Firewall and NAT
Neil Marjoram
n.marjoram at adastral.ucl.ac.uk
Mon Nov 1 16:13:48 UTC 2004
Can someone help me? This is driving me nuts!
I currently run sendmail on port 25. I have had a requirement to install
smtp_auth, which all works fine. However, I now find out that one of my
users' ISPs blocks port 25, so he can't access the mail anyway.
The answer? NAT port 10025 or whatever to port 25.
The solution?
I followed the firewall instructions and set up a rule, but it does not
seem to work. Here's my iptables file, and the output from an iptables
list. Can anyone tell me what stupid mistake I have made?
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 143 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 993 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 2049 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
# Accept connections for webmin
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 1.2.3.0/255.255.255.0 -i eth0 --dport 10000 -j ACCEPT
# Accept SMTP_AUTH on 10025
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 10025 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# SMTP_AUTH
-A PREROUTING -p tcp -m tcp -d 1.2.3.4 -i eth0:3 --dport 10025 -j DNAT --to-destination 1.2.3.4:25
COMMIT
# Completed
NAT table :
Chain PREROUTING (policy ACCEPT 109 packets, 10385 bytes)
 pkts bytes target prot opt in     out source   destination
    0     0 DNAT   tcp  --  eth0:3 any anywhere host.mydomain.uk  tcp dpt:10025 to:1.2.3.4:25

Chain POSTROUTING (policy ACCEPT 647 packets, 48457 bytes)
 pkts bytes target prot opt in     out source   destination

Chain OUTPUT (policy ACCEPT 647 packets, 48457 bytes)
 pkts bytes target prot opt in     out source   destination

Chains :
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target              prot opt in  out source   destination
 208K  273M RH-Firewall-1-INPUT all  --  any any anywhere anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target              prot opt in  out source   destination
    0     0 RH-Firewall-1-INPUT all  --  any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 131K packets, 29M bytes)
 pkts bytes target              prot opt in  out source   destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target prot       opt in   out source     destination
  416 23160 ACCEPT all        --  lo   any anywhere   anywhere
   18   504 ACCEPT icmp       --  any  any anywhere   anywhere   icmp any
    0     0 ACCEPT ipv6-crypt --  any  any anywhere   anywhere
    0     0 ACCEPT ipv6-auth  --  any  any anywhere   anywhere
 208K  273M ACCEPT all        --  any  any anywhere   anywhere   state RELATED,ESTABLISHED
    0     0 ACCEPT tcp        --  any  any anywhere   anywhere   state NEW tcp dpt:imap
    2   284 ACCEPT tcp        --  any  any anywhere   anywhere   state NEW tcp dpt:imaps
    0     0 ACCEPT tcp        --  any  any anywhere   anywhere   state NEW tcp dpt:nfs
    8   352 ACCEPT tcp        --  any  any anywhere   anywhere   state NEW tcp dpt:smtp
    0     0 ACCEPT tcp        --  any  any anywhere   anywhere   state NEW tcp dpt:http
    0     0 ACCEPT tcp        --  any  any anywhere   anywhere   state NEW tcp dpt:https
    1   100 ACCEPT tcp        --  any  any anywhere   anywhere   state NEW tcp dpt:ssh
    1    60 ACCEPT tcp        --  eth0 any 1.2.3.0/24 anywhere   tcp dpt:10000
    0     0 ACCEPT tcp        --  any  any anywhere   anywhere   state NEW tcp dpt:10025
   77  9053 REJECT all        --  any  any anywhere   anywhere   reject-with icmp-host-prohibited
Many thanks,
Neil.
--
Neil Marjoram.
Systems Manager
University College London
Adastral Park Campus
Martlesham Heath
Ipswich
Suffolk
IP5 3RL
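As an added check (not part of the post above), here is a small Python linter over iptables-save text that flags the two things worth verifying in a DNAT redirect of this kind: `-i` matches the real device name, so an IP alias such as eth0:3 never matches a packet; and the INPUT chain is evaluated after PREROUTING DNAT, so the filter table must accept the translated port (25) while a filter rule for the public port (10025) is dead for the redirected traffic. The sample ruleset is constructed from the post's own rules.

```python
import shlex
# Constructed sample in iptables-save format (not the poster's file verbatim): the post's
# nat PREROUTING DNAT rule plus the filter rules that bear on it.
SAMPLE = """\
*filter
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 10025 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
-A PREROUTING -p tcp -m tcp -d 1.2.3.4 -i eth0:3 --dport 10025 -j DNAT --to-destination 1.2.3.4:25
COMMIT
"""

def parse_rules(text):
    """Return a list of (table, argv) for every -A line in iptables-save output."""
    rules, table = [], None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            rules.append((table, shlex.split(line)))
    return rules

def opt(argv, name):
    i = argv.index(name) + 1 if name in argv else len(argv)
    return argv[i] if i < len(argv) else None  # value after `name`, or None if absent

def accepted_ports(rules):
    return {opt(a, "--dport") for t, a in rules if t == "filter" and opt(a, "-j") == "ACCEPT" and opt(a, "--dport")}

def lint_dnat(text):
    """Findings for nat DNAT rules that cannot match, or that the filter table mishandles."""
    rules = parse_rules(text)
    ports = accepted_ports(rules)
    findings = []
    for table, argv in rules:
        if table != "nat" or opt(argv, "-j") != "DNAT":
            continue
        iface, dport = opt(argv, "-i"), opt(argv, "--dport")
        if iface and ":" in iface:  # eth0:3 is an IP alias, not a device; -i never matches it
            findings.append(f"-i {iface}: alias names never match; use {iface.split(':')[0]}")
        to = opt(argv, "--to-destination") or ""
        new_port = to.rsplit(":", 1)[1] if ":" in to else dport
        if new_port not in ports:  # INPUT is filtered after PREROUTING DNAT, so it sees new_port
            findings.append(f"filter table does not ACCEPT post-DNAT port {new_port}")
        if dport in ports:
            findings.append(f"filter ACCEPT for --dport {dport} is not needed: INPUT sees the translated port {new_port}")
    return findings
```

Run `lint_dnat(SAMPLE)` to see both findings for the rules as posted; on a ruleset with `-i eth0` and only the port 25 filter rule it returns an empty list.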