* accessing an internal port-forwarded email server from the internal network
@ 2003-12-08  1:39 TN
  2003-12-08  1:57 ` Antony Stone
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: TN @ 2003-12-08  1:39 UTC (permalink / raw)
  To: netfilter

Hi all,

I have a problem which I thought I'd seen the solution to somewhere, but 
I just can't find the posting anymore.

I have an iptables firewall, and I port forward to an internal email 
server on a 192.168.10.0/24 LAN network.
This all works fine, external email comes & goes OK. My problem is that 
I want to allow internal network users to address the email server using 
the external IP address of the firewall.

Currently, laptop users internal to the network need to then become 
external when they work external to the LAN, and they have to either 
setup 2 different email accounts (one using the internal email server IP 
address, and one using the external IP address), or they have to 
remember to change their server settings each time they move from 
internal to external and vice-versa. Both of these are a pain for them.

I have attempted to allow this to work by using the following prerouting 
rules & forward rules (default policies are DROP, DROP, ACCEPT)

# nat table: send inbound SMTP/POP3/IMAP to the internal mail server
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 192.168.10.12:25
iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to 192.168.10.12:110
iptables -t nat -A PREROUTING -p tcp --dport 143 -j DNAT --to 192.168.10.12:143

# filter table: let the forwarded connection attempts through (FORWARD policy is DROP)
iptables -A FORWARD -p tcp -s 0/0 -d 192.168.10.12/32 --destination-port 25 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 192.168.10.12/32 --destination-port 110 --syn -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 192.168.10.12/32 --destination-port 143 --syn -j ACCEPT

These are just more generalised rules that people commonly use for doing 
port forwarding - I have just made them less strict by taking out the 
input & output constraints in an attempt to allow external & internal 
clients to access the email server via the external IP.

It doesn't work, the email client just times out, as if I'm still 
blocking some part of the data stream.
What am I doing wrong ?

thanks.
-Tim

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: accessing an internal port-forwarded email server from the internal network
  2003-12-08  1:39 accessing an internal port-forwarded email server from the internal network TN
@ 2003-12-08  1:57 ` Antony Stone
  2003-12-08  6:39 ` Ralf Spenneberg
  2003-12-09 13:13 ` Jamie Pratt
  2 siblings, 0 replies; 4+ messages in thread
From: Antony Stone @ 2003-12-08  1:57 UTC (permalink / raw)
  To: netfilter

On Monday 08 December 2003 1:39 am, TN wrote:

> Hi all,
>
> I have a problem which I thought I'd seen the solution to somewhere, but
> I just can't find the posting anymore.
>
> I have an iptables firewall, and I port forward to an internal email
> server on a 192.168.10.0/24 LAN network.
> This all works fine, external email comes & goes OK. My problem is that
> I want to allow internal network users to address the email server using
> the external IP address of the firewall.
>
> Currently, laptop users internal to the network need to then become
> external when they work external to the LAN, and they have to either
> setup 2 different email accounts (one using the internal email server IP
> address, and one using the external IP address), or they have to
> remember to change their server settings each time they move from
> internal to external and vice-versa. Both of these are a pain for them.

Configure the machines to connect by hostname instead of IP address, and use 
split DNS to give the internal address to internal enquiries, and the 
external address to external enquiries.

Alternatively put the mail server on a perimeter network instead of the 
internal LAN, then both internal and external clients can connect using the 
external IP address.

The reason your existing setup doesn't work is that internal clients connect 
to the external address, which gets translated to the internal address, which 
then replies direct to the client (i.e. not back through the reverse NAT on the 
firewall), therefore the client connects to address A and gets a reply from 
address B, confusing it and making it unhappy.

Antony.

-- 
Perfection in design is achieved not when there is nothing left to add, but 
rather when there is nothing left to take away.

 - Antoine de Saint-Exupery

                                                     Please reply to the list;
                                                           please don't CC me.


* Re: accessing an internal port-forwarded email server from the internal network
  2003-12-08  1:39 accessing an internal port-forwarded email server from the internal network TN
  2003-12-08  1:57 ` Antony Stone
@ 2003-12-08  6:39 ` Ralf Spenneberg
  2003-12-09 13:13 ` Jamie Pratt
  2 siblings, 0 replies; 4+ messages in thread
From: Ralf Spenneberg @ 2003-12-08  6:39 UTC (permalink / raw)
  To: TN; +Cc: Netfilter

On Mon, 2003-12-08 at 02:39, TN wrote:

> Currently, laptop users internal to the network need to then become 
> external when they work external to the LAN, and they have to either 
> setup 2 different email accounts (one using the internal email server IP 
> address, and one using the external IP address), or they have to 
> remember to change their server settings each time they move from 
> internal to external and vice-versa. Both of these are a pain for them.
> It doesn't work, the email client just times out, as if I'm still 
> blocking some part of the data stream.
> What am I doing wrong ?
> 
The client can reach the mail server alright, but the mail server tries to
respond directly to the client using the wrong IP address. 
Easiest solution:
Apply both DNAT and SNAT at the same time. Add the following rule:
iptables -t nat -A POSTROUTING -p tcp -m multiport --dport 25,110,143 -d 192.168.10.12 -s 192.168.10.0/24 -j SNAT --to <firewall-ip>

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: VPN mit Linux
Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org

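The following is an added example, not code posted by anyone in this thread. It models the path Antony describes (the client connects to address A and gets a reply from address B) and Ralf's DNAT+SNAT fix, using only the addresses from the thread (mail server 192.168.10.12, LAN 192.168.10.0/24). The firewall's external address 203.0.113.1 (standing in for Ralf's <firewall-ip>), the LAN client 192.168.10.50 and the Internet client 198.51.100.7 are assumptions taken from the RFC 5737 documentation ranges.

```python
"""Simulate the hairpin-NAT failure and the DNAT+SNAT fix.

Added example for this thread, not code posted by any participant.
Addresses from the thread: mail server 192.168.10.12, LAN 192.168.10.0/24.
Assumed (RFC 5737 documentation ranges): the firewall's external address
203.0.113.1 (Ralf's <firewall-ip>), a LAN client 192.168.10.50 and an
Internet client 198.51.100.7.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

MAIL_SERVER = "192.168.10.12"
LAN = ip_network("192.168.10.0/24")
FW_EXTERNAL = "203.0.113.1"      # assumption: the firewall's public IP
MAIL_PORTS = {25, 110, 143}      # the ports the PREROUTING DNAT rules forward


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reversed(self) -> "Packet":
        """The tuple a reply to this packet carries."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def on_lan(addr: str) -> bool:
    return ip_address(addr) in LAN


class Firewall:
    """Just enough of netfilter for this thread: the nat table is consulted
    for the first packet of a connection (PREROUTING DNAT, then POSTROUTING
    SNAT), and conntrack undoes both translations on the reply path."""

    def __init__(self, hairpin_snat: bool):
        self.hairpin_snat = hairpin_snat
        self.conntrack: dict[Packet, Packet] = {}   # translated -> original

    def forward(self, pkt: Packet) -> Packet:
        out = pkt
        # iptables -t nat -A PREROUTING -p tcp --dport 25/110/143 -j DNAT --to 192.168.10.12
        if out.dst == FW_EXTERNAL and out.dport in MAIL_PORTS:
            out = replace(out, dst=MAIL_SERVER)
        # Ralf's rule: iptables -t nat -A POSTROUTING -p tcp -m multiport --dport 25,110,143
        #     -d 192.168.10.12 -s 192.168.10.0/24 -j SNAT --to <firewall-ip>
        if (self.hairpin_snat and on_lan(out.src)
                and out.dst == MAIL_SERVER and out.dport in MAIL_PORTS):
            out = replace(out, src=FW_EXTERNAL)
        self.conntrack[out] = pkt
        return out

    def reply(self, pkt: Packet) -> Packet:
        """Reverse-translate a reply that reaches the firewall."""
        for translated, original in self.conntrack.items():
            if pkt == translated.reversed():
                return original.reversed()
        return pkt   # unknown connection: left untouched


def mail_server_answers(pkt: Packet) -> tuple[Packet, bool]:
    """The server replies to whatever source address it saw. A reply to a
    192.168.10.0/24 address goes straight across the LAN segment; anything
    else is sent to the default gateway, i.e. back through the firewall."""
    reply = pkt.reversed()
    return reply, on_lan(reply.dst)


def connect(client_ip: str, hairpin_snat: bool, port: int = 25) -> bool:
    """True if the client's TCP stack accepts the SYN-ACK, i.e. the reply
    comes from exactly the tuple the client connected to."""
    fw = Firewall(hairpin_snat)
    syn = Packet(client_ip, 40000, FW_EXTERNAL, port)
    at_server = fw.forward(syn)
    reply, direct = mail_server_answers(at_server)
    seen_by_client = reply if direct else fw.reply(reply)
    return seen_by_client == syn.reversed()


def hairpin_matrix() -> dict[tuple[str, bool], bool]:
    """Outcome for a LAN client and an Internet client, with and without SNAT."""
    return {(c, s): connect(c, s)
            for c in ("192.168.10.50", "198.51.100.7")   # assumed client addresses
            for s in (False, True)}


if __name__ == "__main__":
    for (client, snat), ok in hairpin_matrix().items():
        print(f"client {client:14} hairpin SNAT={snat!s:5} -> {'connects' if ok else 'times out'}")
```

Without the POSTROUTING SNAT the LAN client's SYN-ACK arrives directly from 192.168.10.12 instead of from the address it connected to, so the client never completes the handshake; Internet clients are unaffected either way because their replies always route back through the firewall. The price of the SNAT fix is that the mail server sees every LAN connection as coming from the firewall's address, so its logs, rate limits and any address-based relay restrictions can no longer tell internal clients apart; that is the practical reason many prefer Antony's split-DNS approach.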

* Re: accessing an internal port-forwarded email server from the internal network
  2003-12-08  1:39 accessing an internal port-forwarded email server from the internal network TN
  2003-12-08  1:57 ` Antony Stone
  2003-12-08  6:39 ` Ralf Spenneberg
@ 2003-12-09 13:13 ` Jamie Pratt
  2 siblings, 0 replies; 4+ messages in thread
From: Jamie Pratt @ 2003-12-09 13:13 UTC (permalink / raw)
  To: netfilter

hi - I may be wrong, but there is probably nothing iptables can do for 
you here on this - you should just give your public IP a DNS A record 
(probably has one already, or MX at least?) in the internet DNS, and 
then set up a small DNS server on your internal LAN/network and just add 
an A record with the same hostname, but pointing to the private IP 
instead. - set the users up to see the internal DNS address first in 
the list, then just make the users always use the hostname, and all 
should work no matter where they are..

(I had this same problem but on a Cisco PIX firewalled network - 
luckily, the PIX is intelligent enough to do this on its own, but that 
was *going* to be how I solved the same problem)

if this doesn't work, or appeal to you, google for 'netsh' - a Windows 
util that will change connection settings via a short script that you 
can set up on a user's laptop..

regards,
jamie

TN wrote:

> Hi all,
> 
> I have a problem which I thought I'd seen the solution to somewhere, but 
> I just can't find the posting anymore.
> 
> I have an iptables firewall, and I port forward to an internal email 
> server on a 192.168.10.0/24 LAN network.
> This all works fine, external email comes & goes OK. My problem is that 
> I want to allow internal network users to address the email server using 
> the external IP address of the firewall.
> 
> Currently, laptop users internal to the network need to then become 
> external when they work external to the LAN, and they have to either 
> setup 2 different email accounts (one using the internal email server IP 
> address, and one using the external IP address), or they have to 
> remember to change their server settings each time they move from 
> internal to external and vice-versa. Both of these are a pain for them.
> 
> I have attempted to allow this to work by using the following prerouting 
> rules & forward rules (default policies are DROP, DROP, ACCEPT)
> 
> # nat table: send inbound SMTP/POP3/IMAP to the internal mail server
> iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 192.168.10.12:25
> iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to 192.168.10.12:110
> iptables -t nat -A PREROUTING -p tcp --dport 143 -j DNAT --to 192.168.10.12:143
> 
> # filter table: let the forwarded connection attempts through (FORWARD policy is DROP)
> iptables -A FORWARD -p tcp -s 0/0 -d 192.168.10.12/32 --destination-port 25 --syn -j ACCEPT
> iptables -A FORWARD -p tcp -s 0/0 -d 192.168.10.12/32 --destination-port 110 --syn -j ACCEPT
> iptables -A FORWARD -p tcp -s 0/0 -d 192.168.10.12/32 --destination-port 143 --syn -j ACCEPT
> 
> These are just more generalised rules that people commonly use for doing 
> port forwarding - I have just made them less strict by taking out the 
> input & output constraints in an attempt to allow external & internal 
> clients to access the email server via the external IP.
> 
> It doesn't work, the email client just times out, as if I'm still 
> blocking some part of the data stream.
> What am I doing wrong ?
> 
> thanks.
> -Tim