IMAP and SMTP port redirect
Hi everyone,

I have a serious problem. I have this network:

LAN (10.0.0.2/24 255.0.0.0) ---> Linux server (debian, eth0 10.0.0.1, eth1 - 192.168.1.2, 255.255.255.0, gw 192.168.1.1, dns 192.168.1.1) <--NAT on router--> router (192.168.1.1) ---> internet

In the LAN, PCs are not routed through the gateway, because of security; I use squid as an HTTP proxy. Now I need to configure the Linux server to REDIRECT ports 143 and 25 to the WAN. I would like to set the LAN PCs' email clients' IMAP server to 10.0.0.1: when an email client wants to download mail, it asks 10.0.0.1:143 and 10.0.0.1 will send the packets to imap.isp.com (everyone uses the same IMAP server). For SMTP it is the same case. Please advise me how to set the iptables chains on the Linux machine. Thank you very much.
A brief search of this forum will get you several posts that describe port-forwarding setup that will do what you want, though they might not actually mention your particular port numbers.
Even though your Linux server is connected between two Private Internets, the scheme is pretty simple: 1. When SMTP or IMAP packets arrive from the 10.0.0.x network, you need to tell the Linux machine to send them onto the 192.168.1.x subnet, even though that machine does not normally allow traffic between those two networks. To do this, you need port-forwarding specified in iptables, thus:

Code:
# iptables -t nat -A PREROUTING -p tcp -d 10.0.0.1 --dport 25 -j DNAT --to-destination 192.168.1.1:25
# iptables -t nat -A PREROUTING -p tcp -d 10.0.0.1 --dport 143 -j DNAT --to-destination 192.168.1.1:143

Code:
# iptables -A FORWARD -p tcp -m multiport --dports 25,143 -j ACCEPT

Code:
# echo 1 > /proc/sys/net/ipv4/ip_forward

HTH
Thank you very much, but I was not sure that PREROUTING and port forwarding were the right choice.
I will try this solution ASAP. About Debian ip_forward: http://documents.made-it.com/Debian_...Server-13.html.
I must apologize for providing only a partial recommendation for your problem; it was late at night when I wrote my previous post, and I have thought about your problem some more. My initial recommendation will not make your SMTP and IMAP connections work, because it enables the communication path in one direction. But a complete TCP connection requires bi-directional communication. Unfortunately, the outbound port-forwarding I recommended in my last post takes packets from many sources (on the 10.x.x.x network) and makes them all appear on the 192.168.1.x side to have come from a single address. As a result, when a return packet arrives at the boundary machine between these two networks, it cannot properly forward the reply to the correct originator.
Happily, there is a better solution, if the connections all originate on the 10.x.x.x network. (I guess that this must be the situation, since you have two distinct Private Networks, and a shared connection to the public Internet only from the 192.168.1.x side.) The solution is to use the masquerade facility of iptables, which is designed to keep track of the many-to-one mapping that occurs on the boundary machine. Using this facility, the originating packet (from a 10.x.x.x address) is transformed into one that appears to originate on the boundary machine, and is forwarded onto the 192.168.1.x network. In the process, the boundary machine records information about the outbound packet, so that when a reply arrives (addressed to 192.168.1.2) that reply packet can be re-edited so that it can travel onward over the 10.x.x.x network to its correct destination. The rules to make this happen are:

Code:
# iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.0/255.0.0.0 -p tcp -m multiport --dports 25,143 -j SNAT --to-source 192.168.1.2

Good luck.
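A complete rule set that joins the two halves of the advice above, as an added example rather than anything posted in the thread: the PREROUTING DNAT from the first reply (so that 10.0.0.1:25/143 is rewritten to the ISP's server), the source rewrite from the second reply (done here with MASQUERADE), conntrack rules that admit only the replies of tracked connections, and a DROP policy on FORWARD so that turning on ip_forward does not open general routing between the two networks. The interface names and addresses come from the question; the ISP address 198.51.100.25 is a constructed placeholder, since --to-destination needs an IP address rather than the name imap.isp.com.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (and optionally applies)
# the iptables rules that make 10.0.0.1:25 and 10.0.0.1:143 transparently
# reach the ISP's mail server from the 10.x network.

LAN_IF=eth0
WAN_IF=eth1
GW_LAN_IP=10.0.0.1                          # address the LAN mail clients point at
LAN_NET=10.0.0.0/8                          # matches the 255.0.0.0 mask in the question
ISP_MAIL_IP=${ISP_MAIL_IP:-198.51.100.25}   # constructed placeholder (TEST-NET-2)

# Rules shared by both ports. The DROP policy keeps the "LAN is not routed"
# property once ip_forward is enabled; only explicitly admitted flows pass.
shared_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Per-port rules: rewrite the destination on entry, then admit only NEW
# connections that go from the LAN interface to the ISP server on that port.
mail_redirect_rules() {
    port=$1
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -s $LAN_NET -d $GW_LAN_IP --dport $port -j DNAT --to-destination $ISP_MAIL_IP:$port
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -s $LAN_NET -d $ISP_MAIL_IP --dport $port -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# The full script: shared rules first, then SMTP and IMAP.
all_rules() {
    shared_rules
    mail_redirect_rules 25
    mail_redirect_rules 143
}

# Apply only when asked explicitly and running as root; otherwise just print
# the commands so they can be reviewed before touching the firewall.
if [ "${1:-}" = apply ] && [ "$(id -u)" = 0 ]; then
    all_rules | sh -e
else
    all_rules
fi
```

Run without arguments to review the generated commands; run as root with `apply` to load them.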