* Help with POP3/SMTP and MASQ
@ 2002-06-10 21:37 Linux Tek
2002-06-10 22:17 ` Michael Hudin
` (3 more replies)
0 siblings, 4 replies; 7+ messages in thread
From: Linux Tek @ 2002-06-10 21:37 UTC (permalink / raw)
To: netfilter
Hello...
I've had no luck getting POP3/SMTP going through my RedHat 7.1 2.4
kernel iptables box. I have been able to set up incoming FTP connections
through my firewall, but no luck on the email. Here's my script... I've
pretty much added a lot of extra stuff hoping that something would work and I
could figure it out from there, but so far nothing's worked. I must be
missing something obvious!
Any help is appreciated, and thanks to everyone who takes the time to
respond!
#Beginning of script
#this was from someone's sample script..to load the modules.
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
# 2.2 Non-Required modules
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#some basic MASQ stuff so I can hit the internet!
cp /home/main/ip_forward /proc/sys/net/ipv4
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#rules for ftp in...working right now
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp --dport 20 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to 10.0.0.7:21
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 20 -j DNAT --to 10.0.0.7:20
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 20 -j ACCEPT
#rules for FTP out... NOT USED!!!!!!!!!
#iptables -t nat -A POSTROUTING -p tcp --sport 21 -j ACCEPT
#iptables -t nat -A POSTROUTING -p tcp --sport 20 -j ACCEPT
#iptables -A INPUT -p tcp --sport 21 -j ACCEPT
#iptables -A INPUT -p tcp --sport 20 -j ACCEPT
#iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
#iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
#for POP3 and SMTP mail
iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 25
iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 110
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --sport 25 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --sport 110 -j ACCEPT
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
* Re: Help with POP3/SMTP and MASQ
2002-06-10 21:37 Help with POP3/SMTP and MASQ Linux Tek
@ 2002-06-10 22:17 ` Michael Hudin
2002-06-11 2:21 ` Matthew Hellman
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: Michael Hudin @ 2002-06-10 22:17 UTC (permalink / raw)
To: netfilter
The problem looks like it is in your forwarding rules. You are telling it
to forward but you're not telling it from where to where, so you would need
something along the lines of
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT
if eth0 is your external and eth1 your internal.
You may need to invoke this slightly differently because I use the
iptables-save setup, not a script.
This should be a starting point. There may be other things that aren't
working as well.
-michael
----- Original Message -----
From: "Linux Tek" <linuxtek2002@hotmail.com>
To: <netfilter@lists.samba.org>
Sent: Monday, June 10, 2002 2:37 PM
Subject: Help with POP3/SMTP and MASQ
> Hello...
> I've had no luck getting POP3/SMTP going through my RedHat 7.1 2.4
> kernel iptables box. I have been able to set up incoming FTP connections
> through my firewall, but no luck on the email. Here's my script... I've
> pretty much added a lot of extra stuff hoping that something would work and
> I could figure it out from there, but so far nothing's worked. I must be
> missing something obvious!
>
> Any help is appreciated, and thanks to everyone who takes the time to
> respond!
>
>
> #Beginning of script
> #this was from someone's sample script..to load the modules.
>
> /sbin/modprobe ip_tables
> /sbin/modprobe ip_conntrack
> /sbin/modprobe iptable_filter
> /sbin/modprobe iptable_mangle
> /sbin/modprobe iptable_nat
> /sbin/modprobe ipt_LOG
> /sbin/modprobe ipt_limit
> /sbin/modprobe ipt_state
>
> #
> # 2.2 Non-Required modules
> #
>
> #/sbin/modprobe ipt_owner
> #/sbin/modprobe ipt_REJECT
> #/sbin/modprobe ipt_MASQUERADE
> #/sbin/modprobe ip_conntrack_ftp
> #/sbin/modprobe ip_conntrack_irc
>
>
>
> #some basic MASQ stuff so I can hit the internet!
> cp /home/main/ip_forward /proc/sys/net/ipv4
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> #rules for ftp in...working right now
>
> iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
> iptables -A FORWARD -p tcp --dport 20 -j ACCEPT
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to 10.0.0.7:21
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 20 -j DNAT --to 10.0.0.7:20
>
> iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 21 -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 20 -j ACCEPT
>
> #rules for FTP out... NOT USED!!!!!!!!!
> #iptables -t nat -A POSTROUTING -p tcp --sport 21 -j ACCEPT
> #iptables -t nat -A POSTROUTING -p tcp --sport 20 -j ACCEPT
> #iptables -A INPUT -p tcp --sport 21 -j ACCEPT
> #iptables -A INPUT -p tcp --sport 20 -j ACCEPT
>
> #iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
> #iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
>
>
> #for POP3 and SMTP mail
> iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 25
> iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 110
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 110 -j ACCEPT
>
> iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
> iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
>
> iptables -t nat -A POSTROUTING -p tcp --sport 25 -j ACCEPT
> iptables -t nat -A POSTROUTING -p tcp --sport 110 -j ACCEPT
>
* Re: Help with POP3/SMTP and MASQ
2002-06-10 21:37 Help with POP3/SMTP and MASQ Linux Tek
2002-06-10 22:17 ` Michael Hudin
@ 2002-06-11 2:21 ` Matthew Hellman
2002-06-11 13:54 ` Payal
[not found] ` <200206111923.23006@.>
3 siblings, 0 replies; 7+ messages in thread
From: Matthew Hellman @ 2002-06-11 2:21 UTC (permalink / raw)
To: Linux Tek, netfilter
To forward incoming connections to boxes on the internal side of the
firewall you must do two things:
1) Create a PREROUTING rule to change the destination address/port.
2) Create a stateful FORWARD rule which allows [NEW] traffic to be routed
to the internal machine.
These 2 rules assume that a) your default policies are drop and b) you have
a stateful rule which allows ESTABLISHED,RELATED traffic in your forward
chain.
It's important to understand that you don't need POSTROUTING rules to
accomplish this. This is a common mistake (one which I'm sure I made when I
first learnt this too).
Now on to the specifics....
> #rules for ftp in...working right now
>
> iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
> iptables -A FORWARD -p tcp --dport 20 -j ACCEPT
You don't need the above 2 rules anymore. You have this covered below.
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to 10.0.0.7:21
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 20 -j DNAT --to 10.0.0.7:20
>
> iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 21 -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 20 -j ACCEPT
> #for POP3 and SMTP mail
> iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 25
> iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 110
You don't need these.
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 110 -j ACCEPT
You haven't specified a destination address for these rules. You need
something like you did with FTP:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to 10.0.0.7
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 110 -j DNAT --to 10.0.0.7
> iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
> iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
You should be more specific with your forward rules. Don't forget to
specify an interface and a destination address (just like you did for FTP).
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 110 -j ACCEPT
Ideally you would be using state matches for this stuff. Are you familiar
with this?
> iptables -t nat -A POSTROUTING -p tcp --sport 25 -j ACCEPT
> iptables -t nat -A POSTROUTING -p tcp --sport 110 -j ACCEPT
Don't need these rules.
Good luck,
Matt
* Re: Help with POP3/SMTP and MASQ
2002-06-10 21:37 Help with POP3/SMTP and MASQ Linux Tek
2002-06-10 22:17 ` Michael Hudin
2002-06-11 2:21 ` Matthew Hellman
@ 2002-06-11 13:54 ` Payal
[not found] ` <200206111923.23006@.>
3 siblings, 0 replies; 7+ messages in thread
From: Payal @ 2002-06-11 13:54 UTC (permalink / raw)
To: netfilter
Hi,
I am very, very new to iptables. But I think smtp and pop should be left to
the mail server + tcpd [i.e. hosts.allow and hosts.deny].
-Payal
On Tuesday 11 June 2002 03:07 am, you wrote:
> Hello...
> I've had no luck getting POP3/SMTP going through my RedHat 7.1 2.4
> kernel iptables box. I have been able to set up incoming FTP connections
> through my firewall, but no luck on the email. Here's my script... I've
> pretty much added a lot of extra stuff hoping that something would work and
> I could figure it out from there, but so far nothing's worked. I must be
> missing something obvious!
>
> Any help is appreciated, and thanks to everyone who takes the time to
> respond!
>
>
> #Beginning of script
> #this was from someone's sample script..to load the modules.
>
> /sbin/modprobe ip_tables
> /sbin/modprobe ip_conntrack
> /sbin/modprobe iptable_filter
> /sbin/modprobe iptable_mangle
> /sbin/modprobe iptable_nat
> /sbin/modprobe ipt_LOG
> /sbin/modprobe ipt_limit
> /sbin/modprobe ipt_state
>
> #
> # 2.2 Non-Required modules
> #
>
> #/sbin/modprobe ipt_owner
> #/sbin/modprobe ipt_REJECT
> #/sbin/modprobe ipt_MASQUERADE
> #/sbin/modprobe ip_conntrack_ftp
> #/sbin/modprobe ip_conntrack_irc
>
>
>
> #some basic MASQ stuff so I can hit the internet!
> cp /home/main/ip_forward /proc/sys/net/ipv4
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> #rules for ftp in...working right now
>
> iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
> iptables -A FORWARD -p tcp --dport 20 -j ACCEPT
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to 10.0.0.7:21
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 20 -j DNAT --to 10.0.0.7:20
>
> iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 21 -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 20 -j ACCEPT
>
> #rules for FTP out... NOT USED!!!!!!!!!
> #iptables -t nat -A POSTROUTING -p tcp --sport 21 -j ACCEPT
> #iptables -t nat -A POSTROUTING -p tcp --sport 20 -j ACCEPT
> #iptables -A INPUT -p tcp --sport 21 -j ACCEPT
> #iptables -A INPUT -p tcp --sport 20 -j ACCEPT
>
> #iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
> #iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
>
>
> #for POP3 and SMTP mail
> iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 25
> iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 110
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 110 -j ACCEPT
>
> iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
> iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
>
> iptables -t nat -A POSTROUTING -p tcp --sport 25 -j ACCEPT
> iptables -t nat -A POSTROUTING -p tcp --sport 110 -j ACCEPT
>
* Help with POP3/SMTP and MASQ
@ 2002-06-10 21:12 Felix D. Cat
2002-06-13 18:58 ` Antony Stone
0 siblings, 1 reply; 7+ messages in thread
From: Felix D. Cat @ 2002-06-10 21:12 UTC (permalink / raw)
To: netfilter
I've had no luck getting POP3/SMTP going through my RedHat 7.1 2.4
kernel iptables box. I have been able to set up incoming FTP connections
through my firewall, but no luck on the email. Here's my script... I've
pretty much added a lot of extra stuff hoping that something would work and I
could figure it out from there, but so far nothing's worked. I must be
missing something obvious! Any help is appreciated, and thanks to everyone
who takes the time to respond!
#Beginning of script
#this was from someone's sample script..to load the modules.
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#
# 2.2 Non-Required modules
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#some basic MASQ stuff so I can hit the internet!
cp /home/main/ip_forward /proc/sys/net/ipv4
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#rules for ftp in...working right now
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp --dport 20 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to 10.0.0.7:21
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 20 -j DNAT --to 10.0.0.7:20
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 10.0.0.7 --dport 20 -j ACCEPT
#rules for FTP out... NOT USED!!!!!!!!!
#iptables -t nat -A POSTROUTING -p tcp --sport 21 -j ACCEPT
#iptables -t nat -A POSTROUTING -p tcp --sport 20 -j ACCEPT
#iptables -A INPUT -p tcp --sport 21 -j ACCEPT
#iptables -A INPUT -p tcp --sport 20 -j ACCEPT
#iptables -A OUTPUT -p tcp --sport 21 -j ACCEPT
#iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
#for POP3 and SMTP mail
iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 25
iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 110
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 110 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --sport 25 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --sport 110 -j ACCEPT
_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail.
http://www.hotmail.com
* Re: Help with POP3/SMTP and MASQ
2002-06-10 21:12 Felix D. Cat
@ 2002-06-13 18:58 ` Antony Stone
0 siblings, 0 replies; 7+ messages in thread
From: Antony Stone @ 2002-06-13 18:58 UTC (permalink / raw)
To: netfilter
On Monday 10 June 2002 10:12 pm, Felix D. Cat wrote:
> I've had no luck getting POP3/SMTP going through my RedHat 7.1 2.4
> kernel iptables box. I have been able to set up incoming FTP connections
> through my firewall, but no luck on the email. Here's my script...
>
> #for POP3 and SMTP mail
> iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 25
> iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports 110
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 25 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 110 -j ACCEPT
>
> iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
> iptables -A FORWARD -p tcp --dport 110 -j ACCEPT
>
> iptables -t nat -A POSTROUTING -p tcp --sport 25 -j ACCEPT
> iptables -t nat -A POSTROUTING -p tcp --sport 110 -j ACCEPT
You have no FORWARDing rules to allow reply packets back in.
You either need rules to allow packets from source port 25 & source port 110,
or preferably, a single rule allowing ESTABLISHED,RELATED packets in, e.g.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Antony.
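The following puts together what Michael, Matthew and Antony describe above (interface-scoped FORWARD rules, a DNAT plus a NEW-only FORWARD rule per published port, and one ESTABLISHED,RELATED rule for the replies) as a single, minimal stateful ruleset. This is an added example, not code from the thread or from any of its posters. It assumes, as in the original script, that eth0 is the external interface, eth1 the internal one and 10.0.0.7 the mail host; IPT defaults to "echo iptables" so the script only prints the rules it would apply, and on the firewall you run it with IPT=iptables to apply them for real.

```shell
#!/bin/sh
# Added example (not from the thread): minimal stateful port forwarding for
# SMTP and POP3 to an internal mail host. Assumptions: eth0 = external,
# eth1 = internal, 10.0.0.7 = mail host (values taken from the thread).
# IPT defaults to "echo iptables" so the rules are printed, not applied.
IPT="${IPT:-echo iptables}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
MAIL_HOST="${MAIL_HOST:-10.0.0.7}"

# The two rules Matthew describes for one forwarded TCP port:
#  1) a PREROUTING DNAT that rewrites the destination address (port unchanged)
#  2) a FORWARD rule that admits only NEW connection attempts (SYN), only from
#     the outside interface to the inside one, and only to the mail host.
# Reply packets never hit these rules; the ESTABLISHED,RELATED rule covers them.
forward_tcp_port() {
    port="$1"
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$MAIL_HOST"
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp --syn -d "$MAIL_HOST" \
        --dport "$port" -m state --state NEW -j ACCEPT
}

# The whole ruleset, in the order it has to be applied.
build_ruleset() {
    # Matthew's assumption (a): default policies drop what no rule accepts.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Matthew's assumption (b) / Antony's rule: one rule for all reply traffic.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN to Internet: allow new outbound connections and masquerade them.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # Published services: SMTP and POP3, nothing else.
    for p in 25 110; do
        forward_tcp_port "$p"
    done
}

# Checking helper: how many generated rules contain a given fragment.
count_rules() {
    build_ruleset | grep -c -- "$1"
}

build_ruleset
```

Unlike the original "-A FORWARD -p tcp --dport 25 -j ACCEPT", every accept rule here names the interfaces it applies to and the host it leads to, so the box forwards only the traffic that was meant to be published; the "--syn" and "--state NEW" qualifiers mean that a stray non-SYN packet cannot open a path on its own.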
2002-06-10 21:37 Help with POP3/SMTP and MASQ Linux Tek
2002-06-10 22:17 ` Michael Hudin
2002-06-11 2:21 ` Matthew Hellman
2002-06-11 13:54 ` Payal
[not found] ` <200206111923.23006@.>
2002-06-11 20:26 ` Tony Earnshaw
2002-06-10 21:12 Felix D. Cat
2002-06-13 18:58 ` Antony Stone