* how to forward traffic to MS Exchange?
@ 2004-06-07 11:11 Matthias F. Brandstetter
From: Matthias F. Brandstetter @ 2004-06-07 11:11 UTC (permalink / raw)
To: 'netfilter@lists.netfilter.org'
Hi all,
I have been using netfilter-based firewalls for several years now w/o any
problems, same goes for netfilter-based NAT.
Now I want to forward all incoming traffic on SMTP port 25 on a gateway to
an internal MS Exchange mail server, so I tried to use this rule, as always:
$IPTABLES -t nat -A PREROUTING -i $E_NIC -p tcp --dport 25 -j DNAT
--to-destination 192.168.120.10:25
(where $IPTABLES is the iptables binary, and $E_NIC is the external NIC "ppp0")
I never had any problems with this rule, and I use the same with http port
80 for MS Exchange webserver on the same net, w/o any problems.
But: after activating this rule and connecting via telnet to port 25 on the
external address, I can connect to the Exchange server, but the connection
is immediately dropped afterwards (I get the "Connected to ..." and
"Escape character is '^]'." lines, but after that a "Connection lost").
When I disable this rule and use rinetd [1] to forward smtp traffic
instead, I get no errors and can connect to the Exchange server via
telnet.
So my question: is this an iptables or an Exchange issue? Do I have to
provide another rule or change my existing rule to be able to connect to an
MS Exchange server? I don't think it's an Exchange problem, since
everything is OK when I use rinetd, as said.
Hopefully someone can help me, I have no ideas left :(
Greetings and TIA, Matthias
footnote:
[1] http://www.boutell.com/rinetd/
--
Mmm...incapacitating.
-- Homer Simpson
The Springfield Connection
* Re: how to forward traffic to MS Exchange?
From: Matthias F. Brandstetter @ 2004-06-07 11:33 UTC (permalink / raw)
To: 'netfilter@lists.netfilter.org'; +Cc: Ludo Stellingwerff
---------- quoting Ludo Stellingwerff ----------
> You could try to SNAT the specific traffic to the LAN address of the
> firewall.
>
> Like: $IPTABLES -t nat -A POSTROUTING -o $LAN_NIC -p tcp --dport 25 -d
> 192.168.120.10 -j SNAT --to-source $LOCAL_LAN_ADDRESS
> (a very insecure setup, switch it off afterwards!)
>
> This will give you the possibility to rule out access-control issues in
> Exchange. If it still doesn't work, it's more likely to be a netfilter
> problem; if it does work, it's more likely Exchange trouble.
Yep indeed, when I use your rule after my DNAT rule, I _can_ connect to the
Exchange server, so it seems this is the problem. The Exchange server is not
under my control, but now I know where to continue...
Thanks a lot for your help, Ludo!
Greetings, Matthias
--
Donuts. Is there anything they can't do?
-- Homer Simpson
Marge vs. the Monorail
* Re: how to forward traffic to MS Exchange?
From: John A. Sullivan III @ 2004-06-07 12:03 UTC (permalink / raw)
To: Matthias F. Brandstetter; +Cc: 'netfilter@lists.netfilter.org'
On Mon, 2004-06-07 at 07:11, Matthias F. Brandstetter wrote:
> Hi all,
>
> I have been using netfilter-based firewalls for several years now w/o any
> problems, same goes for netfilter-based NAT.
>
> Now I want to forward all incoming traffic on SMTP port 25 on a gateway to
> an internal MS Exchange mail server, so I tried to use this rule, as always:
>
> $IPTABLES -t nat -A PREROUTING -i $E_NIC -p tcp --dport 25 -j DNAT
> --to-destination 192.168.120.10:25
>
> (where $IPTABLES is the iptables binary, and $E_NIC is the external NIC "ppp0")
>
> I never had any problems with this rule, and I use the same with http port
> 80 for MS Exchange webserver on the same net, w/o any problems.
>
> But: after activating this rule and connecting via telnet to port 25 on the
> external address, I can connect to the Exchange server, but the connection
> is immediately dropped afterwards (I get the "Connected to ..." and
> "Escape character is '^]'." lines, but after that a "Connection lost").
>
> When I disable this rule and use rinetd [1] to forward smtp traffic
> instead, I get no errors and can connect to the Exchange server via
> telnet.
>
> So my question: is this an iptables or an Exchange issue? Do I have to
> provide another rule or change my existing rule to be able to connect to an
> MS Exchange server? I don't think it's an Exchange problem, since
> everything is OK when I use rinetd, as said.
>
> Hopefully someone can help me, I have no ideas left :(
> Greetings and TIA, Matthias
>
> footnote:
> [1] http://www.boutell.com/rinetd/
I assume you have an access control rule somewhere that allows the
traffic to be forwarded to the Exchange server and that you are using
connection tracking or have another rule to allow the reply packets.
Given that, I would suggest tracing the packets to and from the Exchange
server with something like Ethereal (http://www.ethereal.com) and, if
the packets are getting lost within your firewall, tracing the packet
flow within your firewall with various strategically placed logging
rules to find out where it is breaking. Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
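One way to carry out the packet tracing John suggests, as an added example that is not part of the thread or of anyone's posted setup: shell functions that print LOG rules placed around the DNAT rule and then tally, per hop, the log lines belonging to one client address. The interface ppp0 and the server address 192.168.120.10 come from the thread; the log prefixes, the LAN interface eth1, the client and public addresses, and the sample kernel log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: emit the "strategically placed"
# LOG rules John suggests, then summarise where a client's SMTP packets were
# last seen. E_NIC=ppp0 and 192.168.120.10 come from the thread; prefixes,
# eth1 and the sample log lines are constructed.
E_NIC=ppp0
EXCH=192.168.120.10

# Print (do not apply) a LOG rule ahead of each hop a DNAT'd packet crosses,
# plus the DNAT rule itself, so the trace surrounds the real rule.
trace_rules() {
    cat <<EOF
iptables -t nat -I PREROUTING 1 -i $E_NIC -p tcp --dport 25 -j LOG --log-prefix "SMTP-PRE "
iptables -t nat -A PREROUTING -i $E_NIC -p tcp --dport 25 -j DNAT --to-destination $EXCH:25
iptables -I FORWARD 1 -p tcp -d $EXCH --dport 25 -j LOG --log-prefix "SMTP-FWD "
iptables -I FORWARD 1 -p tcp -s $EXCH --sport 25 -j LOG --log-prefix "SMTP-REPLY "
EOF
}

# Count, per hop, the log lines belonging to one client address.
#   pre>0, fwd=0     : lost before/while forwarding (firewall problem)
#   fwd>0, reply=0   : reached the server, no answer (return-path problem)
#   reply>0, fin>0   : the server itself closed the session (server-side)
last_hop() {  # $1 = client IP, stdin = kernel log lines
    awk -v c="$1" '
        index($0, "SRC=" c " ") && /SMTP-PRE/   { pre++ }
        index($0, "SRC=" c " ") && /SMTP-FWD/   { fwd++ }
        index($0, "DST=" c " ") && /SMTP-REPLY/ { rep++; if (/FIN/) fin++ }
        END { printf "pre=%d fwd=%d reply=%d fin=%d\n", pre, fwd, rep, fin }'
}

# Constructed sample: the client's SYN is logged, DNAT'd and forwarded, the
# server answers and then sends FIN, i.e. the symptom described in the thread.
sample_log() {
    cat <<'EOF'
Jun  7 11:20:01 gw kernel: SMTP-PRE IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40321 DPT=25 SYN
Jun  7 11:20:01 gw kernel: SMTP-FWD IN=ppp0 OUT=eth1 SRC=203.0.113.5 DST=192.168.120.10 PROTO=TCP SPT=40321 DPT=25 SYN
Jun  7 11:20:01 gw kernel: SMTP-REPLY IN=eth1 OUT=ppp0 SRC=192.168.120.10 DST=203.0.113.5 PROTO=TCP SPT=25 DPT=40321 ACK
Jun  7 11:20:01 gw kernel: SMTP-FWD IN=ppp0 OUT=eth1 SRC=203.0.113.5 DST=192.168.120.10 PROTO=TCP SPT=40321 DPT=25 ACK
Jun  7 11:20:02 gw kernel: SMTP-REPLY IN=eth1 OUT=ppp0 SRC=192.168.120.10 DST=203.0.113.5 PROTO=TCP SPT=25 DPT=40321 ACK FIN
EOF
}

sample_log | last_hop 203.0.113.5
```

On a real gateway, feed `last_hop` the kernel log (e.g. the output of dmesg or the syslog file that receives kernel messages) instead of `sample_log`.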