iptables - port forwarding

satimis · 11-28-2006, 04:27 AM

HI sal_paradise42,

Quote:

amitsharma_26 assumes that you are using a Linux box that connects to your DSL modem and is acting as a router/Nat device, is this the case? if not, what kind of box do you have connected to your dsl modem, is it a netgear,lynksys or something like that?

No. My server is directly connected to the ADSL modem with a CAT5 cable. The modem was supplied by ISP. I suppose the device is soley an ADSL modem without any setup. The other end of the modem is connected to a telephone wall socket with a telephone line.

I think the most important thing is to find out whether the problem on sending mails coming from the firewall or from port 25 blocked by ISP and then to fix the cause found.

On http://www.grc.com/default.htm
ShieldsUP!

Scanning found port 25 not blocked by ISP. Neither it is stealth.

However on making further test the result was on the contrary.

Further test:- (iptables stopped)

$ sudo telnet mail.netvigator.com 25

Code:

Trying 218.102.23.141...
Connected to mail.netvigator.com.
Escape character is '^]'.
220 ymail02dat.netvigator.com ESMTP server (InterMail vM.6.01.03.02 201-2131-111-104-20040324) ready Tue, 28 Nov 2006 08:00:40 +0800
421 ymail02dat.netvigator.com Lost connection to [219.79.145.108]
Connection closed by foreign host.

$ sudo telnet mail.netvigator.com 26

Code:

Trying 218.102.48.214...
(only hanging here)

$ cat /var/log/mail.info

Code:

....
Nov 28 07:30:10 ubuntu postfix/qmgr[5541]: 3D985754040: from=<root@server1.example.com>, size=559, nrcpt=1 (queue active)
Nov 28 07:30:40 ubuntu postfix/smtp[5954]: connect to server1.example.com[208.67.219.40]: Connection timed out (port 25)
Nov 28 07:30:40 ubuntu postfix/smtp[5954]: 3D985754040: to=<root@server1.example.com>, orig_to=<root>, relay=none, delay=30, status=deferred (connect to server1.example.com[208.67.219.40]: Connection timed out)
Nov 28 07:35:25 ubuntu postfix/qmgr[5541]: D50EC754060: to=<satimis@yahoo.com>, relay=none, delay=128321, status=deferred (delivery temporarily suspended: connect to h.mx.mail.yahoo.com[66.196.97.250]: Connection timed out)

$ cat /var/log/mail.log

Code:

....
Nov 28 07:30:10 ubuntu postfix/cleanup[5953]: 3D985754040: message-id=<20061127233010.3D985754040@server1.example.com>
Nov 28 07:30:10 ubuntu postfix/qmgr[5541]: 3D985754040: from=<root@server1.example.com>, size=559, nrcpt=1 (queue active)
Nov 28 07:30:40 ubuntu postfix/smtp[5954]: connect to server1.example.com[208.67.219.40]: Connection timed out (port 25)
Nov 28 07:30:40 ubuntu postfix/smtp[5954]: 3D985754040: to=<root@server1.example.com>, orig_to=<root>, relay=none, delay=30, status=deferred (connect to server1.example.com[208.67.219.40]: Connection timed out)
Nov 28 07:35:25 ubuntu postfix/qmgr[5541]: D50EC754060: to=<satimis@yahoo.com>, relay=none, delay=128321, status=deferred (delivery temporarily suspended: connect to h.mx.mail.yahoo.com[66.196.97.250]: Connection timed out)
Nov 28 07:58:12 ubuntu postfix/qmgr[5541]: 3D985754040: from=<root@server1.example.com>, size=559, nrcpt=1 (queue active)
Nov 28 07:58:43 ubuntu postfix/smtp[6052]: connect to server1.example.com[208.67.219.40]: Connection timed out (port 25)
Nov 28 07:58:43 ubuntu postfix/smtp[6052]: 3D985754040: to=<root@server1.example.com>, orig_to=<root>, relay=none, delay=1713, status=deferred (connect to server1.example.com[208.67.219.40]: Connection timed out)

mail.err and mail.warn are empty files. netvigator.com is ISP

It seems port 25 blocked by ISP.

