhere            limit: avg 1/sec burst 5
DNS        udp  --  ns1.mydns.com            anywhere            udp spt:domain
DNS        udp  --  ns2.mydns.com            anywhere            udp spt:domain
DNS        udp  --  google-public-dns-a.google.com  anywhere            udp spt:domain
DNS        udp  --  google-public-dns-b.google.com  anywhere            udp spt:domain
PUBLIC     tcp  --  anywhere             firewall.myfirewall.com tcp dpt:smtp
PUBLIC     tcp  --  anywhere             firewall.myfirewall.com tcp dpt:ssh
PUBLIC     udp  --  anywhere             firewall.myfirewall.com udp dpt:ssh
CLIENT     tcp  --  xx.Red-217-xxx-xx.staticIP.rima-tde.net  anywhere            tcp dpt:ssh
CLIENT     udp  --  xx.Red-217-xxx-xx.staticIP.rima-tde.net  anywhere            udp dpt:ssh
CLIENT     tcp  --  xx.Red-217-xxx-xx.staticIP.rima-tde.net  anywhere            tcp dpt:webmin
CLIENT     udp  --  xx.Red-217-xxx-xx.staticIP.rima-tde.net  anywhere            udp dpt:10000
STATEFUL   0    --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination        
ACCEPT     tcp  --  192.1.1.0/24         firewall.myfirewall.com tcp dpt:www
ACCEPT     udp  --  192.1.1.0/24         firewall.myfirewall.com udp dpt:www
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-ns
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-ns
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-dgm
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-ssn
STATEFUL   0    --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
loopback   0    --  anywhere             anywhere            
DROP       icmp --  anywhere             anywhere            state INVALID
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-ns
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-ns
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-dgm
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-ssn

Chain ACCEPTnLOG (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (accept) '
ACCEPT     0    --  anywhere             anywhere            

Chain BLACKLIST (0 references)
target     prot opt source               destination        
DROP       0    --  anywhere             anywhere            

Chain BLOCK_OUT (12 references)
target     prot opt source               destination        
DROP       0    --  anywhere             anywhere            

Chain CLIENT (4 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain CLOSED (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (closed port drop) '
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere            

Chain DHCP (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (DHCP accept) '
ACCEPT     0    --  anywhere             anywhere            

Chain DMZ (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (DMZ drop) '
DROP       0    --  anywhere             anywhere            

Chain DNS (4 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain DROPICMP (0 references)
target     prot opt source               destination        
DROP       0    --  anywhere             anywhere            

Chain DROPnLOG (1 references)
target     prot opt source               destination        
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             255.255.255.255     udp spt:bootps dpt:bootpc
DROP       udp  --  anywhere             255.255.255.255     udp spt:bootpc dpt:bootps
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere            

Chain HIGHPORT (0 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain MON_OUT (0 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain MULTICAST (8 references)
target     prot opt source               destination        
DROP       0    --  anywhere             anywhere            

Chain OPENPORT (0 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain PUBLIC (3 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain RESERVED (11 references)
target     prot opt source               destination        
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere            

Chain SCAN (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (possible port scan) '
DROP       0    --  anywhere             anywhere            

Chain SERVICEDROP (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (service drop) '
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere            

Chain STATEFUL (2 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW
DROPnLOG   0    --  anywhere             anywhere            

Chain loopback (2 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            
----------------------------------------------------------------------------------------

What rules are needed to get what I want?

Thanks in advance
mailserver.gif
Question by:VMWARE
10 Comments
 
Accepted Solution by: Blaz (LVL 16, earned 2000 total points)
ID: 33566260
Basically you need two rules for this thing:
iptables -t nat -I PREROUTING -d <public_IP2> -j DNAT --to-destination 192.1.1.6
iptables -I FORWARD -d 192.1.1.6 -j ACCEPT

But actually you probably just want to allow ports 25 and 110, so instead of second rule:
iptables -I FORWARD -d 192.1.1.6 -m tcp -p tcp --dport 25 -j ACCEPT
iptables -I FORWARD -d 192.1.1.6 -m tcp -p tcp --dport 110 -j ACCEPT
 
Assisted Solution by: Blaz (LVL 16, earned 2000 total points)
ID: 33566290
Also you would like the mailserver to always get public_IP2, so:
iptables -t nat -I POSTROUTING -s 192.1.1.6 -j SNAT --to-source <public_IP2>

And by the way - network 192.1.1.0/24 is not a valid private network!
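The two accepted-solution rules plus the SNAT rule, assembled into one reviewable script. This is an added example, not Blaz's or the asker's code: it keeps the page's 192.1.1.6 mail server, uses the documentation address 203.0.113.8 as a constructed placeholder for "Public IP2", assumes eth1 is the public interface and eth0 the LAN as the asker describes, restricts the DNAT to ports 25 and 110, and adds the hairpin rule that LAN clients need when they too connect to Public IP2 (after DNAT the server would otherwise answer them directly on the LAN, bypassing the firewall, and the connection would fail).

```shell
#!/bin/sh
# Added example: DNAT/SNAT rule set for a mail server behind an iptables firewall.
# Addresses/interfaces are assumptions (see lead-in); 203.0.113.8 is a placeholder.
# By default the rules are only printed for review; set APPLY=1 to execute them.

PUBLIC_IP2="${PUBLIC_IP2:-203.0.113.8}"   # placeholder for the real Public IP2
MAIL_IP="${MAIL_IP:-192.1.1.6}"           # mail server, from the page
LAN_NET="${LAN_NET:-192.1.1.0/24}"        # LAN, from the page
WAN_IF="${WAN_IF:-eth1}"                  # public interface (asker's layout)
LAN_IF="${LAN_IF:-eth0}"                  # LAN interface (asker's layout)

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

mail_nat_rules() {
    # The firewall must route between eth1 and eth0 for FORWARD rules to matter.
    run sysctl -w net.ipv4.ip_forward=1
    for port in 25 110; do
        # 1. Rewrite SMTP/POP3 connections aimed at Public IP2 to the mail server.
        run iptables -t nat -I PREROUTING -p tcp -d "$PUBLIC_IP2" --dport "$port" \
            -j DNAT --to-destination "$MAIL_IP"
        # 2. Allow only those two ports through FORWARD. -I puts the rule ahead of
        #    the existing BLOCK_OUT/STATEFUL rules, so chain order is not a concern.
        run iptables -I FORWARD -p tcp -d "$MAIL_IP" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Replies and related packets for flows already accepted above.
    run iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. Outbound mail from the server leaves as Public IP2, not the firewall's IP.
    run iptables -t nat -I POSTROUTING -s "$MAIL_IP" -o "$WAN_IF" \
        -j SNAT --to-source "$PUBLIC_IP2"
    # 4. Hairpin for LAN clients using Public IP2: masquerade LAN-originated,
    #    DNATed traffic so the server's replies return via the firewall.
    run iptables -t nat -I POSTROUTING -s "$LAN_NET" -d "$MAIL_IP" -o "$LAN_IF" \
        -j MASQUERADE
}

mail_nat_rules
```

Verify placement afterwards with `iptables -nvL FORWARD --line-numbers` and `iptables -t nat -nvL`; the inserted rules should appear at the top of their chains.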
 
Expert Comment by: anoym (LVL 2)
ID: 33566351
Please try something like this, for example for SMTP:

iptables -A INPUT -p tcp -i eth1 --dport 25 -j ACCEPT

or

iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

Expert Comment by: Zed20
ID: 33566606
Hello!
I suggest that you should try to make a rule in the FORWARD chain that allows clients in through the firewall to the mail server. If I see correctly, the firewall's public IP, the one visible from the internet, is 192.1.1.10 (eth0), and the private network is 192.1.1.0/24 (eth1). In this case I don't understand how the public IP can be in the same subnet range as the private subnet. Doesn't the firewall have router functionality? However, the iptables rule that forwards the traffic through the firewall should look like this:
"iptables -A FORWARD -m mac --mac-source {Client's MAC address} -p tcp --dport smtp -j ACCEPT"
of course without the quotes, and substitute the {Client's MAC address} part (the braces are here to group the text; in the real rule they aren't there!) with the MAC address of the client's computer, if you want to do MAC filtering. One rule can be linked to only one client (MAC address). If you don't want MAC filtering, then leave out the -m mac --mac-source {Client's MAC address} part. This rule allows the traffic on the TCP smtp port. If you want to allow the pop3 port too, then create another rule, but there substitute smtp with the corresponding port name or number. Every port you want to allow must have a rule, unless you want to allow a range of ports. This means that if, for example, you want to allow traffic on ports 50 to 70, you can add a rule where you substitute smtp with 50:70.
If you want to log the rule, then create the rule again, but this time substitute ACCEPT with LOG. This rule must come before the ACCEPT rule. The LOG rule must be exactly the same as the ACCEPT rule. There is an exception if you do MAC or IP filtering. As I wrote about filtering earlier, every rule must have a LOG rule before it. This could be a lot to type, so filtering is not recommended.
Good luck!
Bye!
 

Author Comment by: VMWARE
ID: 33567802
Hello zed20,

A few clarifications about the firewall:

- public IPs visible from the internet = 212.xxx.xxx.xx7 (eth1) & 212.xxx.xxx.xx8 (eth1:1). It will have two public IPs (one real, associated with eth1, and another virtual one, associated with eth1:1)
- private IP 192.1.1.10 (eth0)
 

Author Comment by: VMWARE
ID: 33636811
Hello Blaz,

Last question,

Is it possible to inject these rules regardless of the rules that are already running? Don't I need to care about the order?

Thanks

 
Expert Comment by: Blaz (LVL 16)
ID: 33637019
The rules use the -I switch (== Insert), which means that these rules are placed first in the relevant chain. Because of this the other existing rules have no effect on their execution (unless they are executed after these commands and with the -I switch as well).
 

Author Comment by: VMWARE
ID: 33637939
I do not know if I understand.

Will the new rules interfere with those already in use?

What is the difference between adding the rules with the -A or the -I switch?

 
Expert Comment by: Blaz (LVL 16)
ID: 33643916
iptables uses several chains of rules (INPUT, FORWARD, PREROUTING, ...). They are called a chain because rules are processed one after another until a rule is found that matches the packet.

The -I switch (I = insert) adds the rule in the first place (the rule will be processed first). The -A switch (A = append) adds the rule in the last place in the chain. The last place can be problematic because frequently the (previous) last rule is "-j DROP", so the new rule will never be reached.

> The new rules will interfere with those already in use?.

No, not in the sense you are asking. Every packet will get processed by the new rules first which affect only the new mail traffic. All other (current) traffic is just handed over to the existing rules.
 

Author Closing Comment by: VMWARE
ID: 33761588
Thanks Blaz