Linux Netfilter discussions
* Mail server behind a firewall
@ 2005-11-21 21:10 Fernando Martins
  2005-11-21 21:22 ` /dev/rob0
  2005-11-21 21:31 ` Jesse Gordon
  0 siblings, 2 replies; 3+ messages in thread
From: Fernando Martins @ 2005-11-21 21:10 UTC (permalink / raw)
  To: netfilter

Hi,

 I have been looking for a solution for days and nights and I can't
find any solution to my problem.
 I have installed a Mail server behind a firewall, a firewall I have
configured very badly with iptables.
 I want an exterior smtp server to be able to speak with mine but it is failing.
  My configuration is:



 INTERNET ---------- FIREWALL ---------- MAIL SERVER
                   eth0    eth1          PrivateIP

 eth0 is the public interface with public address A.


 How can I do this?


 Nandao
 nervous break down is close



* Re: Mail server behind a firewall
From: /dev/rob0 @ 2005-11-21 21:22 UTC (permalink / raw)
  To: netfilter

On Monday 2005-November-21 15:10, Fernando Martins wrote:
>  I have been looking for a solution for days and nights and I can't
> find any solution to my problem.
>  I have installed a Mail server behind a firewall, a firewall I have
> configured very badly with iptables.

If you do not understand iptables, I recommend that you get a script 
such as Arno's, MonMotha's, or Shorewall. (These in no particular order 
of preference, although I suspect if I took the time to read the docs I 
would choose Shorewall.)

>  I want an exterior smtp server to be able to speak with mine
>  but it is failing.

What did you try? How did it fail? What are your iptables rules?  How 
did you expect to get help without covering the basics?

>  My configuration is: 

... not clear from that. I guess you have a firewall on a public IP and 
you want to DNAT that to an internal mail server. But that is a guess.

>  nervous break down is close

And at this rate it's getting closer! :) Unless you take my advice to 
try Shorewall or similar, perhaps ...
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header



* Re: Mail server behind a firewall
From: Jesse Gordon @ 2005-11-21 21:31 UTC (permalink / raw)
  To: Fernando Martins, netfilter

Hi Nandao.

Comments below.

>----- Original Message ----- 
>From: "Fernando Martins" <martinsfernand@gmail.com>
>To: <netfilter@lists.netfilter.org>
>Sent: Monday, November 21, 2005 1:10 PM
>Subject: Mail server behind a firewall
>

>Hi,
>
> I have been looking for a solution for days and nights and I can't
>find any solution to my problem.
> I have installed a Mail server behind a firewall, a firewall I have
>configured very badly with iptables.
> I want an exterior smtp server to be able to speak with mine but it is 
> failing.
>  My configuration is:
>
>
> INTERNET ---------- FIREWALL ---------- MAIL SERVER
>                   eth0    eth1          PrivateIP
>
> eth0 is the public interface with public address A.
>
>
> How can I do this?
>
> Nandao
>  nervous break down is close

I'm guessing that your eth1 has an IP like 192.168.0.3 or 10.0.0.3 or some 
such, and you want to forward ports.

The part of forwarding ports could look like this:

iptables -t nat -A PREROUTING -p TCP -i eth0 -d PublicAddress --dport 25 -j DNAT --to PrivateIP

This tells iptables that if a packet should come in eth0, with a target 
address of your public IP, to the destination port 25, it should be 
forwarded to (or re-addressed to) PrivateIP.

For the above to work as it is, this firewall must also be the default 
gateway for the Mail Server, and must be working as a Masquerading NAT 
firewall.
(I assume it's already functioning as the internet sharing computer.)

Also, depending on your other firewall rules and policies, you may need to 
specifically allow the incoming ports, but I'd have to see your specific 
config to know exactly what you need, but it might look something like this 
as well:

iptables -A FORWARD -i eth0 -o eth1 -d MailServerIP -j ACCEPT

This tells iptables that any packet that comes in eth0, and goes out eth1, 
which has a destination IP of the mail server's private IP, to accept it.

Depending on your other policies, more accept rules may be needed. But 
hopefully this will get you started.

-Jesse
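
Added example, not part of the original thread: a check that reads `iptables-save` output and reports which of the pieces named in the reply above (DNAT of port 25, a FORWARD accept, masquerading) are missing. The sample ruleset is constructed; 203.0.113.10 stands in for the public address A, 192.168.0.3 for PrivateIP, the function names are hypothetical, and the sample FORWARD rule is deliberately narrower than the one in the thread (tcp/25 only, plus return traffic).

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for inbound SMTP forwarding.
# All addresses and interface names below are constructed placeholders.

sample_rules() {   # constructed ruleset in iptables-save format
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.3
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.3/32 -i eth0 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF
}

# audit_smtp_forward MAIL_IP   (iptables-save output on stdin)
# Prints one line per missing piece and returns the number of missing pieces.
audit_smtp_forward() {
    ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
    rules=$(cat)
    missing=0
    has()  { printf '%s\n' "$rules" | grep -Eq -- "$1"; }
    miss() { echo "missing: $1"; missing=$((missing + 1)); }

    has "^-A PREROUTING .*--dport 25 .*-j DNAT --to-destination $ip_re(:25)?$" ||
        miss "DNAT of tcp/25 to $1"
    # A FORWARD accept without --dport 25 (as in the thread) is reported too,
    # because it opens every port on the mail server, not only SMTP.
    has "^-A FORWARD .*-d $ip_re(/32)? .*--dport 25 .*-j ACCEPT" ||
        miss "FORWARD accept limited to tcp/25 for $1"
    has "^-A FORWARD .*(ESTABLISHED|RELATED).*-j ACCEPT" ||
        miss "FORWARD accept for return traffic"
    has "^-A POSTROUTING .*-j (MASQUERADE|SNAT)" ||
        miss "masquerading/SNAT for the LAN"
    return "$missing"
}

sample_rules | audit_smtp_forward 192.168.0.3 && echo "SMTP forwarding rules complete"
```

On a live firewall the same function can be fed with `iptables-save | audit_smtp_forward <mail server IP>`, run as root.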







