LinuxQuestions.org
Old 03-13-2007, 10:00 PM   #1
coal-fire-ice
Member
 
Registered: Nov 2004
Location: SE England
Distribution: Debian, SUSE, Ubuntu, Slackware
Posts: 147

Rep: Reputation: 15
forwarding ssl port to a different ssl port number on a different machine


I have had a look through the forum here and can't see anything like the problem I'm going through at the mo - so I'm just asking for advice on how you would tackle this problem.

here it is:

I have 2 mail servers serving SSL encrypted POP3 (port 995) and SSL encrypted SMTP (port 465) - they do not allow users to send email through the unencrypted SMTP port 25.

Unfortunately in moving some clients over we have found a problem with a major ISP - that is, they filter out the SMTP packets sent on port 465 to our servers.

The obvious solution would be to change the SSL SMTP port on the servers, but unfortunately this is not a viable option as I have absolutely no control over the servers at all - I mean I have the physical machines but I do not have any passwords etc.

So what I thought the next best idea would be is to use another machine that I have (currently two are available with no real tasks: one running Debian 3r(something) (latest as of 3 days ago) and one running Slackware 11) and use it to serve encrypted SSL on, for example, port 25 (but any port, so long as the ISP doesn't filter that specific port) and then forward that on to the existing mail servers on port 465, so that basically the client cannot tell the difference and it would be as if they were using the existing mail servers (obviously using a different server name for sending, but otherwise...)

I am still very much a newbie to Linux - even though I have learnt much since I started using it - and thus have absolutely no idea how to do this without using something like IPCop as the machine to do the port forwarding - except that this wouldn't be ideal as the machines need to be directly out on the internet - not behind a firewall.

I really would appreciate your views on this - the best solution, a program I may need to use, or anything you think helpful.

thanks in advance
 
Old 03-14-2007, 02:27 PM   #2
Quigi
Member
 
Registered: Mar 2003
Location: Cambridge, MA, USA
Distribution: Ubuntu (Dapper and Heron)
Posts: 377

Rep: Reputation: 31
Yesterday we had this thread: http://www.linuxquestions.org/questi...d.php?t=536957

Assuming a mail server has IP address 10.0.0.99, and you're sure you want to serve encrypted SMTP on :25, you'd use something like
Code:
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 25 -j DNAT --to-destination 10.0.0.99:465
You hope
Quote:
basically the client cannot tell the difference and it would be as if they were using the existing mail servers
They will also have to enable ssl encryption in spite of talking to port 25. This may confuse users or their software. It might be better to use some high port, like 10465, instead of a well-known port with a slightly different purpose.
 
Old 03-14-2007, 05:04 PM   #3
coal-fire-ice
Member
 
Registered: Nov 2004
Location: SE England
Distribution: Debian, SUSE, Ubuntu, Slackware
Posts: 147

Original Poster
Rep: Reputation: 15
It certainly does confuse users, unfortunately - but we can deal with their confusion because we can easily visit most of our clients who have trouble and will happily set up the email for them.

We cannot however sort out the issue that 3 in the first 5 users migrated to our new servers were unable to send because their ISP filtered SMTP on 465 (due to spam related issues). Now unfortunately I'm rather junior in the company and the guy who set up the mail servers doesn't have such a grasp on business (the client is right more often than not, and make the client happy) (not to dis him or anything because he's a technical genius - he just doesn't do clients). He says it's the clients' problem and they've got to deal with it - get a new ISP or something - and so he won't change the ports on the server or give me or anyone else access to the servers to change the port.

However - and this is my problem - I could do port forwarding if the mail servers were on an internal network, but they each have separate WAN IP addresses and connect directly to the web - not through any kind of firewall or anything. So I need something that will do the port forwarding while itself having a WAN IP address, and using just that one NIC and that one address to forward the port.

So really I'm looking for something like WAN port 25 to WAN port 465 on host...

If this is possible.

thanks

Last edited by coal-fire-ice; 03-14-2007 at 05:06 PM.
 
Old 03-14-2007, 05:17 PM   #4
Quigi
Member
 
Registered: Mar 2003
Location: Cambridge, MA, USA
Distribution: Ubuntu (Dapper and Heron)
Posts: 377

Rep: Reputation: 31
Quote:
Originally Posted by coal-fire-ice
we cannot however sort out the issue that 3 in the first 5 users migrated to our new servers were unable to send because their ISP filtered SMTP on 465 (due to spam related issues)
Their ISP wants them to talk to the ISP's SMTP server and no one else. (Quite possibly 25 is blocked too.) Of course that's wrong on the ISP's part, but what can you do? Cheat.

Quote:
however - and this is my problem - I could do port forwarding if the mail servers were on an internal network - but they each have separate WAN IP addresses and connect directly to the web - not through any kind of firewall or anything. so I need something that will do the port forwarding while itself having a WAN IP address
Did you try it? What happened? For an experiment, you could just tunnel with ssh (instead of using iptables).

Quote:
and using just that one NIC and that one address to forward the port.
You can leave out "-i $WAN_IF" then. It shouldn't matter.

Yes it's possible. What happens when you try?
 
Old 03-14-2007, 06:25 PM   #5
coal-fire-ice
Member
 
Registered: Nov 2004
Location: SE England
Distribution: Debian, SUSE, Ubuntu, Slackware
Posts: 147

Original Poster
Rep: Reputation: 15
We know the ISP won't block SMTP on port 25 - because we have been using that before with this particular ISP.

I have never used iptables before or even heard of it till this problem, and I have no idea where to start with it. So

please correct me if I'm wrong

and will Slack 11 have it installed by default? (I just installed everything it came with except tcl/tcx or whatever it was and the extra languages.)


So the command I give would be:

iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 213.38.x.x:465

and the desired effect is to translate port 25 on the machine I give the command on into port 465 on 213.38.x.x

is this right?

Presumably this would also work if I substituted port 25 for a different port like 10465, like you previously suggested.

thanks for all the help so far

Last edited by coal-fire-ice; 03-14-2007 at 06:26 PM.
 
Old 03-15-2007, 09:26 AM   #6
Quigi
Member
 
Registered: Mar 2003
Location: Cambridge, MA, USA
Distribution: Ubuntu (Dapper and Heron)
Posts: 377

Rep: Reputation: 31
Most likely iptables gets installed by default. Try iptables -L; it should list the content of the "filter" table, even if it's quite empty. If iptables is not installed, you get a message to that effect. A command line similar to what you quote should work. (I did not try this; it may need some tweaking, and I don't know how.)

While iptables is the better, more permanent solution, I found it easier to temporarily forward a port using ssh. E.g.,
Code:
ssh -g -L 8765:www.google.com:80 localhost
(This forwarding feature can be used to tunnel ports through an ssh connection. When connecting to localhost, the "L"ocal and "R"emote side are the same machine. The -g option, which only works with -L, lets you create a gateway, i.e., it listens on all your interfaces, so other clients can use it too.)
Anyway, while that shell is running, anyone can point their browser at http://yourhost:8765, and they'll see exactly what they'd get at www.google.com. I chose the HTTP example because it's easy to see a result.

Note that if you want to listen on a port < 1024 (instead of 8765), you need to run ssh as root, e.g., inside sudo.

Try this experiment (substituting SSL SMTP port 465) to see the forwarding for access to mail servers. BTW, there's one question we haven't addressed: how is traffic distributed across your two servers?
 
Old 03-15-2007, 12:30 PM   #7
Quigi
Member
 
Registered: Mar 2003
Location: Cambridge, MA, USA
Distribution: Ubuntu (Dapper and Heron)
Posts: 377

Rep: Reputation: 31
OK, now I did try it out with iptables instead of ssh. This time I forwarded port 8880 of host 192.168.2.5; I had to use an IP address instead of the name for Google. I had this written up when my browser crashed. So here goes again, in short -- I'll be happy to fill in the gaps, so please please ask specific questions.

I needed the following commands, all of which require root privilege (except "echo 1", but writing to /proc does, e.g., by tee):
Code:
iptables -A PREROUTING -t nat -p tcp -d 192.168.2.5 --dport 8880 -j DNAT --to 64.233.161.99:80
iptables -I FORWARD -p tcp -d 64.233.161.99 --dport 80 -j ACCEPT
iptables -A POSTROUTING -t nat -p tcp -d 64.233.161.99 --dport 80 -j SNAT --to 192.168.2.5
echo 1 | tee /proc/sys/net/ipv4/ip_forward
You can inspect your chains, before and after modifying them with the above commands by, e.g.,
Code:
iptables -L FORWARD
iptables -t nat -L
The ssh solution is simple but ephemeral -- it only lasts as long as the ssh session. With iptables, it stays in effect until you reboot, or remove the rules using iptables -D. And if you save the rules to the right place, the redirection will persist, i.e., it gets re-established at reboot. Different distributions save in different places, e.g., /etc/sysconfig/iptables or /var/lib/iptables/rules-save. However, saving your tables once they work may be as simple as
Code:
/etc/init.d/iptables save
Otherwise, use some GUI tool (don't ask me!) or read the script /etc/init.d/iptables to find where things are.

NAT-HOWTO, man iptables
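The single DNAT line from post #2, the ssh -L experiment from post #6 and the full PREROUTING/FORWARD/POSTROUTING set from post #7 all describe the same thing: a host with one public address accepting TLS connections on one port and handing them to the mail server on 465. The script below is an added example written for this thread; it is not code from the posts or from the iptables project. It packages the post #7 rule set with input validation, a preview mode that needs no root, an idempotent apply step (each rule is added only if `-C` says it is absent) and a matching remove step. It assumes IPv4 only, a forwarder with a single public address, an iptables that understands `-C` (1.4.11 or later) and the `state` match module; the script name ssl-forward.sh and the addresses 192.0.2.10 and 203.0.113.5 are constructed placeholders. It goes one step beyond post #7 by also accepting ESTABLISHED,RELATED traffic in FORWARD, which matters when that chain's policy is DROP.

```shell
#!/bin/sh
# Added example (not code from the thread): the PREROUTING/FORWARD/POSTROUTING
# rule set from post #7, wrapped in a script with input validation, a preview
# mode that needs no root, an idempotent apply step and a matching remove step.
# Assumptions: IPv4 only; the forwarder has one public address; iptables
# understands -C (rule-exists check, iptables 1.4.11 or later); the state match
# module is available. The script name and every address below are constructed.

IPTABLES="${IPTABLES:-iptables}"

# valid_port N: succeeds if N is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D: succeeds if there are exactly four octets, each 0..255.
valid_ipv4() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
}

# forward_rules LISTEN_IP LISTEN_PORT BACKEND_IP BACKEND_PORT
# Emits one rule per line as "TABLE CHAIN rule-spec"; fails on bad input.
forward_rules() {
    valid_ipv4 "$1" && valid_port "$2" && valid_ipv4 "$3" && valid_port "$4" || return 1
    # 1. Rewrite the destination of packets that arrive for our own address.
    #    Matching -d keeps the rule from touching traffic merely routed through us.
    echo "nat PREROUTING -p tcp -d $1 --dport $2 -j DNAT --to-destination $3:$4"
    # 2. FORWARD sees both directions; allow replies of tracked connections
    #    (post #7 omits this, which only works while the chain policy is ACCEPT).
    echo "filter FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. Allow the rewritten client packets through to the backend.
    echo "filter FORWARD -p tcp -d $3 --dport $4 -j ACCEPT"
    # 4. Rewrite the source to our own address so the backend replies to us.
    #    Without this the backend answers the client directly from its own IP,
    #    the reply matches no connection the client opened, and the handshake
    #    never completes.
    echo "nat POSTROUTING -p tcp -d $3 --dport $4 -j SNAT --to-source $1"
}

# preview_forward ARGS...: print the iptables commands without running them.
preview_forward() {
    forward_rules "$@" >/dev/null || return 1
    forward_rules "$@" | while read -r table chain spec; do
        echo "iptables -t $table -A $chain $spec"
    done
}

# apply_forward ARGS...: add each rule only if it is absent, then enable routing.
apply_forward() {
    forward_rules "$@" >/dev/null || return 1
    forward_rules "$@" | while read -r table chain spec; do
        # $spec is deliberately unquoted: it is a list of separate arguments.
        $IPTABLES -t "$table" -C "$chain" $spec 2>/dev/null ||
            $IPTABLES -t "$table" -A "$chain" $spec
    done
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# remove_forward ARGS...: delete exactly the rules apply_forward added.
remove_forward() {
    forward_rules "$@" >/dev/null || return 1
    forward_rules "$@" | while read -r table chain spec; do
        $IPTABLES -t "$table" -D "$chain" $spec
    done
}

# Usage: SSL_FORWARD=preview sh ssl-forward.sh 192.0.2.10 25 203.0.113.5 465
#        SSL_FORWARD=apply   sh ssl-forward.sh ...   (as root)
#        SSL_FORWARD=remove  sh ssl-forward.sh ...   (as root)
# Nothing runs unless SSL_FORWARD is set, so the file can also be sourced.
case "${SSL_FORWARD:-}" in
    preview) preview_forward "$@" ;;
    apply)   apply_forward "$@" ;;
    remove)  remove_forward "$@" ;;
esac
```

Two things to keep in mind when running this in the setup described in the thread. The SNAT step means the mail server logs every forwarded session as coming from the forwarder's address, not the client's, so abuse tracing has to be done on the forwarder (conntrack or a packet capture there still shows the real client). And the TLS session stays end-to-end between the client and the mail server; the forwarder never sees plaintext, but it also cannot fix a certificate whose name does not match the server name the clients are told to use.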
 
  