Comment would be appreciated. TIA

B.R.
satimis

amitsharma_26 · 11-28-2006, 07:31 AM

Quote:

Originally Posted by satimis

Hi amitsharma_26,

Code:

iptables -t nat -A PREROUTING -p tcp -i <eth-wan-interface> --dport 25 -j DNAT --to <serverip--to-forward>

Also set your server(to whom which are forwarding our port 25) to have gateway as firewall box.[/CODE]

I'm suspecting my ISP blocking port 25. Because I sent email from it via ISP broadband to its final destination, webmail box on Yahoo.

Shall I replace;
<eth-wan-interface>
<serverip--to-forward>

with something? Or just run the command line exactly written by you on above. Tks.

B.R.
satimis

Yea you got to replace <eth-wan-interface> with eth0 or eth1 (whosoever is connected to wan link) & <serverip-to-forward> with the LAN ip of your server (to whom we are forwarding port 25 packets).

After doing the needfull subsitutions you got run that script(iptables command) & then check.

satimis · 11-28-2006, 07:51 AM

Hi amitsharma_26,

Tks for your advice.

Quote:

Yea you got to replace <eth-wan-interface> with eth0 or eth1

In my case, eth0

Quote:

<serverip-to-forward> with the LAN ip of your server (to whom we are forwarding port 25 packets).

The server is running dynamic IP which is changed on connection

I suppose:-

Code:

ppp0      Link encap:Point-to-Point Protocol
          inet addr:218.250.XX.XX

"218.250.XX.XX" will be the LAN ip in my case? Tks.

Others noted with tks.

B.R.
satimis

nuxrl · 11-28-2006, 08:31 AM

Quote:

$ sudo telnet mail.netvigator.com 25

Sorry, I don't understand why you did this. Is netvigator.com your domain?

satimis · 11-29-2006, 03:41 AM

Hi nuxrl,

Quote:

I don't understand why you did this. Is netvigator.com your domain?

netvigator.com is ISP

Tks.

B.R.
satimis

nuxrl · 11-29-2006, 06:31 AM

Quote:

Originally Posted by satimis

netvigator.com is ISP
s

So,

Code:

telnet netvigator.com 25

doesn't mean anything.

Of course your ISP won't block port 25 on their own domain. Otherwise, how could they provide email service for their subscribers?

Here's how your mail server works in this case.

1. you subscribe to your ISP and lease an IP (let's say it's ip1)
2. you register your own domain or map your IP to a dynamic domain, let's say it's example.com
3. your smtp server listens on ip1, port 25
4. somebody wants to send an email to you, let's say you have satimis@example.com as your email address
5. his mail client resolves dns name example.com is mapped to ip1, then, connection to ip1, port 25 is attempted.
6. if your ISP dones't block incoming traffic on port 25, ip1, he reaches your smtp server and everything is OK. Otherwise, the connection attempt will be timed out eventually.

satimis · 11-29-2006, 09:41 AM

nuxrl,

Tks for your advice.

I failed to ping satimis.homelinux.com

$ sudo ping -c 3 satimis.homelinux.com

Code:

Password:
PING satimis.homelinux.com (58.152.161.53) 56(84) bytes of data.

--- satimis.homelinux.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2012ms

I think the major problem coming from BIND and DNS files not properly configured. Postfix can't send email because BIND can't resolve the IP address. Default page of Apache2 and Webmin failed to start on browser. Previously they can. I'm now searching documents on the overall configuration of BIND and DNS.

Tks.

B.R.
satimis

satimis · 12-04-2006, 09:44 AM

Hi folks,

"satimis.homelinux.com" may have problem.

On browser running "satimis.homelinux.com"/"www.satimis.homelinux.com" can't display the homepage.

I have registered another free domain "satimis.freeddns.com"

$ sudo ping -c 3 satimis.freeddns.com

Code:

Password:
PING satimis.freeddns.com (220.246.238.244) 56(84) bytes of data.
64 bytes from n220246238244.netvigator.com (220.246.238.244): icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from n220246238244.netvigator.com (220.246.238.244): icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from n220246238244.netvigator.com (220.246.238.244): icmp_seq=3 ttl=64 time=0.034 ms

--- satimis.freeddns.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2015ms
rtt min/avg/max/mdev = 0.033/0.033/0.034/0.004 ms

On browser running "satimis.freeddns.com" displayed the homepage.

Please advise what other tests I have to continue? TIA

B.R.
satimis