LinuxQuestions.org
Old 09-06-2005, 09:17 AM   #1
zamri
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Mandrake,Slackware,RedHat
Posts: 157

Rep: Reputation: 30
opening ports pop3, imap and https


Hi all,

I have set up a proxy server using squid. All the clients on my LAN connect to the internet through this proxy. I can access websites (via port 80) but not the IMAP and SMTP server. My Outlook client can't connect to them. I have looked through these forums for answers but to no avail. I have followed advice from this forum and others, but my iptables script is not working.
Code:
iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 143 -j SNAT --to xxx.xxx.xxx.xxx
iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is my external IP for proxy server.

For the INPUT, OUTPUT and FORWARD chains, the default policy is ACCEPT. Anyone, please?
 
Old 09-06-2005, 09:42 AM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
I think you need to use --to-source rather than --to for SNAT.
 
Old 09-06-2005, 09:50 AM   #3
zamri
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Mandrake,Slackware,RedHat
Posts: 157

Original Poster
Rep: Reputation: 30
Well, it is the short form for --to-source.

http://www.netfilter.org/documentati...T-HOWTO-6.html
 
Old 09-06-2005, 10:00 AM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128Reputation: 128
And you want the packets to appear as if they came from the proxy?
 
Old 09-06-2005, 10:12 AM   #5
zamri
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Mandrake,Slackware,RedHat
Posts: 157

Original Poster
Rep: Reputation: 30
Yes, that's right. I just want the client to be able to connect to the IMAP and SMTP ports of my outside servers.
 
Old 09-06-2005, 10:18 AM   #6
sin
LQ Newbie
 
Registered: Jun 2005
Location: UK
Distribution: Slackware
Posts: 28

Rep: Reputation: 15
This is the script I use; you will need to modify the eth adapters and subnet to get it working on your system.

--

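#!/bin/bash

ETH_INT=eth0              # LAN-facing interface
ETH_EXT=eth1              # internet-facing interface
INTSUBNET=192.168.1.0/24  # LAN subnet allowed to reach this box

# external IPv4 address, parsed from ifconfig's "inet addr:a.b.c.d" line
EXTERN_IP=$(ifconfig $ETH_EXT | grep 'inet addr' | cut -d : -f 2 | cut -d ' ' -f 1)

# enable NAT sharing

modprobe ipt_MASQUERADE

# start from empty filter, nat and mangle tables
iptables -F
iptables -t nat -F
iptables -t mangle -F
# rewrite the source of everything leaving $ETH_EXT to the external address
iptables -t nat -A POSTROUTING -o $ETH_EXT -j SNAT --to $EXTERN_IP

# enable ip forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward


# unlock lo
iptables -A INPUT -i lo --src localhost -j ACCEPT


# accept replies to existing connections and new connections from the LAN
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW --src $INTSUBNET -j ACCEPT


# everything else addressed to this box is dropped
iptables -P INPUT DROP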

--

You may also want to consider adding this if you're using Windows clients internally:

--

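# Windows RPC/NetBIOS/SMB ports
MS_TCP="135","139","445","593"
MS_UDP="135","137","138","445"

# OUTPUT and INPUT match traffic sent by and addressed to this box itself;
# packets routed for LAN clients traverse the FORWARD chain instead.
# $ETH_EXT is the external interface defined in the script above.
iptables -A OUTPUT -o $ETH_EXT -p tcp -m multiport --dports $MS_TCP -j DROP
iptables -A OUTPUT -o $ETH_EXT -p udp -m multiport --dports $MS_UDP -j DROP

iptables -A INPUT -i $ETH_EXT -p tcp -m multiport --dports $MS_TCP -j DROP
iptables -A INPUT -i $ETH_EXT -p udp -m multiport --dports $MS_UDP -j DROP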

--

Helps stop them adding to the background noise on the inet :P


Hope it helps.
 
Old 09-06-2005, 11:08 AM   #7
zamri
Member
 
Registered: May 2004
Location: Malaysia
Distribution: Mandrake,Slackware,RedHat
Posts: 157

Original Poster
Rep: Reputation: 30
Thanks. It is working. I just forgot to check the ip_forward. It was 0. After I set it to 1, it worked!
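
Added example (not part of the thread or of any poster's script): a small check that walks the conditions discussed above in the order the kernel applies them, so a disabled ip_forward is reported before anyone debugs SNAT syntax. The function name `diagnose`, the finding labels and the embedded `iptables-save` sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. diagnose() is a hypothetical helper; SAMPLE_RULES is constructed
# iptables-save output (203.0.113.10 is a documentation address).
# On a live gateway:
#   diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" "$(iptables-save)" eth2 143

SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth2 -p tcp -m tcp --dport 143 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -o eth2 -p tcp -m tcp --dport 25 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# diagnose IP_FORWARD RULES EXT_IF PORT -> prints "ok" or a list of findings
diagnose() {
    fwd=$1; rules=$2; ext_if=$3; port=$4
    findings=""

    # 1. Without ip_forward=1 the kernel never routes LAN packets outward,
    #    so no NAT rule is ever reached.
    [ "$fwd" = "1" ] || findings="${findings}ip_forward=0;"

    # 2. Coarse check: FORWARD policy DROP with no ACCEPT rule at all.
    if printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' &&
       ! printf '%s\n' "$rules" | grep -q '^-A FORWARD .*-j ACCEPT'; then
        findings="${findings}forward-policy-drop;"
    fi

    # 3. Source NAT on the external interface must cover the port: either a
    #    rule with no --dport (all traffic) or one naming this port.
    #    (multiport rules are not parsed by this sketch.)
    nat=$(printf '%s\n' "$rules" |
          grep -E "^-A POSTROUTING .*-o $ext_if .*-j (SNAT|MASQUERADE)" || true)
    if [ -z "$nat" ]; then
        findings="${findings}no-snat;"
    elif ! printf '%s\n' "$nat" | grep -qv -e '--dport' &&
         ! printf '%s\n' "$nat" | grep -Eq -e "--dport $port( |\$)"; then
        findings="${findings}snat-skips-port;"
    fi

    printf '%s\n' "${findings:-ok}"
}

# The thread's situation: per-port SNAT rules present, forwarding switched off.
diagnose 0 "$SAMPLE_RULES" eth2 143
```

With the sample rules, asking about port 110 (POP3, named in the thread title) reports `snat-skips-port;` because only 143 and 25 have SNAT rules.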
 
  



All times are GMT -5. The time now is 11:10 PM.
