Iptables and mail server

ciberrust · 04-11-2006, 10:59 AM

hello, i have 1 computer that serves as a router, it has 2 nic's one that comes from the cable modem and the other to a switch, the server is a dhcp server dns and also a router, all that is ok i can bwrose on the others pc with dhcp, now... also i set up a mail server using communigate (send mails seem to be to hard for me) i'm using the trial version that puts a header to all the messages...

and i have this firewall setup
--------------------------------------------------------------------------------------------------

#!/bin/sh
#
# initialize firewall
#

echo Flushing old firewall settings
iptables -F
echo Starting firewall...

#DHCP Internet and Connection Sharing Script

# Use Ports as 22 [ssh]
# /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# /sbin/iptables -A INPUT -p tcp --dport 1400 -j ACCEPT
/sbin/iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 555 -j DNAT --to 192.168.0.2:555
/sbin/iptables -A PREROUTING -t nat -p udp -i eth0 --dport 555 -j DNAT --to 192.168.0.2:555
/sbin/iptables -A FORWARD -p tcp --destination-port 555 -j ACCEPT
/sbin/iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 411 -j DNAT --to 192.168.0.2:411
/sbin/iptables -A FORWARD -p tcp --destination-port 411 -j ACCEPT

#localhost 127.0.0.1 and icmp
/sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
/sbin/iptables -A FORWARD -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

/sbin/iptables -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

#Net Sharing
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -j LOG --log-level 4 --log-prefix "ATTACK"
/sbin/iptables -A INPUT -i eth0 -j DROP
#Add your additional rule here
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

# Some output
echo Firewall loaded
iptables -L

----------------------------------------------------------------------------------------------------

Flushing old firewall settings
Starting firewall...
Firewall loaded
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- localhost localhost
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning prefix `ATTACK'
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:555
ACCEPT tcp -- anywhere anywhere tcp dpt:411
ACCEPT all -- localhost localhost

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- localhost localhost
ACCEPT icmp -- anywhere anywhere state NEW,RELATED,ESTABLISHED

Chain tcp_packets (0 references)
target prot opt source destination

----------------------------------------------------------------------------------------------------

now my question is... when i start the firewall i can't recevied any mail, i've tried

iptables -A INPUT -p tcp --sport 25 -j ACCEPT

and

iptables -A INPUT -p tcp --dport 25 -j ACCEPT

nogo...
so what i need is to setup a line in the firewall that allows me to send and received email, without loosing all the others functions like dhcp or nat stuff like that...

thanx in advance

gabsik · 04-11-2006, 04:42 PM

Well,i can't understand much off what you wrote , ... and what are your default input output forward policies options .Anyway i advice you for a good firewall to use a DROP politic for all chains.Then remember this:all that is not explicitally allowed has to be DROPED,and collect documentation about connection tracking.Then look:
$IPT -A INPUT DROP
$IPT -A OUTPUT DROP
$IPT -A FORWARD DROP
$IPT -t nat -A PREROUTING -p tcp -d gateway.host --dport 25 -j DNAT --to mail.server.in.lan:25
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWAD -i eth0 -o eth1 --dport 25 -d mail.server.in.lan -j ACCEPT
$IPT -A OUTPUT -m state --state NEW,RELATED,ESABLISHED
# mail.server.in.lan
$IPT -A INPUT -m state --state ESTABLISHED,RELATED
$IPT -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
What is that 555?and 1400?
For DHCP use:
$IPT -I INPUT -i eth1 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
If you have a router before linuxgateway you have to enable port 25 on the router firewall as well pointing to the linuxbox right behind it,but you have a modem usb-right?!
Anyway i'm going far with fantasy you should give more details about the configuration of your network if you use a linux box with 2eths as router and need to do nat go to my thread still on linuxquestions.org(http://www.linuxquestions.org/questi...d.php?t=432996) where there is the firewall script i'm using,enjoy deb!
GGG - napoli -

abhi.b · 04-12-2006, 03:01 PM

is ur communigate mail server behind this router / gw linux device ?

ciberrust · 04-15-2006, 10:59 PM

here it is http://www.geocities.com/charlee_peluca/fc3.gif
ok that is the setup i have...

and now the question is how do i configure iptables to get communigate to send and receive emails, and not loosing any other serivce, in other word to open the ports needed by the mail server, so i can be more protected but to received and send emails... also i need to use 1 account from outside ...

thanx again

jsosic · 04-17-2006, 05:21 AM

First of all, please make sure that mailserver works when firewall is down!

Second, I still don't understand wether your mail server is running on one of your LAN computers (connected to switch), or on the NAT/DHCP router/server machine?!

Because, that are two very different things. If it's in the LAN, then you have to forward (DNAT) port 25 to it, and if it's on your router, than basic -A INPUT -p tcp --dport 25 should do it.

I see is you DNAT 555/411, allow lo&icmp, doing MASQUERADE TWICE, and allowing related,established connections in input table. You know that if you wish to accept 25, rule must be placed BEFORE your only DROP in the script?

ciberrust · 04-20-2006, 10:45 AM

Quote:

Originally Posted by jsosic

First of all, please make sure that mailserver works when firewall is down!

Second, I still don't understand wether your mail server is running on one of your LAN computers (connected to switch), or on the NAT/DHCP router/server machine?!

Because, that are two very different things. If it's in the LAN, then you have to forward (DNAT) port 25 to it, and if it's on your router, than basic -A INPUT -p tcp --dport 25 should do it.

I see is you DNAT 555/411, allow lo&icmp, doing MASQUERADE TWICE, and allowing related,established connections in input table. You know that if you wish to accept 25, rule must be placed BEFORE your only DROP in the script?

Ok yes the mail server works, whit the firewall dow.
the mail server is running on the NAT/DHCP router/server machine