LinuxQuestions.org, Linux - Networking forum
#1, 05-19-2005, 11:41 PM, jefmwols (LQ Newbie)
iptables port forwarding


I have read through the other threads pertaining to iptables and port forwarding, but I have not been able to figure out what I need to do. I also read the thread about using iptables to forward port 25 internally for sendmail purposes, but I don't know enough to be able to follow it.

Some threads say to add some code, but I don't even know which files I would add such code to.


My ISP blocks port 25 to prevent spamming. Unfortunately, enough spamming occurs from my ISP's SMTP server that mail servers such as Yahoo block it as a possible open relay. I need to use an arbitrary port to get my mail to my server and then route that port to port 25 on my server so that sendmail can send my mail.

I would like to accomplish this using iptables, but I don't know where to start.

If it is possible to make sendmail listen on a different port without recompiling it, I suppose that would be a viable alternative to my problem.

Thanks
 
#2, 05-20-2005, 04:01 AM, fr_laz (Member, Debian)
Hi,

what you're speaking of is called port redirection.
This is done like this (say you use port 1389 to get your mail to your server):
iptables -t nat -A PREROUTING -d $PUBLIC_IP -p tcp --dport 1389 -j DNAT --to-destination $PRIVATE_IP:25

which means:
In the NAT table (network address translation),
every packet going to your public IP (the one your ISP gave you) using protocol TCP and aimed at port 1389
is to be translated so that its destination IP is changed to $PRIVATE_IP and the destination port to 25.

Is this what you were after? If not, re-explain your problem.
 
#3, 05-20-2005, 10:42 AM, jefmwols (original poster)
That may be what I need, except that I do not have a NAT network. The only IPs on my server are public ones, 8 public IPs on 1 NIC. I guess that means I need to use a table other than nat.

I need to redirect this port to port 25 on the same machine.

When I type this at the command prompt, putting my IP in place of your IP variables, I get the message:
Quote:
unknown arg '--to-destination'

Any ideas?

Thanks
 
#4, 05-20-2005, 12:19 PM, fuzzyash (Member, Fedora Core 4)
To start with, the port that sendmail listens on can be changed by editing the file /etc/mail/sendmail.cf. Find the line that looks something like this:

O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

(in my file it was on line 265) & change "Port=smtp" to any port you want. For example, to use port 2020, change it to:

O DaemonPortOptions=Port=2020,Addr=127.0.0.1, Name=MTA

Even if this works, I would like to try & help you implement port forwarding because I am curious as to what is going on with your setup, and also because sendmail sucks! I would urge you to forget about sendmail & use qmail. Sendmail has many security holes, is difficult to configure, doesn't do things easily, etc. Qmail on the other hand is the most secure mail delivery system there is, it's far easier to configure, does everything you'll ever need & more, but most of all, http://www.qmailrocks.org/ will make you an expert in no time.

Anyway, back to the NAT problem...
The NAT table should suit your needs, but you need a bit more config than just 1 line.
First, we'll need some more info about your setup:

What are the 8 public IPs on your NIC for? & why haven't you got any internal, private IPs?
You call the computer you are trying to achieve this on your "server"; I take it this means that you have at least 1 other PC that you are trying to send mail from to your server & then forward that mail to whomever it is addressed to. Is this correct?
How is the PC you are trying to send mail from connected to your server?
You say, "I need to use an arbitrary port to get my mail to my server and then route that port to port 25 on my server so that sendmail can send my mail". This sounds strange. If you are connecting to your server via a LAN, then you should have no problems connecting to port 25 on your server, & if your ISP is blocking port 25 then even if you do use an arbitrary port to get your mail to your server & then route that port to port 25, you won't be able to send the mail because it will be blocked by your ISP. Perhaps you have this backwards?
You say your ISP blocks port 25; does this mean that your ISP does not give you an email account & that's why you're trying to set up your own SMTP server?

One last thing, at a command prompt, type:

/sbin/iptables -L; /sbin/iptables -t nat -L; /sbin/iptables -t mangle -L

& post the results. This is important & will help a lot. It will display your firewall config & might show up an error.
 
#5, 05-20-2005, 01:49 PM, jefmwols (original poster)
I was able to change the port that sendmail listens on. Unfortunately, this stops sendmail from listening on port 25, which causes my alias forwarding to stop working. Perhaps sendmail can listen on 2 ports simultaneously?

I would like to switch to qmail, but sendmail is tied in to my Ensim control panel, which my hosting customers use. I suppose I could leave sendmail on port 25 and add qmail just for the purpose of listening for me on some other port.

Here's the output you asked for:

Code:
[root@ensim root]# /sbin/iptables -L; /sbin/iptables -t nat -L; /sbin/iptables -t mangle -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
[root@ensim root]#


My server is a few hundred miles away, so I connect to it over the internet. I host several domains on this server, including some from which I send email. My ISP blocks port 25, forcing its customers to use the ISP's SMTP server. This is an anti-spam attempt by the ISP. Unfortunately, their SMTP server has many problems which sometimes keep me from sending mail to my customers. This is why I want to use MY SMTP server on my web server.

I suppose that my web server may not even have a NAT table since all of its IPs are public. The multiple IPs are so that I can have multiple domains with SSL certs.

Does this clear things up at all?
 
#6, 05-20-2005, 03:46 PM, eantoranz (Senior Member, Kubuntu/Debian/Knoppix)
I think I don't understand very well. Is this what you mean?

You want to be able to use your SMTP server, which is reachable through the internet, but you can't use port 25 from your client (through the internet) because the ISP will block port 25 requests to your server, yet port 25 is where your server is waiting for requests?

In that case I think you can use port forwarding. Let's suppose that your server will listen for SMTP connections on port 1000 and forward them to port 25, so that it looks like the SMTP service is at port 1000 when it's actually on port 25.

Code:
iptables -t nat -A PREROUTING -d myip -p tcp --dport 1000 -j REDIRECT --to-ports 25
Repeat that for udp.

I guess that would do.
 
#7, 05-20-2005, 04:29 PM, jefmwols (original poster)

That's perfect! Thanks so much.

Is there a way to put this into a file so that it will be in effect when I restart my machine?


What is a good way to learn about how to use all of the basic features of iptables?
 
#8, 05-20-2005, 04:58 PM, eantoranz (Senior Member)
In a Red Hat based distribution, rc.local is the place.
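The same-host REDIRECT from post #6, the DNAT variant from post #2 and the "how do I keep this across reboots" question from posts #7 and #8, worked through as one added example script (not code from any of the posters). It assumes a placeholder public address 203.0.113.10, alternate port 1000, an optional CLIENT_NET source restriction, a save file /etc/iptables.smtp-redirect and the script name smtp-redirect.sh; all of those are assumptions to replace with your own values. One caveat the thread does not spell out: REDIRECT rewrites the destination to the address of the interface the packet arrived on, so sendmail must be listening on that address (or on all addresses), not only on 127.0.0.1 as in the DaemonPortOptions line quoted in post #4.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posters):
# expose sendmail's port 25 on an alternate TCP port with netfilter,
# apply the rules without duplicating them on re-run, and persist them.
# Assumed values: PUBLIC_IP (a TEST-NET-3 placeholder), ALT_PORT,
# CLIENT_NET and RULES_FILE. apply/save/restore need root; the functions
# that only print commands are safe to run anywhere.

PUBLIC_IP=203.0.113.10                  # assumption: one of the server's public IPs
ALT_PORT=1000                           # assumption: the port the ISP does not block (post #6)
SMTP_PORT=25
CLIENT_NET=""                           # e.g. 198.51.100.0/24 to limit who may use ALT_PORT; "" = anyone
RULES_FILE=/etc/iptables.smtp-redirect  # assumption: where iptables-save output is kept

# Same-host case (post #6). REDIRECT rewrites the destination port on
# this machine. PREROUTING only sees packets arriving from the network;
# locally generated packets pass through nat OUTPUT instead, so a second
# rule there lets "telnet 127.0.0.1 1000" on the server itself reach
# sendmail for testing. The optional -s match narrows who can reach the
# extra port at all; who may *relay* is still decided by sendmail
# (access db / SMTP AUTH), not by the firewall.
redirect_rules() {
    src=""
    if [ -n "$1" ]; then src=" -s $1"; fi
    echo "iptables -t nat -A PREROUTING$src -d $PUBLIC_IP -p tcp --dport $ALT_PORT -j REDIRECT --to-ports $SMTP_PORT"
    echo "iptables -t nat -A OUTPUT -d 127.0.0.1 -p tcp --dport $ALT_PORT -j REDIRECT --to-ports $SMTP_PORT"
}

# Other-host case (post #2): the mail host is a separate machine behind
# this box. DNAT needs an explicit -j DNAT target, and the FORWARD chain
# must let the translated connection through; conntrack un-NATs the
# replies on their way back.
dnat_rules() {
    target="$1"
    echo "iptables -t nat -A PREROUTING -d $PUBLIC_IP -p tcp --dport $ALT_PORT -j DNAT --to-destination $target:$SMTP_PORT"
    echo "iptables -A FORWARD -d $target -p tcp --dport $SMTP_PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $target -p tcp --sport $SMTP_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Turn an "-A" (append) command into its "-C" (check) form so apply_rules
# can skip rules that are already loaded. iptables -C exists since 1.4.11;
# on older versions grep the iptables-save output instead.
check_form() { printf '%s\n' "$1" | sed 's/ -A / -C /'; }

# Read rule commands on stdin and run each one only if an identical rule
# is not already present. Safe to rerun from rc.local on every boot.
apply_rules() {
    while read -r cmd; do
        eval "$(check_form "$cmd")" 2>/dev/null || eval "$cmd"
    done
}

# Persistence. Re-running this script from rc.local works, but dumping
# the live tables once and reloading them early in boot is the usual way;
# on Red Hat style systems "service iptables save" does the same thing
# into /etc/sysconfig/iptables.
save_rules()    { iptables-save > "$RULES_FILE"; }
restore_rules() { iptables-restore < "$RULES_FILE"; }

case "${1:-}" in
    show)    redirect_rules "$CLIENT_NET" ;;
    apply)   redirect_rules "$CLIENT_NET" | apply_rules && save_rules ;;
    restore) restore_rules ;;
esac
```

Run `sh smtp-redirect.sh apply` once as root, then check with `iptables -t nat -L -n -v` (the -n avoids slow reverse DNS lookups) and, from the client, open a connection to port 1000 of the public address: it should answer with sendmail's 220 banner. For boot, either call `sh smtp-redirect.sh restore` from rc.local as post #8 suggests or let the distribution's iptables service load the saved file. The extra port does not change relaying rules, so set CLIENT_NET where the client address is stable and keep sendmail's relay configuration tight. If you would rather not involve the firewall at all, sendmail.cf accepts more than one `O DaemonPortOptions=` line, each one starting its own listener, which is the answer to the two-ports question raised in post #5.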
 
#9, 05-20-2005, 05:03 PM, eantoranz (Senior Member)
About learning iptables: I personally learned a lot, without breaking my head, by reading Oskar Andreasson's tutorial:
http://iptables-tutorial.frozentux.net/

And find the standard stuff at www.netfilter.org.
 
#10, 05-20-2005, 05:08 PM, jefmwols (original poster)
Thanks for your help and patience.
 
  

