
Re: iptables & incoming smtp



On Sat, 2003-03-29 at 18:28, Dan Fleischer wrote:
> I'm having trouble with our web/email server receiving SMTP port 25
> traffic when it's behind an iptables firewall.

My first recommendation: Run a local MTA on the firewall.  Put it in
dumb forward mode: all incoming mail goes to the LAN mail server and all
outgoing mail goes to the ISP's MTA.  It should be really easy to
configure at least postfix to do this.  Then redirect all port 25
connections from the outside world to the local port 25 via iptables.

I do this with my E-mail, and it works great.  You also get a slight
security advantage, as you aren't exposing your mail server's complexity
to your ISP in any way.

But if you don't want to do that...

> We are currently using a Sonicwall 3-nic firewall that I want to replace
> with iptables so that I can start to use FreeS/WAN.  Currently, the 3
> nic's have the following addresses:
> WAN port: 63.252.12.11
> LAN port: 192.168.1.1
> DMZ port: NAT not enabled, but forwards packets to web/email server
> (running Ipswitch's IMail 7.15) with address of 63.252.12.39
> 
> Currently our ISP is scanning our email for viruses and spam, and they
> send all our mail from a server with address 63.252.12.229.
> 
> I set up a 3-nic iptables box on RH7.3 kernel 2.4.18-27.7.x with the
> following addresses:
> WAN port: 63.252.12.39
> LAN port: 192.168.1.1
> DMZ port: 192.168.200.1
> 
> I DNAT incoming ports 25, 80, & 110 to the web/email server with an IP
> address of 192.168.200.2

Is there a reason you changed the web/mail server's IP in the different
configurations?

Secondary recommendation: don't change any of the IPs until you've got
functional equivalence between the Sonicwall and iptables
configurations.

But if you can't do that...

> Bringing up web pages both on the LAN and out in the WAN works, as does
> POP3 internally.  Sending email to the outside works fine as well. 
> However, we can't receive any email from the outside.
> 
> I tested incoming mail from my yahoo account through both the Sonicwall
> and iptables box.
> 
> I plugged my laptop with ethereal between the Sonicwall and the email
> server and got an ARP request broadcast originating from 63.252.12.229, 
> then a response to 63.252.212.229 followed by the TCP handshake and
> incoming SMTP packets and their replies.
> 
> When I sniffed between my iptables box and the web/email server (having
> changed its IP address from 63.252.12.39 to 192.168.200.2 and
> determined that web browsing and POP3 were working) I got an ARP request
> broadcast originating from 192.168.200.1 (the DMZ nic) asking who has
> 192.168.200.2, sending the reply back to 192.168.200.1
> 
> This exchange is never followed by the TCP handshake, nor the SMTP
> transmission.  I also sent:
> echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp # WAN nic
> echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp # DMZ nic
> per http://www.sjdjweis.com/linux/proxyarp/rc.firewall.txt
> 
> but to no avail. 
> 
> Any suggestions?

Have you seen the HOWTOs at netfilter.samba.org?  Those might be able to
help you better than using a script.

Also, make sure you proxy arp the address you're trying to NAT.  I can't
remember if iptables takes care of that detail or not, but you should be
able to use the arp command to verify that a proxy arp entry exists.
-- 
Jeff Licquia <jeff@licquia.org>
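An added example of the "dumb forward" relay Jeff recommends, written by the editor rather than taken from the thread or from Jeff's own setup: a Postfix main.cf for the firewall that accepts mail for the internal domain and hands it to the DMZ mail host, and sends everything else to the ISP's MTA. The addresses 192.168.200.2 and 63.252.12.229 are the ones quoted in Dan's post; the domain example.com, the hostname fw.example.com and the two /24 networks in mynetworks are assumptions.

```ini
# /etc/postfix/main.cf on the firewall (added example, not from the thread).
# Assumed: the mail domain is example.com, the firewall is fw.example.com, and
# the LAN and DMZ are /24 networks. 192.168.200.2 (the DMZ mail host) and
# 63.252.12.229 (the ISP relay) are the addresses quoted in the post.
myhostname = fw.example.com
inet_interfaces = all

# Accept mail for no local domain at all: this box only relays.
mydestination =

# Inbound: relay mail for the internal domain only ...
relay_domains = example.com
# ... to the DMZ mail host. The transport map contains the single line
#     example.com   smtp:[192.168.200.2]
# and must be compiled with "postmap /etc/postfix/transport".
transport_maps = hash:/etc/postfix/transport

# Outbound: everything that is not for relay_domains goes to the ISP's MTA.
# The brackets suppress the MX lookup for the relay host.
relayhost = [63.252.12.229]

# Only the internal networks may submit outbound mail through this relay;
# anyone else may deliver to relay_domains only, so the box is not an open
# relay (reject_unauth_destination).
mynetworks = 127.0.0.0/8, 192.168.1.0/24, 192.168.200.0/24
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
```

With this in place there is nothing to DNAT: Postfix listens on the firewall's own port 25, so the only iptables rule inbound SMTP needs is an INPUT accept for tcp/25 on the WAN interface, and the DMZ host no longer has to be reachable from the outside on port 25 at all.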

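For the setup Dan actually has (port 25 DNATed to the DMZ host), here is an added example, not code from the thread: a small shell script that emits the iptables rules for his second layout and a check that reads the DNAT rule's packet counter. Interface names and addresses are taken from his post (eth1 as WAN, eth2 as DMZ, WAN address 63.252.12.39, mail host 192.168.200.2, ISP relay 63.252.12.229); limiting inbound SMTP to the ISP relay as the only source (ONLY_FROM_RELAY) is an assumption based on his statement that the ISP sends all the mail, and the `iptables -t nat -vnL` output the counter check parses is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the iptables rules that
# DNAT inbound SMTP from the WAN interface to the DMZ mail host, and checks
# whether the DNAT rule is matching packets.
# Addresses and interface names follow Dan's post; ONLY_FROM_RELAY (accept
# inbound SMTP only from the ISP's relay, which he says sends all the mail)
# is an assumption you can switch off.

WAN_IF=${WAN_IF:-eth1}               # the proxy_arp lines in the post label eth1 as WAN
DMZ_IF=${DMZ_IF:-eth2}               # ... and eth2 as DMZ
WAN_IP=${WAN_IP:-63.252.12.39}
MAIL_HOST=${MAIL_HOST:-192.168.200.2}
ISP_RELAY=${ISP_RELAY:-63.252.12.229}
ONLY_FROM_RELAY=${ONLY_FROM_RELAY:-yes}
IPT=${IPT:-iptables}

# Print the rules instead of running them, so they can be reviewed first and
# then applied as root with:  smtp_dnat_rules | sh
smtp_dnat_rules() {
    src=""
    if [ "$ONLY_FROM_RELAY" = yes ]; then
        src="-s $ISP_RELAY "
    fi
    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    echo "$IPT -t nat -A PREROUTING -i $WAN_IF -p tcp ${src}-d $WAN_IP --dport 25 -j DNAT --to-destination $MAIL_HOST:25"
    # 2. filter/FORWARD: DNAT only rewrites the packet; it still has to be
    #    accepted in FORWARD, where it is matched by its NEW (post-DNAT)
    #    destination $MAIL_HOST, not by $WAN_IP.
    echo "$IPT -A FORWARD -i $WAN_IF -o $DMZ_IF -p tcp ${src}-d $MAIL_HOST --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT"
    # 3. Replies from the mail host back towards the WAN.
    echo "$IPT -A FORWARD -i $DMZ_IF -o $WAN_IF -p tcp -s $MAIL_HOST --sport 25 -m state --state ESTABLISHED -j ACCEPT"
}

# Read "iptables -t nat -vnL PREROUTING" output on stdin and print the packet
# counter of the port-25 DNAT rule. A counter that stays at 0 while a remote
# host connects means the SYN never reached this rule (wrong interface,
# address or an earlier rule); a counter that climbs while the DMZ sniffer
# still sees no handshake points at the FORWARD chain instead.
dnat_hits() {
    awk '$3 == "DNAT" && $0 ~ /dpt:25( |$)/ { print $1; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Stand-alone use: print the rule set for review. As root, apply and check:
#   smtp_dnat_rules | sh
#   iptables -t nat -vnL PREROUTING | dnat_hits
smtp_dnat_rules
```

Two things worth noting about this layout. Because 63.252.12.39 is now an address configured on the firewall's own WAN interface, the kernel answers ARP for it itself, so no proxy-ARP entry is needed for the DNAT to work; proxy ARP only matters when the NATed address is one the firewall does not own. And the most common reason a DNATed port "works for 80 but not 25" is not the nat table but the FORWARD chain, which is why rule 2 matches on the post-DNAT destination.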