Old 11-26-2006, 07:42 PM   #1
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,428

Rep: Reputation: 53
iptables - port forwarding


Hi folks,

Ubuntu-6.06.1-LAMP-server-amd64

Which file do I have to check for the iptables policy, to see:

- whether port 25 has been forwarded to the server?

$ sudo iptables -L
Code:
Password:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I need to enable forwarding of port 25 to the server.

Which file contains "server name" ?

I suppose iptables is running;

$ dpkg -l | grep iptables
Code:
ii  iptables                                         1.3.3-2ubuntu4
              Linux kernel 2.4+ iptables administration to
Is there any other way to check?

TIA


B.R.
satimis

Last edited by satimis; 11-26-2006 at 07:56 PM.
 
Old 11-27-2006, 12:33 AM   #2
sal_paradise42
Member
 
Registered: Jul 2003
Location: Utah
Distribution: Gentoo FreeBSD 5.4
Posts: 150

Rep: Reputation: 16
should be on the nat table

"iptables -nL -t nat | grep 25"
 
Old 11-27-2006, 02:12 AM   #3
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,428

Original Poster
Rep: Reputation: 53
Quote:
Originally Posted by sal_paradise42
should be on the nat table

"iptables -nL -t nat | grep 25"
Hi sal_paradise42,

Tks for your advice

$ sudo iptables -nL -t nat | grep 25
No printout

I don't know whether ISP blocks port 25 or I need to enable port forwarding on port 25 to server.

Performed the following test:

$ sudo /etc/init.d/firewall stop
Code:
Removing all iptables rules:  [End of flush]
$ sudo telnet localhost 25
Code:
Password:
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 server1.example.com ESMTP Postfix (Ubuntu)
ehlo satimis.homelinux.com
250-server1.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
mail from: myself@satimis.homelinux.com
250 Ok
rcpt to: satimis@yahoo.com
250 Ok
data
354 End data with <CR><LF>.<CR><LF>

Subject: Test

This is a test, a test
.
250 Ok: queued as 72999754068
quit
221 Bye
Connection closed by foreign host.
No error found on /var/log/mail.err, only an empty file.

$ cat /var/log/mail.log
Code:
......
Nov 27 14:21:40 ubuntu postfix/smtp[5600]: connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out (port 25)
Nov 27 14:21:40 ubuntu postfix/smtp[5597]: connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out (port 25)
Nov 27 14:21:40 ubuntu postfix/smtp[5600]: 8452B754052: to=<satimis@yahoo.com>, relay=none, delay=232642, status=deferred (connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out)
Nov 27 14:21:40 ubuntu postfix/smtp[5597]: 1A25F754050: to=<satimis@yahoo.com>, relay=none, delay=232996, status=deferred (connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out)
Nov 27 14:21:40 ubuntu postfix/smtp[5598]: connect to h.mx.mail.yahoo.com[66.196.97.250]: Connection timed out (port 25)
Nov 27 14:21:40 ubuntu postfix/smtp[5598]: 58B9D75404C: to=<satimis@yahoo.com>, relay=none, delay=365906, status=deferred (connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out)
Nov 27 14:21:40 ubuntu postfix/smtp[5596]: connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out (port 25)
Nov 27 14:21:40 ubuntu postfix/smtp[5596]: 172E6754048: to=<satimis@yahoo.com>, relay=none, delay=410465, status=deferred (connect to h.mx.mail.yahoo.com[66.196.97.250]: Connection timed out)
Nov 27 14:21:40 ubuntu postfix/qmgr[5587]: D50EC754060: to=<satimis@yahoo.com>, relay=none, delay=66296, status=deferred (delivery temporarily suspended: connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out)
Nov 27 14:22:44 ubuntu postfix/smtpd[5970]: connect from localhost.localdomain[127.0.0.1]
Nov 27 14:25:27 ubuntu postfix/smtpd[5970]: 72999754068: client=localhost.localdomain[127.0.0.1]
Nov 27 14:25:53 ubuntu postfix/cleanup[5981]: 72999754068: message-id=<20061127062527.72999754068@server1.example.com>
Nov 27 14:25:53 ubuntu postfix/qmgr[5587]: 72999754068: from=<myself@satimis.homelinux.com>, size=416, nrcpt=1 (queue active)
Nov 27 14:25:53 ubuntu postfix/qmgr[5587]: 72999754068: to=<satimis@yahoo.com>, relay=none, delay=44, status=deferred (delivery temporarily suspended: connect to h.mx.mail.yahoo.com[209.191.118.103]: Connection timed out)
Nov 27 14:26:00 ubuntu postfix/smtpd[5970]: disconnect from localhost.localdomain[127.0.0.1]
Tried gmail.com with same result.

Is there any way of checking the ISP? Earlier I came across a thread that used "cpan" to check port 25; unfortunately I forgot the command line.

Tks.


B.R.
satimis
 
Old 11-27-2006, 04:46 AM   #4
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,428

Original Poster
Rep: Reputation: 53
Hi sal_paradise42,

Found that port 25 is not blocked by the ISP:

http://www.grc.com/default.htm
ShieldsUP!

Port 25
Code:
GRC Port Authority Report created on UTC: 2006-11-27 at 09:24:50

Results from probe of port: 25

    1 Ports Open
    0 Ports Closed
    0 Ports Stealth
---------------------
    1 Ports Tested

THE PORT tested was found to be: OPEN.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.
Common ports
Code:
----------------------------------------------------------------------

GRC Port Authority Report created on UTC: 2006-11-27 at 09:20:22

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 
                            119, 135, 139, 143, 389, 443, 445, 
                            1002, 1024-1030, 1720, 5000

    4 Ports Open
   17 Ports Closed
    5 Ports Stealth
---------------------
   26 Ports Tested

Ports found to be OPEN were: 25, 110, 143, 443

Ports found to be STEALTH were: 80, 135, 139, 445, 5000

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.
$ dpkg -l | grep postfix
Code:
ii  postfix                                          2.2.10-1ubuntu0.1              A high-performance mail transport agent
$ dpkg -l | grep courier
Code:
ii  courier-authdaemon                               0.47-13ubuntu5.1              Courier Mail Server - Authentication daemon
ii  courier-base                                     0.47-13ubuntu5.1              Courier Mail Server - Base system
ii  courier-imap                                     3.0.8-13ubuntu5.1              Courier Mail Server - IMAP server
ii  courier-imap-ssl                                 3.0.8-13ubuntu5.1              Courier Mail Server - IMAP over SSL
ii  courier-pop                                      0.47-13ubuntu5.1              Courier Mail Server - POP3 server
ii  courier-pop-ssl                                  0.47-13ubuntu5.1              Courier Mail Server - POP3 over SSL
ii  courier-ssl                                      0.47-13ubuntu5.1              Courier Mail Server - SSL/TLS Support
They are running.

Firewall stopped during test.
$ sudo /etc/init.d/firewall stop
Password:
Removing all iptables rules: [End of flush]


There must be something else.

Tks.

B.R.
satimis
 
Old 11-27-2006, 05:13 AM   #5
nuxrl
Member
 
Registered: Jun 2006
Location: NY, USA
Distribution: Slackware, Arch
Posts: 176

Rep: Reputation: 35
You need to tell us a little more before people can help you. How do you connect to the Internet? Is there a router between the server and the ISP's connection? What you have done shows us,

1. your mail server is listening on port 25;
2. you have Internet connection and the outgoing traffic to port 25 is not blocked.

If there's a router involved, forward traffic on port 25 to your local server and use another box not on your home network (from a net cafe or work, for example) and try
Code:
telnet your_domain/wan_IP 25
Most ISPs block incoming traffic on port 25. If that's the case, you need to:
1. run postfix on another port other than default 25;
2. find another place to forward traffic to 25 to your new port.

Hope this helps.
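As an added example (not code from any post in this thread), here is the telnet test from post #3 and the check suggested above in script form: it connects, reads the banner, sends EHLO and reports a timeout (filtered, the "Connection timed out" symptom from the mail log) separately from a refused connection. The fake server, host names and responses are constructed for illustration.

```python
import socket
import threading

def read_reply(f):
    """Read one SMTP reply; '250-' lines continue, '250 ' (space) ends it."""
    code, lines = 0, []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        code, lines = int(line[:3]), lines + [line[4:]]
        if len(line) < 4 or line[3] == " ":
            return code, lines

def probe_smtp(host, port=25, helo="probe.example", timeout=5.0):
    """Classify host:port as seen by a client.  state is 'open' (a server greeted
    us; banner and EHLO keywords filled in), 'refused' (RST: host reachable,
    nothing listens) or 'filtered' (timeout: a firewall or ISP drops packets)."""
    res = {"state": "filtered", "banner": None, "ext": []}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        res["state"] = "refused"
        return res
    except OSError:                  # timeout or no route: nothing answered
        return res
    with sock, sock.makefile("rb") as f:
        code, lines = read_reply(f)
        res["state"], res["banner"] = "open", lines[0]
        if code == 220:
            sock.sendall(f"EHLO {helo}\r\n".encode())
            code, lines = read_reply(f)
            if code == 250:          # line 0 is the server name, rest are keywords
                res["ext"] = [l.split()[0] for l in lines[1:]]
            sock.sendall(b"QUIT\r\n")
    return res

def fake_smtp_server(banner, ehlo_lines):
    """Constructed test peer on 127.0.0.1 answering like the Postfix session above."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as f:
            conn.sendall(f"220 {banner}\r\n".encode())
            if f.readline().upper().startswith(b"EHLO"):
                body = "".join(f"250-{l}\r\n" for l in ehlo_lines[:-1])
                conn.sendall(f"{body}250 {ehlo_lines[-1]}\r\n".encode())
            f.readline()             # QUIT (or EOF)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port():
    """A TCP port on 127.0.0.1 with no listener, for the 'refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run against your WAN address from a host outside your network; "filtered" on port 25 while the local telnet succeeds is the signature of an ISP or upstream block.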
 
Old 11-27-2006, 05:58 AM   #6
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,428

Original Poster
Rep: Reputation: 53
Hi nuxrl,

Tks for your advice.

Quote:
How do you connect to the Internet? Is there a router between the server and the ISP's connection? What you have done shows us,
The server is connected to ISP via an ADSL modem, which is only a modem, no setup is needed. Another end of the modem is connected to a telephone wall socket.

Quote:
1. your mail server is listening on port 25;
2. you have Internet connection and the outgoing traffic to port 25 is not blocked.
Yes, I stopped iptables before making the test. Is there any other device or file blocking port 25?

Quote:
try
Code:
telnet your_domain/wan_IP 25
$ sudo telnet satimis.homelinux.com/wan_IP 25
Code:
telnet: could not resolve satimis.homelinux.com/wan_IP/25: Name or service not known
I would like to clarify the following first. After registration DYNDNS.ORG sent me a reply
Code:
Hostname:  satimis.homelinux.com
IP Address: 58.152.161.53
Wildcard:  Y
Mail Exchanger: None
Backup MX:  Y
Is it "Hostname"="mydomain"? Tks

Quote:
Most ISPs block incoming traffic on port 25. If that's the case, you need,
1. run postfix on another port other than default 25;
2. find another place to forward traffic to 25 to your new port.
According to the "GRC Port Authority Report" port 25 is open, nor is it stealth.


B.R.
satimis
 
Old 11-27-2006, 07:57 AM   #7
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Satimis,

Few points :
1. As you neither have the default FORWARD policy set to DROP nor run any other explicit DROP rule in FORWARD, the only thing you need to forward packets received from the internet to another box (server) is DNATing.

2. I didn't find port 25 in the OPEN state at your IP. (I nmapped you for this.)

Quote:
Originally Posted by satimis
I need to enable forwarding port 25 to server
Which file contains "server name" ?
3. At any point you can refer to your server via its IP as well, instead of its host/domain name.

So my suggestion is to add a DNAT rule to the firewall running on this box and leave the FORWARD chain as it is (though that is not recommended).
 
Old 11-27-2006, 08:32 AM   #8
nuxrl
Member
 
Registered: Jun 2006
Location: NY, USA
Distribution: Slackware, Arch
Posts: 176

Rep: Reputation: 35
Hi Satimis,

Thanks for the information.

Besides amitsharma_26's suggestion to use a DNAT rule in iptables, another option is to change /etc/postfix/main.cf to have,

Code:
inet_interfaces = all
and restart postfix. This will force postfix to listen on all active interfaces on your server.
 
Old 11-27-2006, 09:21 AM   #9
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,428

Original Poster
Rep: Reputation: 53
Hi nuxrl,

Tks for your advice.

Quote:
Besides amitsharma_26's suggestion to use a DNAT rule in iptables, another option is to change /etc/postfix/main.cf to have,

Code:
inet_interfaces = all
$ cat /etc/postfix/main.cf | grep inet_interfaces
Code:
inet_interfaces = all
It is already there.

$ cat /etc/postfix/main.cf
Code:
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = /etc/postfix/local-host-names
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
mailbox_command =
home_mailbox = Maildir/
virtual_maps = hash:/etc/postfix/virtusertable
B.R.
satimis
 
Old 11-27-2006, 09:58 AM   #10
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,428

Original Poster
Rep: Reputation: 53
Hi amitsharma_26,

Tks for your advice.

Quote:
2. I didn't find port 25 in the OPEN state at your IP. (I nmapped you for this.)
Performed the following tests:

To scan all reserved TCP ports on the PC satimis.homelinux.com
$ sudo nmap -v satimis.linux.com
Code:
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-11-27 22:43 HKT
DNS resolution of 1 IPs took 8.29s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 2, CN: 1]
Initiating SYN Stealth Scan against ostg.com (66.35.250.177) [1674 ports] at 22:43
Discovered open port 80/tcp on 66.35.250.177
Increasing send delay for 66.35.250.177 from 0 to 5 due to max_successful_tryno increase to 4
Increasing send delay for 66.35.250.177 from 5 to 10 due to max_successful_tryno increase to 5
Increasing send delay for 66.35.250.177 from 10 to 20 due to max_successful_tryno increase to 6
Increasing send delay for 66.35.250.177 from 20 to 40 due to 11 out of 12 dropped probes since last increase.
SYN Stealth Scan Timing: About 3.02% done; ETC: 23:00 (0:16:05 remaining)
Increasing send delay for 66.35.250.177 from 40 to 80 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 66.35.250.177 from 80 to 160 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 66.35.250.177 from 160 to 320 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 66.35.250.177 from 320 to 640 due to 11 out of 11 dropped probes since last increase.
Increasing send delay for 66.35.250.177 from 640 to 1000 due to 11 out of 19 dropped probes since last increase.
caught SIGINT signal, cleaning up

To scan port 25
$ sudo nmap -p 25 satimis.homelinux.com
Code:
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-11-27 22:45 HKT
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 2.256 seconds

$ sudo nmap -P0 satimis.homelinux.com
Code:
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-11-27 22:47 HKT
Interesting ports on n058152161053.netvigator.com (58.152.161.53):
(The 1673 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE
113/tcp closed auth

Nmap finished: 1 IP address (1 host up) scanned in 26.911 seconds
What is "n058152161053.netvigator.com (58.152.161.53)"? netvigator.com is my ISP.

Quote:
So my suggestion is to add a DNAT rule to the firewall running on this box and leave the FORWARD chain as it is (though that is not recommended).
What command shall I run? TIA


B.R.
satimis
 
Old 11-27-2006, 10:57 AM   #11
sal_paradise42
Member
 
Registered: Jul 2003
Location: Utah
Distribution: Gentoo FreeBSD 5.4
Posts: 150

Rep: Reputation: 16
So, is your ADSL modem connected to a router of some kind, or is it connected to the server? Because if the server is connected directly to the modem you may not be doing NAT, and then port forwarding is not needed.
 
Old 11-27-2006, 01:02 PM   #12
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Rep: Reputation: 31
Quote:
Originally Posted by satimis
What command shall I run.
Code:
iptables -t nat -A PREROUTING -p tcp -i <eth-wan-interface> --dport 25 -j DNAT --to <serverip--to-forward>
Also set your server (the one to which you are forwarding port 25) to have the firewall box as its gateway.
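Post #2's check (`iptables -nL -t nat | grep 25`) and the DNAT rule above answer the original question; as an added example, not code from the thread or from any poster, here is a small parser for that `iptables -nL` listing format that reports which DNAT rules cover a given port, run over a constructed sample (the addresses are assumptions):

```python
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_iptables_list(text):
    """Parse `iptables -nL [-t table]` output into {chain: [rule, ...]}; each rule
    has target/prot/opt/source/destination plus 'extra', the free-text match
    column (e.g. 'tcp dpt:25 to:192.168.1.10')."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif not line or line.startswith("target ") or current is None:
            continue                      # blank line or the column header
        else:
            cols = line.split(None, 5)
            if len(cols) < 5:
                continue
            rule = dict(zip(("target", "prot", "opt", "source", "destination"), cols))
            rule["extra"] = cols[5] if len(cols) == 6 else ""
            chains[current].append(rule)
    return chains

def find_port_forwards(nat_listing, port):
    """Is TCP `port` DNATed anywhere in the nat table?  Returns a list of
    (chain, 'to:' address) for every DNAT rule that covers that port."""
    hits = []
    for chain, rules in parse_iptables_list(nat_listing).items():
        for r in rules:
            if r["target"] != "DNAT" or r["prot"] not in ("tcp", "all"):
                continue
            m = re.search(r"dpts?:(\d+)(?::(\d+))?", r["extra"])
            if m:                         # explicit --dport or a port range
                lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
                if not lo <= port <= hi:
                    continue
            # no port match at all means the rule covers every port
            to = re.search(r"to:(\S+)", r["extra"])
            hits.append((chain, to.group(1) if to else ""))
    return hits

# Constructed sample of `iptables -t nat -nL` after adding a DNAT rule like the
# one above (the -i interface match is not shown without -v).
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:192.168.1.10
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:110:143 to:192.168.1.11

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""
```

An empty result on the OP's box is expected: with the modem wired straight to the server there is no NAT hop, so no DNAT rule is needed and the port simply has to be listening and reachable.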
 
Old 11-27-2006, 06:42 PM   #13
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,428

Original Poster
Rep: Reputation: 53
Quote:
Originally Posted by sal_paradise42
So, is your ADSL modem connected to a router of some kind, or is it connected to the server? Because if the server is connected directly to the modem you may not be doing NAT, and then port forwarding is not needed.
Hi,

The ADSL modem is connected directly to the server. It has only 2 sockets, one connected to server with a CAT5 cable and another to telephone wall socket with a telephone line.

B.R.
satimis
 
Old 11-27-2006, 06:54 PM   #14
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,428

Original Poster
Rep: Reputation: 53
Hi amitsharma_26,

Quote:
Code:
iptables -t nat -A PREROUTING -p tcp -i <eth-wan-interface> --dport 25 -j DNAT --to <serverip--to-forward>
Also set your server (the one to which you are forwarding port 25) to have the firewall box as its gateway.
I suspect my ISP is blocking port 25, because I sent email from it via the ISP broadband to its final destination, a webmail box on Yahoo.

Shall I replace
<eth-wan-interface>
<serverip--to-forward>

with something? Or just run the command line exactly as you wrote it above? Tks.


B.R.
satimis
 
Old 11-27-2006, 07:34 PM   #15
sal_paradise42
Member
 
Registered: Jul 2003
Location: Utah
Distribution: Gentoo FreeBSD 5.4
Posts: 150

Rep: Reputation: 16
satimis,

amitsharma_26 assumes that you are using a Linux box that connects to your DSL modem and is acting as a router/NAT device. Is this the case? If not, what kind of box do you have connected to your DSL modem? Is it a Netgear, Linksys or something like that?
 
  

