Iptables forwording to M$ Exchange 2010

yon4h · 04-28-2011, 05:29 AM

Hi all,

I have to configure an Iptables firewall to protect a Microsoft Exchange 2010 server.
I saw in THIS LINK that Exhange needs to have a lot of Dynamic RPC ports opened for TCP-IN.

Which configuration do I have to add to the following :

#Accepting everything from exchange to the internet
$IPT -A FORWARD -i eth1 -o eth0 -j ACCEPT

#Accepting those ports from the internet to exchange

$IPT -A FORWARD -i eth0 -p tcp --dport 465 -j ACCEPT ## SSMTP
$IPT -A FORWARD -i eth0 -p tcp --dport 993 -j ACCEPT ## IMAPS
$IPT -A FORWARD -i eth0 -p tcp --dport 585 -j ACCEPT ## IMAP4-SSL
$IPT -A FORWARD -i eth0 -p tcp --dport 995 -j ACCEPT ## SSL-POP
# $IPT -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT ## HTTP
# $IPT -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT ## HTTPS
# $IPT -A FORWARD -i eth0 -p tcp --dport 25 -j ACCEPT ## SMTP
# $IPT -A FORWARD -i eth0 -p tcp --dport 143 -j ACCEPT ## IMAP
# $IPT -A FORWARD -i eth0 -p tcp --dport 110 -j ACCEPT ## POP3

#Everything else is droped
$IPT -A FORWARD -j DROP

Thanks a lot for your answers !

stress_junkie · 04-29-2011, 04:57 PM

I recently put a firewall in between the Internet and an MS Exchange Server. The only port that I forwarded from the Internet to Exchange was port 25. It works fine.

yon4h · 05-02-2011, 10:23 AM

The problem is that my company will use all functionalities of Exchange : Send, receive mails, synchronize with Outlook, synchronize the calendar, contacts etc...

The Microsoft's page of Exchange ports to be opened says that there are a lot of dynamics ports which have to be opened and some statics ports.

http://technet.microsoft.com/en-us/l.../bb331973.aspx

Right now, I don't know how to adapt my iptable's script

Thanks a lot for your answers

spidernik84 · 05-03-2011, 03:16 AM

I would rather go for a VPN, then. Less attack vectors, less thinkering involved.
The user sets up his/her vpn, connects and then opens Outlook/Owa or whatever without the hassle of opening a zillion of ports.
Have you got this option?

yon4h · 05-03-2011, 10:33 AM

I can't make a VPN in that case because some of final costumers have an iPhone and making a VPN in my case is only able by OpenVPN.

Still searching for iptables_exchange.conf

Thanks for your answers

volga629 · 05-05-2011, 06:37 AM

Here some example.
If you have box with iptables.
eth0 ---> outside interface
eth2 ---> inside interface.
You can use some port forwarding example to open port.
Don't forget on top of iptables file OUTPUT: and PREROUTING.

Quote:

:PREROUTING ACCEPT [244:18777]
-A PREROUTING -p tcp -i eth0 -d WANoutisde --dport 25 -j DNAT --to-destination LocalIP

ort
-A TCP_INPUT -s WANoutside -p tcp localport --dport -j ACCEPT
-A FORWARD -p tcp -i eth0 -d localIP --dport localip -j ACCEPT
-A OUTPUT -o eth2 -d localip -p tcp --dport localport -j ACCEPT