From: "Stanislav Puffler DiS."
Subject: tcp packets on 25 port FORWARDING
Date: Fri, 12 Mar 2004 10:46:41 +0100
To: netfilter@lists.netfilter.org

Hi there,

I need to forward all tcp packets with port 25 (SMTP) from the Internet to a machine in my network. My settings: eth0 = internet IP, eth1 = 192.168.200.1 (dmz IP, connected to another machine with Postfix), eth2 = 192.168.0.1 (gateway, LAN). I have opened port 25 and set up these rules:

  iptables -t nat -A PREROUTING -p tcp -dport 25 - i eth0 -j DNAT -to 192.168.200.2:85

  iptables -A FORWARD -i eth0 -p tcp -d 192:168.200.2 -dport 25 -m state -state NEW,ESTABLISHED,RELATED -j ACCEPT

But it still doesn't route tcp packets on port 25 to my Postfix computer :o( If I try telnet 192.168.200.2 25 from the FW it works; if I try this from the Internet, it doesn't work :o( Any ideas? Thanks a lot.

Stan.

From: Antony Stone
Subject: Re: tcp packets on 25 port FORWARDING
Date: Fri, 12 Mar 2004 09:57:16 +0000
Message-ID: <200403120957.16154.Antony@Soft-Solutions.co.uk>
To: netfilter@lists.netfilter.org

On Friday 12 March 2004 9:46 am, Stanislav Puffler DiS. wrote:

> Hi there,
>
> I need to forward all tcp packets with port 25 (SMTP) from Internet to
> machine in my network. My settings (eth0 = internet IP, eth1 =
> 192.168.200.1 - dmz IP connected to another machine with Postfix, eth2 =
> 192.168.0.1 - gateway - LAN). Have opened port 25 and setup rule :
>
> iptables -t nat -A PREROUTING -p tcp -dport 25 - i eth0 -j DNAT -to
> 192.168.200.2:85

That should be "--dport", not "-dport", and why are you changing the destination port number to 85? Is Postfix listening on port 25?

> iptables -A FORWARD -i eth0 -p tcp -d 192:168.200.2 -dport 25 -m state
> -state NEW,ESTABLISHED,RELATED -j ACCEPT

That should also read "--dport", not "-dport", also "--state", not "-state".

If you have typed out your rules in this email and made some mistakes, then please *cut and paste* your ruleset so we really know what is running.

Regards,

Antony.

-- 
Ramdisk is not an installation procedure.

Please reply to the list; please don't CC me.
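The rules from the original post, corrected and completed, as an added example by the editor rather than code from anyone in the thread: double-dash long options, the destination port kept at 25, a FORWARD rule for the DNAT'd connection in each direction, outbound SMTP and DNS for the mail host, and no SNAT on the DMZ leg so Postfix logs the real sender address (a point made later in the thread). Interface names and the 192.168.200.2 address are from the post; the lint_rule helper, the dry_run mode and the assumption that the Postfix host routes its replies back through 192.168.200.1 are the editor's.

```sh
#!/bin/sh
# Added example (editor's, not from the thread): SMTP port-forward for the
# topology in the original post.  "./smtp-fwd.sh apply" loads the rules,
# "./smtp-fwd.sh dry-run" prints them instead.
# Assumption: the Postfix host's default route points back at 192.168.200.1.

IPT="${IPT:-iptables}"                   # set IPT=dry_run to print, not load
EXT_IF="${EXT_IF:-eth0}"                 # Internet-facing NIC
DMZ_IF="${DMZ_IF:-eth1}"                 # NIC towards the Postfix host
MAIL_HOST="${MAIL_HOST:-192.168.200.2}"  # the DMZ mail server

dry_run() { printf '%s\n' "$*"; }

# Catch the mistake the thread is about: a long option typed with one dash.
# Every real short option (-A -t -i -o -p -s -d -m -j) is exactly two
# characters, so a single-dash word longer than that is a typo for "--word".
lint_rule() {
    for word in "$@"; do
        case "$word" in
            --*) ;;
            -??*) printf "suspicious option '%s' (did you mean --%s?)\n" \
                      "$word" "${word#-}" >&2
                  return 1 ;;
        esac
    done
    return 0
}

# Lint first, then hand the rule to iptables (or to dry_run).
rule() { lint_rule "$@" && $IPT "$@"; }

smtp_forward() {
    # 1. Rewrite inbound SMTP to the DMZ host, keeping port 25 (not 85).
    rule -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 25 \
         -j DNAT --to-destination "$MAIL_HOST:25"
    # 2. FORWARD sees the packet *after* DNAT, so match the new destination.
    rule -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$MAIL_HOST" -p tcp --dport 25 \
         -m state --state NEW -j ACCEPT
    # 3. The mail host opens connections of its own: outbound SMTP and DNS.
    for spec in "tcp 25" "udp 53" "tcp 53"; do
        set -- $spec
        rule -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$MAIL_HOST" -p "$1" --dport "$2" \
             -m state --state NEW -j ACCEPT
    done
    # 4. Replies for every accepted connection, both directions.
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Deliberately no SNAT on the DMZ leg: Postfix must see the real client IP.
}

# Refuse to load rules on a box that does not route between its interfaces.
preflight() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] && return 0
    echo "ip_forward is 0: echo 1 > /proc/sys/net/ipv4/ip_forward" >&2
    return 1
}

case "${1:-}" in
    apply)   preflight && smtp_forward ;;
    dry-run) IPT=dry_run; smtp_forward ;;
esac
```

Run `dry-run` first and read the six printed rules; `apply` refuses to start unless IP forwarding is on. Outbound traffic from the mail host still gets the firewall's own MASQUERADE in POSTROUTING, which is fine for SMTP delivery; it is only the inbound DMZ leg where rewriting the source address costs you the sender's real IP.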
From: peter.gehle@sbgit.com
Subject: Re: tcp packets on 25 port FORWARDING
Date: 12 Mar 2004 10:03:50 UT
To: netfilter@lists.netfilter.org

Try this:

  LAN_IP=$(ifconfig eth1 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)

  iptables -t nat -A PREROUTING -i *EXT-NIC* -p tcp --dport 25 -j DNAT --to-destination *POSTFIX-IP*
  iptables -t nat -A POSTROUTING -o *INT-NIC* -p tcp --dport 25 -j SNAT --to-source $LAN_IP
  iptables -A FORWARD -i *EXT-NIC* -m state --state NEW -p tcp -d *POSTFIX-IP* --dport 25 -j ACCEPT

EXT-NIC = your external Network Interface (eth0, eth1...)
INT-NIC = your internal Network Interface (eth1, eth2...) where your Postfix Server is connected to
POSTFIX-IP = The IP of your Postfix Server

That should work.

Mit freundlichem Gruß / Best regards / Meilleures salutations / Met vriendelijke groet

Peter Gehle
Systemberatung Gehle GmbH
Im Bahler Grund 5
D-49413 Dinklage
Germany
Phone : +49 4443 9796-12
Fax : +49 4443 9796-29
www.sbgit.com

From: Antony Stone
Subject: Re: tcp packets on 25 port FORWARDING
Date: Fri, 12 Mar 2004 10:21:45 +0000
Message-ID: <200403121021.45434.Antony@Soft-Solutions.co.uk>
To: netfilter@lists.netfilter.org

On Friday 12 March 2004 10:03 am, peter.gehle@sbgit.com wrote:

> Try this:
>
> LAN_IP=$(ifconfig eth1|head -n 2|tail -n 1|cut -d: -f2|cut -d" " -f1)

A simpler version is `ifconfig eth1|grep inet|tr -s ': ' '\t'|cut -f4`

> iptables -t nat -A PREROUTING -i *EXT-NIC* -p tcp --dport 25 -j DNAT
> --to-destination *POSTFIX-IP*
> iptables -t nat -A POSTROUTING -o *INT-NIC* -p tcp --dport 25 -j SNAT
> --to-source $LAN_IP

Why include this rule? It will make all email received by the Postfix machine appear to come from the Firewall, not the real IP address of the sending server. This will make anti-spam measures more difficult / less effective.

> iptables -A FORWARD -i *EXT-NIC* -m state --state NEW -p tcp -d *POSTFIX-IP*
> --dport 25 -j ACCEPT

What about NEW packets from inside to outside (eg delivering mail to the Internet?)

Also don't forget that a mail server is likely to want to do things like DNS lookups.

Regards,

Antony.
-- 
Having been asked for a reference for this man, I can confirm that you will be very lucky indeed if you can get him to work for you.

Please reply to the list; please don't CC me.

From: "Stanislav Puffler DiS."
Subject: RE: tcp packets on 25 port FORWARDING
Date: Fri, 12 Mar 2004 11:47:45 +0100
In-Reply-To: <200403120957.16154.Antony@Soft-Solutions.co.uk>
To: netfilter@lists.netfilter.org

My mistake, I have this written with --dport and --state. But it still doesn't work. Here are my rulesets for table nat:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:192.168.200.2:25
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
DROP       all  --  192.168.0.0/16       0.0.0.0/0
DROP       all  --  172.16.0.0/12        0.0.0.0/0
DROP       all  --  10.0.0.0/8           0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

And for filtering:

Chain INPUT (policy DROP)
target     prot opt source               destination
tcp_segmenty  tcp  --  0.0.0.0/0         0.0.0.0/0
udp_pakety    udp  --  0.0.0.0/0         0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 11
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:113 reject-with icmp-port-unreachable
spoofing   all  --  0.0.0.0/0            0.0.0.0/0
syn_flood  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x16/0x02
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmp type 8 limit: avg 1/sec burst 5
ACCEPT     all  --  80.95.96.7           0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.200.2        tcp dpt:25 state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
spoofing   all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  192.168.0.1          0.0.0.0/0
ACCEPT     all  --  192.168.200.1        0.0.0.0/0
ACCEPT     all  --  82.142.67.253        0.0.0.0/0

Chain spoofing (2 references)
target     prot opt source               destination
DROP       all  --  192.168.0.0/16       0.0.0.0/0
DROP       all  --  172.16.0.0/12        0.0.0.0/0
DROP       all  --  10.0.0.0/8           0.0.0.0/0

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain tcp_segmenty (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain udp_pakety (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53

Will try the help from Peter Gehle also, if it will run. Thanks...

Stan
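Stan pasted `iptables -L -n` output, which shows neither the `-i`/`-o` interface matches nor packet counters, so the one thing a reader can check from it is whether every DNAT target in nat/PREROUTING is covered by a filter/FORWARD rule that admits the first packet. The script below does that check mechanically; it is an added example by the editor, not something posted in the thread. The first sample is trimmed from the ruleset above; the second is constructed to show what the original post's `--to 192.168.200.2:85` would have produced, where the DNAT target port and the FORWARD rule's port disagree.

```sh
#!/bin/sh
# Added example (editor's, not from the thread): audit a pasted "iptables -L -n"
# dump so that every DNAT target in nat/PREROUTING has a filter/FORWARD rule
# that admits the first packet (state NEW, or no state match at all) to that
# address and port.  Deliberate limits: the address must match exactly, and
# the dump must contain both chains.

# Constructed sample, trimmed from the ruleset Stan posted (nat, then filter).
SAMPLE_OK='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:192.168.200.2:25
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            192.168.200.2        tcp dpt:25 state NEW,RELATED,ESTABLISHED
spoofing   all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample: what the original post's rules would have produced,
# DNAT to port 85 while FORWARD only accepts port 25.
SAMPLE_BAD='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:192.168.200.2:85

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.200.2        tcp dpt:25 state NEW,RELATED,ESTABLISHED'

# audit_dnat DUMP -> one verdict per DNAT target on stdout, exit 1 if any is uncovered
audit_dnat() {
    echo "note: -L without -v shows no -i/-o matches and no counters" >&2
    printf '%s\n' "$1" | awk '
        /^Chain /             { chain = $2; next }
        /^target / || NF == 0 { next }

        # nat/PREROUTING: "to:IP[:PORT]"; a bare IP keeps the matched dpt.
        chain == "PREROUTING" && $1 == "DNAT" {
            tgt = ""; dpt = ""
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^to:/)  tgt = substr($i, 4)
                if ($i ~ /^dpt:/) dpt = substr($i, 5)
            }
            if (tgt !~ /:/) tgt = tgt ":" dpt
            dnat[tgt] = 1
        }

        # filter/FORWARD: ACCEPT for one host and port that admits NEW
        # (either "state ...NEW..." or no state match at all).
        chain == "FORWARD" && $1 == "ACCEPT" {
            dst = $5; port = ""; new = 1
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^dpt:/) port = substr($i, 5)
                if ($i == "state" && $(i+1) !~ /NEW/) new = 0
            }
            if (dst != "0.0.0.0/0" && port != "" && new) fwd[dst ":" port] = 1
        }

        END {
            rc = 0
            for (t in dnat) {
                if (t in fwd) print "ok      " t
                else { print "MISSING " t " has no FORWARD rule admitting NEW"; rc = 1 }
            }
            exit rc
        }'
}

case "${1:-}" in
    file) audit_dnat "$(cat "$2")" ;;                  # ./audit.sh file dump.txt
    demo) audit_dnat "$SAMPLE_OK"; audit_dnat "$SAMPLE_BAD" ;;
esac
```

On the posted ruleset the check passes, so the FORWARD rule is not what blocks the connection and the problem lies in what the dump cannot show. The next things to look at are the counters from `iptables -t nat -L PREROUTING -n -v` (do inbound SYNs hit the DNAT rule at all?), `tcpdump -ni eth1 port 25` on the firewall (do they leave towards 192.168.200.2?), `cat /proc/sys/net/ipv4/ip_forward` (must be 1), and the routing table on the Postfix host: its default route must point at 192.168.200.1, otherwise the SYN/ACK never passes back through the firewall's connection tracking and the un-NATed reply is dropped.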