
steve_babbage 11-18-2003 07:39 PM

simple rules iptables ftp and pop/smtp
Hi all,

I am sure this is a simple one for you guys out there, but I'm a bit new to this stuff and need some help.

I have a permanent IP address via ADSL, and I have a small firewall just doing basic NAT and port blocking, so only 'normal' ports are allowed through, and stuff from my windoze boxes does not get out...

Anyway, I have a redhat 9 box with just an ftp server and sendmail running so people can send mail to me from the outside, and I can check it from within my LAN.

Is there a way I can set a simple rule set using iptables on the redhat box running ftp and sendmail, to allow just FTP to and from it, and email to and from my box?

I.e. I want to upload and download FTP files to the redhat box, and allow people to send me mail to land on the same said box, then me to reply to it.

I know I go on a bit, but let me know if you need more detail.



Capt_Caveman 11-18-2003 10:40 PM

I'm not clear on whether the mail/FTP server is on the LAN or if you're setting it up on the firewall box. I'm guessing that it's on an internal LAN machine. So here are a pair of rules for iptables that will forward packets to an internal mailserver:

iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination yyy.yyy.yyy.yyy

iptables -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

To get FTP working just change the port numbers to that of the FTP ports. You'll also probably need to SNAT or MASQUERADE the internal box to let it communicate out. Since you said that your external ip (adsl) is static, use SNAT.

iptables -t nat -A POSTROUTING -s yyy.yyy.yyy.yyy -o eth0 -j SNAT --to-source xxx.xxx.xxx.xxx

Here are all the "variables" to help you decode the above rules:
xxx.xxx.xxx.xxx = external adsl interface ip
yyy.yyy.yyy.yyy = internal mail server ip
eth0 = external NIC (adsl interface)
eth1 = internal NIC connecting to LAN

Just a note to give you a heads up. You managed to pick 2 of the hardest protocols to do NAT with. Both Sendmail and FTP do not like NATing very well. Make sure that you're loading the ip_conntrack_ftp module, so that iptables will follow the handoff between control and data FTP channels. For Sendmail, you'll need to use the MASQUERADE_AS feature that's in the file. Post back when you get the packet forwarding setup. There are a lot of tricks you need to do in order to get Sendmail to work like that.

steve_babbage 11-19-2003 07:24 AM

Thanks for the help. Sorry, I was not very clear in my description.

You are correct, my ftp server (WuFTP) and mail server (sendmail) are running on the same box on my internal LAN. This is my redhat box.

My default route to the nasty old internet is via a small firewall/router, that is connected to my ADSL modem. This little box also does the NATing and port forwarding to the required internal machine.

Therefore the only stuff that should be coming into my LAN (hopefully) is what the little router/firewall/NATing box is letting in.

Once past that, I want to run iptables on my ftp/mailserver box just to add some more lockdown should my little router/firewall get forced.

Does that sort of help more?
Will the rules you have provided be the ones I enter to my iptables rule set on my mail/ftp box?


Capt_Caveman 11-19-2003 08:24 AM

Actually no, I thought you were interested in rules for your firewall/gateway machine that would forward packets to the internal mailserver. So your firewall already does forwarding of mail and FTP packets and you're just looking for rules for the internal mailserver that would open it up to accept the mail and FTP connections? To do that, you'd want something like this:

iptables -I INPUT -p tcp --dport 25 -j ACCEPT
iptables -I INPUT -p udp --dport 25 -j ACCEPT

Again you'd just substitute the port numbers for the FTP protocol to get that working. Enter the rules from the command line as root and the -I option will cause iptables to insert it at the top of the INPUT chain. Once you've added rules and are happy that they work, run the following command to make them persistent across reboots:

iptables-save > /etc/sysconfig/iptables

Once you've done all that, FTP should work as long as you have it configured and running normally. Getting sendmail to work will be a little more difficult, but we can walk you through that.

As for the rest of your firewall on the mailserver, you really don't need it to be that complex. Because all the traffic that hits that box from the internet will have already been filtered by the Firewall/NAT box, you don't have to worry as much about people abusing it. If you feel like getting fancy, you can set up rate limiting to keep people from pounding on the FTP/mail services.

One thing you might want to consider is writing a custom firewall script. Most of the default firewalls I've seen are pretty craptacular. It would give you a lot more control over your box and it's a pretty educational exercise as well. If you're interested, there are some good tutorials at the netfilter site.
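Here is an added example of the kind of custom host firewall script suggested in the reply above, with the rate limiting it mentions. It is not code from the thread; it assumes constructed values (LAN 192.168.1.0/24, single NIC eth0) and that the router already forwards only 21, 25 and 110 to this box.

```shell
#!/bin/sh
# Added example, not from the thread: a small host firewall for the internal
# wu-ftpd/sendmail box. Assumed (constructed) values: LAN 192.168.1.0/24, NIC eth0.
# Set IPT="echo iptables" to preview the rules without root; run
# "sh fw.sh apply" as root to load them.
LAN=${LAN:-192.168.1.0/24}
IPT=${IPT:-iptables}

fw_rules() {
    # Clean INPUT chain that drops by default; OUTPUT is left open because the
    # mail server must deliver outbound mail and resolve DNS.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this box opened, plus FTP data channels that
    # ip_conntrack_ftp marks as RELATED to an accepted control connection.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Management (SSH) only from the private LAN, never from forwarded WAN traffic.
    $IPT -A INPUT -s "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Services the router forwards in: FTP control, SMTP, POP3. New connections
    # are rate limited; anything over the limit falls through to the DROP policy,
    # which blunts password guessing against the FTP/POP logins.
    for port in 21 25 110; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW \
             -m limit --limit 10/minute --limit-burst 20 -j ACCEPT
    done
    # Log (rate limited) whatever is about to be dropped, for later review.
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FW-DROP: "
}

if [ "${1:-}" = "apply" ]; then
    # Required so the FTP data channel is tracked as RELATED.
    modprobe ip_conntrack_ftp
    fw_rules
fi
```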

steve_babbage 11-24-2003 11:29 PM

Thanks Cpt

It worked ok. I'm just tightening it up a bit just in case my desktop router/firewall gets busted.

I have another (related) issue however.

I can check the mail, and reply to it when I am connected via a windows laptop on my lan (on the same network as the sendmail server), but if I am remote, i.e. I have a different public address on my laptop for instance when in a hotel, I can log onto my mail server and check my mail, but if I hit reply, it won't send it out.

Of course all relaying is denied, but how do I set it so if I log in securely, to check my mail, the server knows it's me (UN:PW) it will allow me to send mail out.

Any suggestions??

Should I VPN into the sendmail box, or a box on the lan so it thinks I am local again, and therefore "trusts" me?

Cheers again,


Capt_Caveman 11-25-2003 04:07 PM

How are you "logging-in" to your mailserver, both locally and remotely?

steve_babbage 11-27-2003 09:06 PM

Hi captain!!

I log in with my user name and password that I set up using webmin in the 'users area'.
My assumption here being that each real user of the system has a mailbox.

Therefore, if I log in just from runlevel 3 (no xwindows), I just log in with my UN and PW then type 'mail', and away I go.
Normally when I am physically in front of the Linux (sendmail) machine.

Or I use webmin with a browser on my windows machine connected on the same private LAN.

Or if I'm on my win 2k machine, I may use outlook express with an account that I have set up, i.e. a POP3 account, ip address, as in a private address on my LAN and away I go. The only ports are 25 and 110.

I opt to leave the messages on the server when reading with outlook express.

So that's it. I'm not using any special authentication.

I think if you choose this in outlook it goes to port 995?? or something. So I suppose that's what I'm asking. Do I use a secure type of login (once my sendmail is configured) to allow me to send mail when not on my local LAN??

i.e. the sendmail server (as an outgoing server) says "ok, this guy is not local to me, ie he is connecting via another public network, but as i know him, because he's connected securely, using port 995 (or whatever it is) i will let him use me as an outgoing server, and i know he's not just trying to relay from me"

Is this right??
(maybe the english from my talking mailserver is not that good, but you get the drift??!!)


steve_babbage 11-27-2003 09:08 PM

BTW, to fully answer your question, when I connect remotely, i.e. when at work via a different public network, I set up my mail client (outlook) to my mailserver as incoming and outgoing, using port 25 and 110.

I can read my mail, no problem, but when I send, or reply to a mail message, it does not like it. I assume it thinks I'm trying to relay.


chort 11-28-2003 08:29 PM

You need to enable some type of SMTP authentication. Telling Outlook to use a "secure" port just tells it to use TLS (perhaps incorrectly labelled "SSL"). Port 995 is what POP3 uses over TLS, port 465 is reserved for SMTP over TLS, however most MTAs will happily run an extended TLS option on port 25 (requires ESMTP). TLS is really only used for encryption, not authentication.

You either need to enable POP-before-send on your SMTP server (requires that the MTA is aware of POP authentication) or configure the MTA to use some type of authentication, such as SASL2, AUTH LOGIN, etc. Outlook will support AUTH LOGIN, but I'm not sure about any of the other types of authentication.
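As an added example (not from the thread), this small script checks the two things the reply above separates, encryption (STARTTLS) and authentication (AUTH LOGIN, which Outlook supports), in an ESMTP EHLO reply. The reply below is a constructed sample; the hostname and address are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: inspect an EHLO reply for STARTTLS and
# AUTH LOGIN before opening SMTP submission to remote clients.
# Constructed sample of a typical multi-line EHLO reply (placeholder host/IP).
SAMPLE_EHLO='250-mail.example.invalid Hello laptop [198.51.100.7], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN PLAIN
250 HELP'

# Print the line for one EHLO keyword ($1) from a reply ($2). Extension lines
# look like "250-KEYWORD args"; the final line uses "250 KEYWORD".
ehlo_ext() {
    printf '%s\n' "$2" | sed -n "s/^250[- ]$1\(.*\)$/$1\1/p"
}

# Return 0 when both STARTTLS and AUTH LOGIN are advertised, 1 otherwise,
# printing a verdict an admin can act on.
check_smtp_auth() {
    reply=$1
    tls=$(ehlo_ext STARTTLS "$reply")
    auth=$(ehlo_ext AUTH "$reply")
    status=0
    if [ -z "$tls" ]; then
        echo "no STARTTLS: AUTH LOGIN credentials would cross the network only base64-encoded"
        status=1
    fi
    case " $auth " in
        *" LOGIN "*) ;;
        *) echo "no AUTH LOGIN: Outlook cannot authenticate, so relaying stays refused"
           status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "STARTTLS and AUTH LOGIN advertised: remote submission can be enabled"
    return "$status"
}

check_smtp_auth "$SAMPLE_EHLO"
```

To test a real server, capture its EHLO reply (for example with printf 'EHLO test\r\nQUIT\r\n' | nc mailserver 25) and pass that text to check_smtp_auth instead of the sample.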

steve_babbage 12-04-2003 06:14 PM

Many thanks, will give it a try

