From: "Michael Hudin" <hudin@zoetrope.com>
To: netfilter@lists.samba.org
Subject: SMTP & POP Issues
Date: Mon, 3 Jun 2002 12:41:00 -0700
Message-ID: <001d01c20b36$970ac480$52cfd3cf@michael>
Still haven't gotten my head fully wrapped around iptables and am having some problems getting at my mail server on the LAN (also SSH on that machine, but that is another question).
My setup is:
eth0 - external interface at 10.10.10.254 with IP Aliases of 10.10.10.250, 10.10.10.251, 10.10.10.252, and 10.10.10.253.
eth1 is the gateway for the LAN at 192.168.77.1
This machine is acting as the gateway for my private LAN and is also my VPN server. I can't connect to ports 25 and 110 (SMTP and POP) from the outside world. The machine which I am trying to connect to is at 192.168.77.2 and I've set up aliases on it just for the sake of clarity at 192.169.77.80 and 192.168.77.110, where the 80 one is for virtual hosts in Apache (which the forwarding is working fine for) and the 110 one is where I am trying to access my mail server. There currently is no firewall on this internal machine, so there is very little to get in the way of communication. Below is my configuration file (yes, it has been created through the iptables-save function and some hand editing, I'm not much of a scripter). I probably have a POSTROUTING rule configured incorrectly or something of that nature, I'd guess.
I also realize that this is a rather insecure set of rules, so some basic things I could add along the way would be appreciated.
Thanks!
-michael
*filter
:INPUT ACCEPT [0:229546]
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
:FORWARD ACCEPT [0:1487351]
-A FORWARD -d 192.168.77.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.77.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 192.168.77.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.77.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.77.0/255.255.255.0 -i eth1 -p tcp -m tcp --sport 22 -j ACCEPT
-A FORWARD -s 192.168.77.0/255.255.255.0 -i eth1 -p tcp -m tcp --sport 25 -j ACCEPT
-A FORWARD -s 192.168.77.0/255.255.255.0 -i eth1 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -s 192.168.77.0/255.255.255.0 -i eth1 -p tcp -m tcp --sport 110 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
:OUTPUT ACCEPT [0:619218]
-A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:65535]
-A PREROUTING -d 10.10.10.250 -i eth1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.77.2:22
-A PREROUTING -d 10.10.10.250 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.77.2:80
-A PREROUTING -d 10.10.10.251 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.77.80:80
-A PREROUTING -d 10.10.10.252 -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.77.110:25
-A PREROUTING -d 10.10.10.252 -i eth1 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.77.110:110
:POSTROUTING ACCEPT [0:9862]
-A POSTROUTING -d 192.168.77.110 -o eth1 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.10.10.252
-A POSTROUTING -d 192.168.77.110 -o eth1 -p tcp -m tcp --dport 110 -j SNAT --to-source 10.10.10.252
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j SNAT --to-source 10.10.10.254
:OUTPUT ACCEPT [66:4152]
COMMIT
*mangle
:PREROUTING ACCEPT [13512:2397711]
:INPUT ACCEPT [8743:614224]
:FORWARD ACCEPT [4559:1760428]
:OUTPUT ACCEPT [6375:628610]
:POSTROUTING ACCEPT [10849:2382506]
COMMIT
Michael Hudin
Sentinel Systems Support
www.zoetrope.com
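A check a reviewer would run against the configuration above, as an added example that is not part of the original post or of the netfilter project: the script parses an iptables-save dump and flags filter chains with an ACCEPT default policy, catch-all ACCEPT rules, and DNAT rules whose -i interface does not hold the -d address (the post describes the 10.10.10.25x addresses as aliases on eth0, while its PREROUTING rules match -i eth1, and -i matches the interface a packet arrives on). The interface map and the excerpt of the dump are taken from the post; one DNAT line is altered to -i eth0 as a control case.

```python
import shlex

# Interface -> addresses, as the post describes them (assumption taken from the text).
IFACE_ADDRS = {
    "eth0": {"10.10.10.254", "10.10.10.250", "10.10.10.251", "10.10.10.252", "10.10.10.253"},
    "eth1": {"192.168.77.1"},
}
# Constructed excerpt of the post's dump; the second DNAT line is altered to -i eth0 as a control.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:229546]
-A INPUT -j ACCEPT
:FORWARD ACCEPT [0:1487351]
-A FORWARD -i eth1 -j ACCEPT
COMMIT
*nat
-A PREROUTING -d 10.10.10.252 -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.77.110:25
-A PREROUTING -d 10.10.10.252 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.77.110:110
COMMIT
"""

def parse_rule(line):
    """Map an '-A CHAIN ...' line to {option: value}; flags without a value map to True."""
    toks, opts, i = shlex.split(line), {}, 0
    while i < len(toks):
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        opts[toks[i]] = toks[i + 1] if has_val else True
        i += 2 if has_val else 1
    return opts

def lint(dump, iface_addrs):
    """Return findings: ACCEPT policies and catch-all ACCEPTs in filter, DNATs on the wrong -i."""
    findings, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            if table == "filter" and policy == "ACCEPT":
                findings.append(f"{chain}: default policy ACCEPT")
        elif line.startswith("-A"):
            opts = parse_rule(line)
            chain, target = opts["-A"], opts.get("-j")
            if table == "nat" and target == "DNAT":
                dst, iface = opts.get("-d"), opts.get("-i")
                if dst and iface and dst not in iface_addrs.get(iface, set()):
                    findings.append(f"{chain}: DNAT for {dst} matches -i {iface}, but {dst} is not on {iface}")
            if table == "filter" and target == "ACCEPT" and not any(k in opts for k in ("-p", "-s", "-d", "-i", "-o")):
                findings.append(f"{chain}: catch-all ACCEPT ({line})")
    return findings
```

Running `lint(SAMPLE_DUMP, IFACE_ADDRS)` on the full dump from the post would flag every PREROUTING DNAT rule, since all of them match -i eth1 for addresses that live on eth0.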