Old 01-24-2007, 12:39 PM   #1
daveginorge
Member
 
Registered: Oct 2006
Location: Porsgrunn, Norway
Distribution: CentOS 5 / 6 / 7
Posts: 107

Rep: Reputation: 16
IPTABLES and SMTP


Hi All

I am using my FC5 box as a firewall to Server 2003 running an SMTP
outgoing mail server. I have redirected all port 25 traffic that comes in
the gateway to the Windows box and this works fine from outside the LAN.

My question is how do I redirect the port 25 traffic from the PCs on
the LAN to the Windows box. It all works if I use just the Windows box
name "Server" but I would like it so that laptop users can access the
SMTP server without having to change the SMTP server settings in the
email client each time they travel.

Thanks in advance.

Here are the tables I am running.

# Windows Server 2003 IP 192.168.1.10.
# Public IP static. 195.195.195.195
# ETH0 Local Area Network
# ETH1 Internet
#
# Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# User defined chain for ACCEPTed TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

# ******************************************************************
# ********************* INPUT chain rules **************************
# ******************************************************************

# Rules for incoming packets
iptables -A INPUT -p ALL -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 192.168.1.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 195.195.195.195 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -d 192.168.1.255 -j ACCEPT

# Packets for ESTABLISHED connections
iptables -A INPUT -p ALL -d 195.195.195.195 -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP rules

# DNS Lookup
iptables -A INPUT -p TCP -i eth1 -s 0/0 --destination-port 53 -j okay

# IDENTD service
iptables -A INPUT -p TCP -i eth1 -s 0/0 --destination-port 113 -j okay

# UDP rules
iptables -A INPUT -p UDP -i eth1 -s 0/0 --destination-port 53 -j ACCEPT

# ICMP rules
iptables -A INPUT -p ICMP -i eth1 -s 0/0 --icmp-type 8 -j DROP
iptables -A INPUT -p ICMP -i eth1 -s 0/0 --icmp-type 11 -j ACCEPT

# ******************************************************************
# ******************* FORWARD chain rules **************************
# ******************************************************************

# Accept the packets to forward

# SMTP
iptables -A FORWARD -p tcp -i eth1 --dport 25 -d 192.168.1.10 -j ACCEPT

iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# ******************************************************************
# ******************** OUTPUT chain rules **************************
# ******************************************************************

# Only packets with a local address (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 195.195.195.195 -j ACCEPT

# ******************************************************************
# ******************** PREROUTING chain values ********************
# ******************************************************************

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 192.168.1.10:25

# ******************************************************************
# ******************** POSTROUTING chain values ********************
# ******************************************************************
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 195.195.195.195
 
Old 01-24-2007, 04:14 PM   #2
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Check out the links in post #4. http://www.linuxquestions.org/questi...highlight=dnat
This is common on store-bought routers, and the same on Linux unless some DNAT iptables commands are added to redirect it correctly on the WAN side of the Linux router. There are a few other posts on this. Use the advanced search tool here for dnat and user Capt_Caveman.

Brian
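
The kind of DNAT addition the reply refers to, sketched as an added example that is not code from either poster: it prints (rather than applies) the two NAT rules that let LAN clients reach the mail server via the firewall's public address. Interface names and addresses are taken from post #1; the firewall's LAN address 192.168.1.1 is an assumption inferred from that post's INPUT/OUTPUT rules.

```shell
#!/bin/sh
# Added example (not from the thread): print the two NAT rules that let LAN
# clients reach the mail server through the firewall's public address.
# Addresses come from post #1; FW_LAN_IP is inferred from its INPUT/OUTPUT rules.
LAN_IF=eth0
LAN_NET=192.168.1.0/24
FW_LAN_IP=192.168.1.1
PUBLIC_IP=195.195.195.195
SERVER_IP=192.168.1.10
PORT=25

# Return 0 only for a dotted-quad IPv4 address with every octet <= 255.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Print the rules instead of applying them, so they can be reviewed first.
hairpin_rules() {
    for ip in "$FW_LAN_IP" "$PUBLIC_IP" "$SERVER_IP"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    # 1. A LAN client connecting to the public IP on port 25 is redirected
    #    to the mail server (the existing DNAT rule only matches -i eth1).
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $PUBLIC_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVER_IP:$PORT"
    # 2. Rewrite the source as well; otherwise the server answers the client
    #    directly on the LAN and the client drops the unexpected reply.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $SERVER_IP -p tcp --dport $PORT -j SNAT --to-source $FW_LAN_IP"
    # Forwarding is already permitted by "-A FORWARD -i eth0 -j ACCEPT".
}

hairpin_rules
```

Review the printed rules before running them as root. Because of rule 2, the mail server sees every hairpinned connection as coming from 192.168.1.1, so its relay restrictions and logs no longer distinguish individual LAN clients.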