A few days ago I created a topic, https://www.linuxquestions.org/quest...ns-4175717560/, which you can review if you want the whole background. I am creating a new topic as I think the issue is related to POSTROUTING etc. and nothing to do with ESTABLISHED/RELATED packets timing out.
I think that I am not understanding how PREROUTING, POSTROUTING and FORWARD rules work for my intended use, which is an internal mail server behind a Linux firewall.
Here is what I have set up:
Code:
#!/bin/bash
# Mail Server Firewall
#
# The real addresses are elided in the post; set them here before running.
# Quoting them keeps the iptables commands syntactically valid until they are.
EXTERNAL_IP="<Internet IP Address>"                 # public address on eth0
MAILSERVER_IP="<Internal Mail Server IP Address>"   # mail server on the eth1 LAN

# Flush first: without this, every re-run appends a second copy of every rule.
iptables -F
iptables -t nat -F
iptables -X
ip6tables -F
ip6tables -X

# Policy Rules
# Ipv4 traffic
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Ipv6 traffic (no ip6tables ACCEPT rules follow, so all IPv6 is dropped)
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Established and Related Rules
# Packets conntrack can tie to a known connection are accepted here, before
# anything else; whatever reaches the later rules is NEW or INVALID.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop Invalid, Malformed and Port Scan Traffic
# Invalid Packets (dropped here, so they never reach the LOGGING chain)
iptables -A INPUT -p ALL -m state --state INVALID -j DROP
iptables -A OUTPUT -p ALL -m state --state INVALID -j DROP
iptables -A FORWARD -p ALL -m state --state INVALID -j DROP
# Packets in state NEW that are not SYN (INPUT only; FORWARD has no equivalent,
# so a non-SYN NEW packet crossing the firewall continues down that chain)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Port Scans by Flag
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# NAT Rules (Prerouting, Postrouting and Output Chains)
# Allows Internal Lan Traffic to be Routed to Internet
# Evaluated after the routing decision, only for packets leaving on eth0.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "$EXTERNAL_IP"

# Filter Rules (Input, Output and Forward Chains)
# Mail Server Services
# TCP Port 25 Mail Server to Mail Server
# DNAT is evaluated before the routing decision; the FORWARD rule then sees
# the packet with the mail server's address as its destination.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination "$MAILSERVER_IP"
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
# TCP Port 443 Internet Access from Internal Lan and Mdaemon Webmail
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination "$MAILSERVER_IP"
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT
# ... and so on for ports 465, 993, 587 - rules as above.

# Logging
# Log IPv4 Dropped Traffic: anything that reaches the end of a chain without
# matching an ACCEPT or DROP above is logged (rate-limited) and then dropped.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A FORWARD -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
eth0 is the Internet IP address of the firewall.
eth1 is the internal LAN IP address of the firewall.
Postrouting eth0 or eth1?
Some Internet posts showing examples of POSTROUTING have eth0 (Internet IP address) for POSTROUTING (as in my example). Other websites seem to have POSTROUTING -o eth1 (internal IP address). I can't see any reason why some websites have the external IP address for POSTROUTING and others have the internal IP address for POSTROUTING, as otherwise the code and purpose seem to be identical. Which is correct?
Order of Prerouting, Postrouting and Forwarding Rules
Another thing that I have picked up is the order of my rules. I have POSTROUTING, then PREROUTING, then FORWARD. I don't know if it makes any difference, as my understanding is that the PREROUTING and FORWARD rules allow port 25/443 traffic from the Internet and redirect it to the mail server. Then the POSTROUTING rule only comes into effect when the mail server wants to send a reply back to the original requester, and makes it appear as if the source IP is the external Internet-facing IP address. So I don't think the order matters too much, as the PREROUTING/FORWARD rules are for incoming traffic and the POSTROUTING rule is for outgoing reply traffic?
The problem that I am experiencing
Nearly everything is working (with no errors) with the current firewall rule design. People can log on to the webmail, Outlook IMAP and SMTP work, and our mail server is sending emails to other mail servers and receiving emails from other mail servers. Apart from attempted hacks, logins and port scans, which every Internet-facing server experiences, I have zero legitimate dropped connections in the log file for ports 25, 465, 587 and so on. I am, however, seeing a fair number of dropped connections for source port 443 going from the mail server back to ActiveSync clients with the flags ACK, PSH.
In my other topic I was working on the assumption that the problem was an expired connection or timeout problem between the mail server and ActiveSync clients. But if this were the case, then my rule to drop INVALID packets should in theory have dropped these connections and not logged them in the firewall log file. Explicit drop rules in the firewall are not logged in the log file.
So it would seem that the packets are part of an ESTABLISHED/RELATED connection that is still open! As I have an allow-all ESTABLISHED/RELATED rule at the top of my firewall rules, in theory this should allow the packet through. But it's not. I think the reason may be something to do with my POSTROUTING, NAT, FORWARD etc. rules. The exact error is this:
Quote:
Oct 10 17:40:12 Darkstar kernel: IPTables-Dropped: IN=eth1 OUT=eth0 SRC=(Mail Server Internal IP Address) DST=(End Client IP Address) LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=49917 DF PROTO=TCP SPT=443 DPT=58532 WINDOW=256 RES=0x00 ACK PSH URGP=0
Bear in mind that the problem may have nothing to do with POSTROUTING, because everything else like ports 25, 587 etc. all works without any errors. So I don't really know if I am on the right track here.
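The two questions in the post, eth0 or eth1 for POSTROUTING and whether the order of the NAT and FORWARD rules matters, are both settled by the packet path through netfilter: nat PREROUTING is evaluated before the routing decision, filter FORWARD after it, and nat POSTROUTING last, just before the packet leaves. Each chain is walked top to bottom in the order its own rules were appended, and chains in different tables do not see each other, so the order in which a script touches PREROUTING, FORWARD and POSTROUTING is irrelevant; only the order within one chain counts. `POSTROUTING -o eth0` matches packets whose output interface is the Internet side, which is the LAN-to-Internet source NAT this setup needs. Examples with `-o eth1` are doing a different job: they rewrite the source of packets heading into the LAN so the internal server sees the firewall as the client (hairpin NAT, or a server whose default route is not the firewall). Replies to the DNATed mail connections need no POSTROUTING rule at all, because conntrack reverses the DNAT for the return direction by itself. The following is the same firewall written as an iptables-restore ruleset with every FORWARD rule bound to its interfaces; it is an added example, not the poster's script, and the two addresses and the port list are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's script: the same firewall as an
# iptables-restore ruleset.  Assumed names: eth0 faces the Internet, eth1 the
# LAN; both addresses are hypothetical documentation-range values.
EXTERNAL_IP="${EXTERNAL_IP:-203.0.113.10}"
MAILSERVER_IP="${MAILSERVER_IP:-192.168.10.25}"
MAIL_PORTS="25,443,465,587,993"

print_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Inbound on the public interface: rewrite the destination BEFORE routing,
# so the routing decision already sends the packet out of eth1.
-A PREROUTING -i eth0 -p tcp -m multiport --dports ${MAIL_PORTS} -j DNAT --to-destination ${MAILSERVER_IP}
# LAN traffic leaving towards the Internet: rewrite the source AFTER routing.
# -o eth0 is the OUTPUT interface, hence the Internet-facing name here.
# Replies to the DNATed mail connections need no rule: conntrack reverses
# the translation on its own.
-A POSTROUTING -o eth0 -j SNAT --to-source ${EXTERNAL_IP}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# A TCP packet that is NEW but carries no SYN has no conntrack entry behind
# it.  Drop it silently in FORWARD as well as INPUT; otherwise it reaches
# the LOGGING chain with IN= and OUT= both set.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# New connections, bound to direction and (for inbound) destination.
-A FORWARD -i eth0 -o eth1 -p tcp -d ${MAILSERVER_IP} -m multiport --dports ${MAIL_PORTS} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -j LOGGING
-A FORWARD -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-A LOGGING -j DROP
COMMIT
EOF
}

# ./fw.sh        prints the ruleset
# ./fw.sh test   parses it with iptables-restore without loading it
# ./fw.sh apply  loads it atomically (needs root)
case "${1:-}" in
    apply) print_ruleset | iptables-restore ;;
    test)  print_ruleset | iptables-restore --test ;;
    *)     print_ruleset ;;
esac
```

Loading through iptables-restore replaces the whole ruleset in one step, so a re-run cannot leave duplicate rules behind, and `iptables-restore --test` catches syntax errors without touching the running firewall. The `-d ${MAILSERVER_IP}` on the inbound FORWARD rule matters: after DNAT that is the destination the filter table sees, and it stops the same rule from also passing traffic to any other LAN host on those ports.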
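Reading the quoted log line: a kernel log entry with both `IN=` and `OUT=` filled in was emitted from the FORWARD chain (INPUT entries have an empty `OUT=`, OUTPUT entries an empty `IN=`), so the packet is a mail-server-to-client reply that reached the end of FORWARD without matching the ESTABLISHED,RELATED rule. That can only happen if conntrack had no entry for the connection. A non-SYN TCP packet with no entry is classified NEW, not INVALID, under the default `nf_conntrack_tcp_loose=1` (it is INVALID only when that sysctl is 0), the FORWARD rules in the posted script accept only by `--dport`, which for a reply is the client's ephemeral port (58532 here), and the `! --syn` NEW drop exists only on INPUT, so the packet falls through to LOGGING. The helper below, an added example rather than anything from the thread, pulls those fields out of `IPTables-Dropped:` lines and labels each one by chain and by whether it was a connection attempt or a mid-stream packet; the two sample lines are constructed, the first being the poster's line with its elided addresses replaced by documentation-range values.

```shell
#!/bin/sh
# Added example, not from the original post: classify "IPTables-Dropped:"
# kernel log lines.  IN= and OUT= together identify the chain; the bare flag
# tokens say whether conntrack could have had an entry for the packet.

# Constructed samples.  SAMPLE_REPLY is the poster's line with the elided
# addresses replaced by documentation-range values (assumed, not real).
SAMPLE_REPLY='Oct 10 17:40:12 Darkstar kernel: IPTables-Dropped: IN=eth1 OUT=eth0 SRC=192.168.10.25 DST=198.51.100.77 LEN=71 TOS=0x00 PREC=0x00 TTL=127 ID=49917 DF PROTO=TCP SPT=443 DPT=58532 WINDOW=256 RES=0x00 ACK PSH URGP=0'
SAMPLE_SCAN='Oct 10 17:41:03 Darkstar kernel: IPTables-Dropped: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=44 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=41512 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0'

# Prints: CHAIN in->out PROTO spt->dpt flags=F,F kind=KIND
#   kind=new-syn     first packet of a connection; needs a NEW ACCEPT rule
#   kind=mid-stream  no SYN, so conntrack had no entry: not ESTABLISHED, and
#                    with nf_conntrack_tcp_loose=1 it is NEW rather than
#                    INVALID, so it was not caught by the INVALID drop either
#   kind=non-tcp     UDP/ICMP/other; the TCP flag logic does not apply
classify_drop() {
    in_if='' out_if='' proto='' spt='' dpt='' flags=''
    for tok in $1; do
        case "$tok" in
            IN=*)    in_if=${tok#IN=} ;;
            OUT=*)   out_if=${tok#OUT=} ;;
            PROTO=*) proto=${tok#PROTO=} ;;
            SPT=*)   spt=${tok#SPT=} ;;
            DPT=*)   dpt=${tok#DPT=} ;;
            SYN|ACK|FIN|RST|PSH|URG|ECE|CWR)
                     flags="${flags}${flags:+,}${tok}" ;;
        esac
    done
    # Both interfaces set means the packet was being forwarded; only IN=
    # means it was addressed to the firewall itself; only OUT= means the
    # firewall generated it.
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then chain=FORWARD
    elif [ -n "$in_if" ]; then chain=INPUT
    else chain=OUTPUT
    fi
    kind=non-tcp
    if [ "$proto" = TCP ]; then
        case ",$flags," in
            *,SYN,*) kind=new-syn ;;
            *)       kind=mid-stream ;;
        esac
    fi
    printf '%s %s->%s %s %s->%s flags=%s kind=%s\n' \
        "$chain" "${in_if:--}" "${out_if:--}" "$proto" "$spt" "$dpt" \
        "${flags:--}" "$kind"
}

# Usage: pipe the kernel log through it, e.g.
#   grep IPTables-Dropped /var/log/kern.log | while read -r l; do classify_drop "$l"; done
for line in "$SAMPLE_REPLY" "$SAMPLE_SCAN"; do
    classify_drop "$line"
done
```

A `kind=mid-stream` line in FORWARD with `SPT=443` from the mail server is the signature of a TCP session the server still considers open but for which the firewall's conntrack table has no entry. To confirm on the firewall while a client is connected, list the live entries with conntrack-tools, `conntrack -L -p tcp --dport 443`, and check whether the client's address and ephemeral port are present; if they are absent while the server is still sending, the entry was lost (a firewall reboot or a conntrack flush removes all of them, while the ruleset itself does not), and the long-lived ActiveSync connections are the ones most likely to outlive it.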