VMWARE asked:
Accessing an email server behind a firewall

Hello,

I'm new to iptables. How do I put the mail server (SMTP/POP3) behind the firewall with iptables?

Current scenario (see attachment for details):

    Mail clients (LAN & Internet) have direct access to the public IP (Public IP2) of the mail server. SMTP/POP server = Public IP2

Desired scenario (see attachment for details):

    In this new scenario, mail clients (LAN & Internet) MUST have direct access to the old public IP (Public IP2), but the mail server MUST be behind the firewall. The clients' email setup MUST be Public IP2.

Current iptables rules:
---------------------------------------------------------------------
Chain INPUT (policy DROP)
target     prot opt source               destination        
loopback   0    --  anywhere             anywhere            
ACCEPT     0    --  192.1.1.0/24         192.1.1.0/24        
RESERVED   0    --  10.0.0.0/8           anywhere            
RESERVED   0    --  172.16.0.0/12        anywhere            
RESERVED   0    --  192.168.0.0/16       anywhere            
RESERVED   0    --  ALL-SYSTEMS.MCAST.NET  anywhere            
RESERVED   0    --  ALL-ROUTERS.MCAST.NET  anywhere            
RESERVED   0    --  DVMRP.MCAST.NET      anywhere            
RESERVED   0    --  OSPF-ALL.MCAST.NET   anywhere            
RESERVED   0    --  OSPF-DSIG.MCAST.NET  anywhere            
RESERVED   0    --  RIP2-ROUTERS.MCAST.NET  anywhere            
RESERVED   0    --  PIM-ROUTERS.MCAST.NET  anywhere            
RESERVED   0    --  ALL-CBT-ROUTERS.MCAST.NET  anywhere            
MULTICAST  0    --  ALL-SYSTEMS.MCAST.NET  anywhere            
MULTICAST  0    --  ALL-ROUTERS.MCAST.NET  anywhere            
MULTICAST  0    --  DVMRP.MCAST.NET      anywhere            
MULTICAST  0    --  OSPF-ALL.MCAST.NET   anywhere            
MULTICAST  0    --  OSPF-DSIG.MCAST.NET  anywhere            
MULTICAST  0    --  RIP2-ROUTERS.MCAST.NET  anywhere            
MULTICAST  0    --  PIM-ROUTERS.MCAST.NET  anywhere            
MULTICAST  0    --  ALL-CBT-ROUTERS.MCAST.NET  anywhere            
ACCEPT     icmp --  anywhere             anywhere            limit: avg 1/sec burst 5
DNS        udp  --  ns1.mydns.com            anywhere            udp spt:domain
DNS        udp  --  ns2.mydns.com            anywhere            udp spt:domain
DNS        udp  --  google-public-dns-a.google.com  anywhere            udp spt:domain
DNS        udp  --  google-public-dns-b.google.com  anywhere            udp spt:domain
PUBLIC     tcp  --  anywhere             firewall.myfirewall.com tcp dpt:smtp
PUBLIC     tcp  --  anywhere             firewall.myfirewall.com tcp dpt:ssh
PUBLIC     udp  --  anywhere             firewall.myfirewall.com udp dpt:ssh
CLIENT     tcp  --  xx.Red-217-xxx-xx.staticIP.rima-tde.net  anywhere            tcp dpt:ssh
CLIENT     udp  --  xx.Red-217-xxx-xx.staticIP.rima-tde.net  anywhere            udp dpt:ssh
CLIENT     tcp  --  xx.Red-217-xxx-xx.staticIP.rima-tde.net  anywhere            tcp dpt:webmin
CLIENT     udp  --  xx.Red-217-xxx-xx.staticIP.rima-tde.net  anywhere            udp dpt:10000
STATEFUL   0    --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination        
ACCEPT     tcp  --  192.1.1.0/24         firewall.myfirewall.com tcp dpt:www
ACCEPT     udp  --  192.1.1.0/24         firewall.myfirewall.com udp dpt:www
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-ns
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-ns
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-dgm
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-ssn
STATEFUL   0    --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
loopback   0    --  anywhere             anywhere            
DROP       icmp --  anywhere             anywhere            state INVALID
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-ns
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-ns
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-dgm
BLOCK_OUT  tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
BLOCK_OUT  udp  --  anywhere             anywhere            udp dpt:netbios-ssn

Chain ACCEPTnLOG (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (accept) '
ACCEPT     0    --  anywhere             anywhere            

Chain BLACKLIST (0 references)
target     prot opt source               destination        
DROP       0    --  anywhere             anywhere            

Chain BLOCK_OUT (12 references)
target     prot opt source               destination        
DROP       0    --  anywhere             anywhere            

Chain CLIENT (4 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain CLOSED (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (closed port drop) '
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere            

Chain DHCP (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (DHCP accept) '
ACCEPT     0    --  anywhere             anywhere            

Chain DMZ (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (DMZ drop) '
DROP       0    --  anywhere             anywhere            

Chain DNS (4 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain DROPICMP (0 references)
target     prot opt source               destination        
DROP       0    --  anywhere             anywhere            

Chain DROPnLOG (1 references)
target     prot opt source               destination        
DROP       udp  --  anywhere             anywhere            udp dpts:netbios-ns:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:www dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN
DROP       udp  --  anywhere             255.255.255.255     udp spt:bootps dpt:bootpc
DROP       udp  --  anywhere             255.255.255.255     udp spt:bootpc dpt:bootps
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere            

Chain HIGHPORT (0 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain MON_OUT (0 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain MULTICAST (8 references)
target     prot opt source               destination        
DROP       0    --  anywhere             anywhere            

Chain OPENPORT (0 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain PUBLIC (3 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            

Chain RESERVED (11 references)
target     prot opt source               destination        
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere            

Chain SCAN (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (possible port scan) '
DROP       0    --  anywhere             anywhere            

Chain SERVICEDROP (0 references)
target     prot opt source               destination        
LOG        0    --  anywhere             anywhere            LOG level info prefix `gShield (service drop) '
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
DROP       0    --  anywhere             anywhere            

Chain STATEFUL (2 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW
DROPnLOG   0    --  anywhere             anywhere            

Chain loopback (2 references)
target     prot opt source               destination        
ACCEPT     0    --  anywhere             anywhere            
----------------------------------------------------------------------------------------

What rules are needed to get what I want?

Thanks in advance
Attachment: mailserver.gif

ASKER CERTIFIED SOLUTION
Blaz

SOLUTION

anoym:

Please try something like this, for example for SMTP:

iptables -A INPUT -p tcp -i eth1 --dport 25 -j ACCEPT

or

iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
zed20:

Hello!
I suggest that you should try to make a rule in the FORWARD chain that allows clients in through the firewall to the mail server. If I see it right, the firewall's public IP that is visible from the Internet is 192.1.1.10 (eth0), and the private IP is 192.1.1.0/24 (eth1). In this case, I don't understand how the public IP can be in the same subnet range as the private subnet. Doesn't the firewall have router functionality? However, the iptables rule that forwards the traffic through the firewall should look like this:
"iptables -A FORWARD -m mac --mac-source {Client's MAC address} -p tcp --dport smtp -j ACCEPT"
of course without quotes, and substitute the {Client's MAC address} part (the braces are here to group the text; in the real rule they aren't there!) with the MAC address of the client's computer, if you want to do MAC filtering. One rule can be linked to only one client (MAC address). If you don't want MAC filtering, then ignore the -m mac --mac-source {Client's MAC address} part. This rule allows the traffic on the TCP smtp port. If you want to allow the pop3 port too, then create another rule, but there substitute smtp with the corresponding port name or number. Every port you want to allow must have a rule, except if you want to allow a range of ports. This means that if, for example, you want to allow traffic on ports 50 to 70, then you can add a rule where you substitute smtp with 50:70.
If you want to log the rule, then you should create a rule again, but in this case substitute ACCEPT with LOG. This rule must be before the ACCEPT rule. The LOG rule must be exactly the same as the ACCEPT rule. There is an exception if you do MAC or IP filtering. As I wrote about filtering earlier, every rule must have a LOG rule before it. This could be a lot to type, so it is not recommended to use filtering.
Good luck!
Bye!
VMWARE (asker):

Hello zed20,

A few clarifications about the firewall:

    Public IPs visible from the Internet = 212.xxx.xxx.xx7 (eth1) & 212.xxx.xxx.xx8 (eth1:1). There will be two public IPs (one real, associated with eth1, and another one virtual, associated with eth1:1).

    Private IP 192.1.1.10 (eth0)

VMWARE (asker):
Hello Blaz,

Last question,

Is it possible to inject these rules regardless of the rules that are already running? Do I not need to care about the order?

Thanks

Blaz:

The rules use the -I switch (== Insert), which means that these rules are moved to first place in the relevant chain. Because of this, other existing rules have no effect on execution (unless they are executed after these commands and with the -I switch as well).
VMWARE (asker):
I do not know if I understand.

Will the new rules interfere with those already in use?

What is the difference between adding the rules with the -A or the -I switch?

Blaz:

iptables uses several chains of rules (INPUT, FORWARD, PREROUTING, ...). They are called a chain because rules are processed one after another until a rule is found that matches the packet.

The -I switch (I = insert) adds the rule to the first place (the rule will be processed first). The -A switch (A = append) adds the rule to the last place in the chain. The last place can be problematic because frequently the (previous) last rule is "-j DROP", so the new rule will never be reached.

> Will the new rules interfere with those already in use?

No, not in the sense you are asking. Every packet will get processed by the new rules first which affect only the new mail traffic. All other (current) traffic is just handed over to the existing rules.
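As an added example (not code from the thread or from the hidden solution), a script that generates the iptables rules for the setup the asker wants: DNAT of the old public address (Public IP2) to a mail server on the LAN for SMTP and POP3, inserted with -I at the head of the chains for the reason Blaz gives. Interface names follow the asker's clarification; PUBLIC_IP2, MAIL_IP and the LAN-client hairpin rule are assumptions, and the addresses are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT the mail server's old public
# address (Public IP2) to a private host behind the firewall, for SMTP/POP3.
# Assumptions: eth1 is the Internet side, eth0 the 192.1.1.0/24 LAN (as the
# asker states); the addresses below are placeholders, not the real ones.
set -eu

PUB_IF="eth1"
LAN_IF="eth0"
LAN_NET="192.1.1.0/24"
PUBLIC_IP2="203.0.113.8"   # placeholder for the old public mail IP (eth1:1)
MAIL_IP="192.1.1.25"       # assumed private address of the mail server
MAIL_PORTS="25 110"        # smtp, pop3

# Emits the rules instead of running them, so they can be reviewed first.
# -I inserts at the head of each chain, so gShield's FORWARD DROP policy and
# its STATEFUL/DROPnLOG rules never see these packets first.
mail_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Replies to accepted connections; needed because FORWARD policy is DROP.
    echo "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $MAIL_PORTS; do
        # 1. Rewrite the destination of connections to Public IP2, whether they
        #    arrive from the Internet ($PUB_IF) or from LAN clients ($LAN_IF).
        echo "iptables -t nat -I PREROUTING -p tcp -d $PUBLIC_IP2 --dport $port -j DNAT --to-destination $MAIL_IP:$port"
        # 2. Allow only new connections to the mail server on that port.
        echo "iptables -I FORWARD -o $LAN_IF -p tcp -d $MAIL_IP --dport $port -m state --state NEW -j ACCEPT"
        # 3. Hairpin NAT: LAN clients also use Public IP2, so their replies must
        #    come back via the firewall, not straight from the server's LAN address.
        echo "iptables -t nat -I POSTROUTING -o $LAN_IF -s $LAN_NET -d $MAIL_IP -p tcp --dport $port -j MASQUERADE"
    done
}

# Number of iptables rule lines produced, for checking the generated set.
rule_count() {
    mail_rules | grep -c '^iptables'
}

# Print the rules; run with "apply" as root to execute them.
if [ "${1:-}" = "apply" ]; then
    mail_rules | sh -ex
else
    mail_rules
fi
```

The firewall's own INPUT chain is not involved: PREROUTING rewrites the destination before routing, so the translated packets take the FORWARD path rather than being delivered locally.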
VMWARE (asker):

Thanks Blaz