LinuxQuestions.org > Linux - Server
Iptables forwarding to M$ Exchange 2010 (https://www.linuxquestions.org/questions/linux-server-73/iptables-forwording-to-m%24-exchange-2010-a-877577/)

yon4h 04-28-2011 05:29 AM

Iptables forwarding to M$ Exchange 2010
 
Hi all,

I have to configure an iptables firewall to protect a Microsoft Exchange 2010 server.
I saw in THIS LINK that Exchange needs to have a lot of dynamic RPC ports opened for TCP-IN.

Which configuration do I have to add to the following:


# Path to the iptables binary (the script as posted never defined $IPT)
IPT=/sbin/iptables

# Replies to connections that were already accepted, in either direction.
# Without this rule the return traffic of Exchange's own outbound connections
# hits the DROP at the end.
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accepting everything from Exchange to the Internet
$IPT -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Accepting those ports from the Internet to Exchange (-o eth1 so the rule
# cannot match traffic leaving through any other interface)
$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 465 -j ACCEPT ## SMTPS (SMTP over SSL)
$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 993 -j ACCEPT ## IMAPS
$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 585 -j ACCEPT ## IMAP4-SSL (legacy port)
$IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 995 -j ACCEPT ## POP3S
# $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -j ACCEPT ## HTTP
# $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT ## HTTPS
# $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 25 -j ACCEPT ## SMTP
# $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 143 -j ACCEPT ## IMAP
# $IPT -A FORWARD -i eth0 -o eth1 -p tcp --dport 110 -j ACCEPT ## POP3

# Everything else is dropped
$IPT -A FORWARD -j DROP


Thanks a lot for your answers!

stress_junkie 04-29-2011 04:57 PM

I recently put a firewall in between the Internet and an MS Exchange Server. The only port that I forwarded from the Internet to Exchange was port 25. It works fine.

yon4h 05-02-2011 10:23 AM

The problem is that my company will use all the functionality of Exchange: sending and receiving mail, synchronizing with Outlook, synchronizing the calendar, contacts, etc.

Microsoft's page on the Exchange ports to be opened says that there are a lot of dynamic ports which have to be opened, and some static ports.


http://technet.microsoft.com/en-us/l.../bb331973.aspx


Right now, I don't know how to adapt my iptables script.

Thanks a lot for your answers

spidernik84 05-03-2011 03:16 AM

I would rather go for a VPN, then. Fewer attack vectors, less tinkering involved.
The user sets up his/her VPN, connects and then opens Outlook/OWA or whatever without the hassle of opening a zillion ports.
Have you got this option?

yon4h 05-03-2011 10:33 AM

I can't set up a VPN in that case because some of the final customers have an iPhone, and in my case a VPN is only possible with OpenVPN.

Still searching for iptables_exchange.conf

Thanks for your answers

volga629 05-05-2011 06:37 AM

Here is an example.
If you have a box with iptables:
eth0 ---> outside interface
eth2 ---> inside interface
You can use a port-forwarding example like this to open a port.
Don't forget the OUTPUT and PREROUTING chain lines at the top of the iptables file.

Quote:

# iptables-restore format. Example addresses: 203.0.113.10 = WAN outside address, 192.168.10.25 = inside Exchange host.
*nat
:PREROUTING ACCEPT [244:18777]
-A PREROUTING -p tcp -i eth0 -d 203.0.113.10 --dport 25 -j DNAT --to-destination 192.168.10.25:25
COMMIT
*filter
:TCP_INPUT - [0:0]
# user-defined chain for the firewall's own INPUT; jump to it from INPUT
-A TCP_INPUT -d 203.0.113.10 -p tcp --dport 25 -j ACCEPT
# forward only the DNATed flow to the inside host
-A FORWARD -p tcp -i eth0 -o eth2 -d 192.168.10.25 --dport 25 -j ACCEPT
-A OUTPUT -o eth2 -d 192.168.10.25 -p tcp --dport 25 -j ACCEPT
COMMIT
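The DNAT approach volga629 sketches, combined with the stateful rules the first post's script is missing, as an added example that is not code from anyone in the thread. It keeps the interface names of the original question (eth0 = Internet, eth1 = inside); the addresses 203.0.113.10 and 192.168.10.25, the port list and the variable and function names are example values chosen here. It assumes that Internet clients reach Exchange through the HTTPS-based methods (Outlook Anywhere, ActiveSync, OWA) plus SMTP, so the dynamic RPC range from the TechNet article stays on the inside network and is not forwarded at all:

```shell
#!/bin/sh
# Added example, not code from the thread. Stateful iptables rules that DNAT the
# static Exchange ports from the firewall's WAN address to the inside Exchange
# 2010 host and forward nothing else. Interfaces follow the first post
# (eth0 = Internet, eth1 = inside); addresses are example values.
# Assumption: Internet clients use Outlook Anywhere, ActiveSync and OWA over
# 443 plus SMTP on 25, so the dynamic RPC range from the TechNet article stays
# on the inside network and is never forwarded.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WAN_IP=${WAN_IP:-203.0.113.10}      # firewall's public address (example)
EXCH_IP=${EXCH_IP:-192.168.10.25}   # Exchange server on the inside (example)

# TCP ports reachable from the Internet. Add 993/995 only if clients really
# use IMAPS/POP3S; never add the dynamic RPC range here.
INET_PORTS=${INET_PORTS:-"25 443"}

# IPT is the iptables binary. Set IPT="echo iptables" to print the rules
# instead of applying them (a dry run needs no root).
IPT=${IPT:-iptables}

exchange_rules() {
    # Default-deny for forwarded traffic.
    $IPT -P FORWARD DROP

    # 1. Replies to connections already accepted in either direction. Without
    #    this rule Exchange's outbound connections get no return packets.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. Exchange may initiate anything towards the Internet (as in the thread).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT

    for port in $INET_PORTS; do
        # 3a. Rewrite the destination from the WAN address to the Exchange host.
        $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport "$port" \
            -j DNAT --to-destination "$EXCH_IP:$port"
        # 3b. Forward only that DNATed flow. Matching -o and the inside address
        #     keeps the rule from reaching any other inside host.
        $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$EXCH_IP" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # 4. Log (rate-limited) and drop whatever is left.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP "
    $IPT -A FORWARD -j DROP
}

# Number of inbound FORWARD accepts generated: a sanity check that only the
# intended ports are exposed (one rule per entry in INET_PORTS).
inbound_rule_count() {
    ( IPT="echo iptables"; exchange_rules ) | grep -c -- "-A FORWARD -i $WAN_IF"
}

if [ "${1:-}" = "--apply" ]; then
    exchange_rules
fi
```

Run it with --apply as root on the firewall; without --apply, source it and call exchange_rules with IPT="echo iptables" to review the generated rules first. The ESTABLISHED,RELATED rule is what the script in the first post lacks: with a final DROP and no state match, Exchange's own outbound connections never receive their replies.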


