LinuxQuestions.org
Old 02-02-2008, 12:50 PM   #1
Pistik_ke
LQ Newbie
 
Registered: Apr 2006
Posts: 2

Rep: Reputation: 0
IMAP and SMTP port redirect


Hi everyone,

I have a serious problem; I have this network:

LAN (10.0.0.2/24 255.0.0.0) ---> Linux server (Debian, eth0 10.0.0.1, eth1 192.168.1.2, 255.255.255.0, gw 192.168.1.1, dns 192.168.1.1) <--NAT on router--> router (192.168.1.1) ---> internet

In the LAN, the PCs are not routed through the gateway, for security reasons; I use Squid as an HTTP proxy.
Now I need to configure the Linux server to REDIRECT ports 143 and 25 to the WAN.

I would like to set the LAN PCs' email clients' IMAP server to 10.0.0.1; when an email client wants to download mail, it asks 10.0.0.1:143 and 10.0.0.1 will send the packets to imap.isp.com (everyone uses the same IMAP server).
For SMTP it is the same case.

Please advise me how to set up the iptables chains on the Linux machine.

Thank you very much.

Last edited by Pistik_ke; 02-02-2008 at 01:02 PM. Reason: network topology edit
 
Old 02-03-2008, 01:43 AM   #2
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
A brief search of this forum will get you several posts that describe port-forwarding setup that will do what you want, though they might not actually mention your particular port numbers.

Even though your Linux server is connected between two Private Internets, the scheme is pretty simple:
1. When SMTP or IMAP packets arrive from the 10.0.0.x network, you need to tell the Linux machine to send them onto the 192.168.1.x subnet, even though that machine does not normally allow traffic between those two networks. To do this, you need port-forwarding specified in iptables, thus:
Code:
 # iptables -t nat -A PREROUTING -p tcp -d 10.0.0.1 --dport 25 -j DNAT --to-destination 192.168.1.1:25
 # iptables -t nat -A PREROUTING -p tcp -d 10.0.0.1 --dport 143 -j DNAT --to-destination 192.168.1.1:143
2. This tells the boundary machine what to do with this traffic. Then, if your other rules prevent forwarding between the two sides of this boundary machine (the normal case), you need to permit these packets to be forwarded:
Code:
 # iptables -A FORWARD -p tcp -m multiport --dports 25,143 -j ACCEPT
3. Finally, you may need to turn on IP forwarding on the boundary machine. I am not sure exactly how you make that permanent on a Debian machine, but I am certain that Google will tell you: you need to set a kernel flag thus:
Code:
 # echo 1 > /proc/sys/net/ipv4/ip_forward
If this value is 0, no forwarding will occur, regardless of how many rules you put into the iptables FORWARD chain.

HTH
 
Old 02-03-2008, 05:56 AM   #3
Pistik_ke
LQ Newbie
 
Registered: Apr 2006
Posts: 2

Original Poster
Rep: Reputation: 0
Thank you very much, but I was not sure that PREROUTING and port forwarding were the wise choice.

I will try this solution ASAP.

About Debian ip_forward: http://documents.made-it.com/Debian_...Server-13.html.
 
Old 02-03-2008, 02:16 PM   #4
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
I must apologize for providing only a partial recommendation for your problem; it was late at night when I wrote my previous post, and I have thought about your problem some more. My initial recommendation will not make your SMTP and IMAP connections work, because it enables the communication path in one direction. But a complete TCP connection requires bi-directional communication. Unfortunately, the outbound port-forwarding I recommended in my last post takes packets from many sources (on the 10.x.x.x network) and makes them all appear on the 192.168.1.x side to have come from a single address. As a result, when a return packet arrives at the boundary machine between these two networks, it cannot properly forward the reply to the correct originator.

Happily, there is a better solution, if the connections all originate on the 10.x.x.x network. (I guess that this must be the situation, since you have two distinct Private Networks, and a shared connection to the public Internet only from the 192.168.1.x side.) The solution is to use the masquerade facility of iptables, which is designed to keep track of the many-to-one mapping that occurs on the boundary machine. Using this facility, the originating packet (from a 10.x.x.x address) is transformed into one that appears to originate on the boundary machine, and is forwarded onto the 192.168.1.x network. In the process, the boundary machine records information about the outbound packet, so that when a reply arrives (addressed to 192.168.1.2) that reply packet can be re-edited so that it can travel onward over the 10.x.x.x network to its correct destination.

The rules to make this happen are
Code:
 # iptables -t nat -A POSTROUTING -o eth1 -p tcp -s 10.0.0.0/255.0.0.0 --dport 25 -j SNAT --to-source 192.168.1.2
 # iptables -t nat -A POSTROUTING -o eth1 -p tcp -s 10.0.0.0/255.0.0.0 --dport 143 -j SNAT --to-source 192.168.1.2
In this situation, you do not need to make any special entry in the FORWARD chain; the SNAT processing bypasses that set of rules. But you do still need to make sure that the kernel setting of /proc/sys/net/ipv4/ip_forward is correct.

Good luck.
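The two replies above each supply half of what the first post asks for: post #2 rewrites the destination (DNAT) and opens the FORWARD chain, post #4 rewrites the source (SNAT) so that replies come back through the boundary machine. A client that is told its IMAP server is 10.0.0.1 needs both, because the DNAT is what sends the connection on to the ISP and the SNAT is what lets conntrack steer the answer back to the right LAN host. The script below is an added example combining the two, not code from either poster. It assumes the interface layout of the first post (LAN on eth0 as 10.0.0.1, router side on eth1 as 192.168.1.2, LAN prefix 10.0.0.0/24), uses 198.51.100.25 as a placeholder for the ISP mail host (the thread only names imap.isp.com; resolve the real address and put it in ISP_MAIL), and the DRY_RUN switch is this script's own, so the rule set can be read before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): relay LAN IMAP/SMTP connections aimed at
# the Debian boundary box to the ISP's mail host with DNAT + SNAT.
# Interface names, the LAN prefix and the DRY_RUN switch are assumptions;
# ISP_MAIL is a placeholder address standing in for imap.isp.com.
LAN_IF=eth0             # LAN side, 10.0.0.1 (from the first post)
WAN_IF=eth1             # router side, 192.168.1.2 (from the first post)
LAN_NET=10.0.0.0/24
LAN_ADDR=10.0.0.1
WAN_ADDR=192.168.1.2
ISP_MAIL=198.51.100.25  # placeholder: replace with the resolved ISP mail host

# run: execute a command, or print it when DRY_RUN=1 so the rules can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

relay_rules() {
    # Forwarding must be on or the FORWARD chain is never consulted.
    # Persistent on Debian: net.ipv4.ip_forward=1 in /etc/sysctl.conf.
    run sysctl -w net.ipv4.ip_forward=1

    for port in 25 143; do
        # 1. PREROUTING DNAT: a LAN client connecting to 10.0.0.1:$port is
        #    rewritten to the ISP host, same port.
        run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp -s "$LAN_NET" -d "$LAN_ADDR" \
            --dport "$port" -j DNAT --to-destination "$ISP_MAIL:$port"
        # 2. FORWARD: permit only this rewritten flow, LAN to WAN.
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$LAN_NET" -d "$ISP_MAIL" \
            --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
        # 3. POSTROUTING SNAT: the ISP sees 192.168.1.2; conntrack maps the reply
        #    back to the originating LAN client (post #4's point).
        run iptables -t nat -A POSTROUTING -o "$WAN_IF" -p tcp -s "$LAN_NET" -d "$ISP_MAIL" \
            --dport "$port" -j SNAT --to-source "$WAN_ADDR"
    done
    # Return traffic for the connections above; nothing else crosses WAN -> LAN.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage:  DRY_RUN=1 sh relay.sh apply   (print the rules)
#         sh relay.sh apply             (install them, as root)
if [ "${1:-}" = apply ]; then
    relay_rules
fi
```

Two caveats a practitioner will hit. The FORWARD rules here match the rewritten destination, so unlike the multiport rule in post #2 they admit only this one flow and only from the LAN side. And because the clients are configured with 10.0.0.1 as the server name, any STARTTLS session on 143 or 25 will present the ISP's certificate for imap.isp.com, which does not match the name the client connected to; either configure the clients with the real hostname (and point that name at 10.0.0.1 in local DNS) or accept that certificate checking fails.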
 
Tags
imap, smtp
All times are GMT -5. The time now is 03:15 AM.