mail server behind linux box

antken · 11-15-2002, 06:29 AM

hi,

due to the recent spate of attacks on one of our mail servers i would like to protect it a bit more, by putting it behind a linux box.

i have iptables installed with mandrake 8.2
is it possible to send all connections from smtp and pop ports through the linux box and make them end up on the mail server?

so:
{internet} <------> [linux box] <---------> [mail server]

the internet is connected to the linux box via interface eth1
and the mail server runs on eth0 allong with some other stuff

is this possible? if so is there a howto?
or if possible please could some one tell me what should be added to iptables

?

thanks

jrmann1999 · 11-15-2002, 12:06 PM

iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to ip.of.mailserver.here:25
iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to ip.of.mailserver.here:110

Use those two lines on your linux box and it should work, you have just specified that you want to forward port 25(and 110) to the address specified, DNAT rewrites the request so it looks like it's coming from the linux box...then rewrites it when the reply comes back...

antken · 11-15-2002, 01:30 PM

thanks for that,

i presume if i set the mail server to talk to the linux box as a gateway people will be able to connect to the mail server and send mail to the out side world

unfortunatly i had to make a switch from ipchains to iptables and i am still getting to grips with it

jrmann1999 · 11-15-2002, 02:46 PM

There's a few more issues w/ getting NAT working, but that was the gist of forwarding. If you search for iptables and nat on google you'll find how to setup the box to talk from behind the firewall. You can do this in other ways to block IP's, but they become complex.

antken · 11-15-2002, 06:06 PM

i also presume the first part of the command: iptables -t nat ...

is like the mount command, you are telling to load the nat module for this rule?

i have been searching google for iptables and nat and most of the results are for firewall sample scripts i have only found so far one how-to but i think i am picking it up now!!

thanks

antken · 11-16-2002, 06:35 PM

i have added the port forwarding into my iptables and it seems to be working

i started to wonder if it was not working when i tried to access the mail server
from the linux box its self but it works from outside the box ( on the net )

i have noticed when i filter out other ports, for example port 21, nmap reports the ports as being filtered

how could i close the port completely using iptables so it does not show what so ever on an nmap scan?

Pcghost · 02-18-2003, 02:07 PM

I would start by setting the default policies to DROP. That should prevent all ports not explicitly opened to show as stealthed on a GRC scan, or non-existent on other scans..