SMTP and POP Port Forwarding

mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

I am trying to do port forwarding for POP and SMTP. My scenario is as follows:

INTERNET-- >(eth1 -- real ip)FIREWALL(eth0 -- class C)-- >MAIL SERVER

The mail server is not on Linux; it is using Windows XP.

The mail server is also on a Class C IP. I am trying to do port forwarding for ports 25 and 110, but am unable to achieve it. I am using the following iptables rules to do so:

NETWORK=eth0
INTERNET=eth1
REAL_IP=xx.xx.xx.xx
MAIL_SERVER=xx.xx.xx.xx

iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Routing between eth0 and eth1 must be on, or DNATed packets are never sent on.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Note: accepting NEW here lets every inbound connection reach the firewall
# itself, so the INPUT DROP policy and the port 25/110 INPUT accepts below
# have no effect; the second rule is then fully covered by the first.
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Inbound SMTP/POP3 arriving on the Internet side is redirected to the mail server.
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 25 -j DNAT --to-destination $MAIL_SERVER:25
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 110 -j DNAT --to-destination $MAIL_SERVER:110

# These only matter for connections to the firewall itself; DNATed traffic
# goes through the FORWARD chain, not INPUT.
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT

# Outbound SMTP/POP3 leaves with the firewall's public address as source.
iptables -t nat -A POSTROUTING -o $INTERNET -p tcp --dport 25 -j SNAT --to-source $REAL_IP
iptables -t nat -A POSTROUTING -o $INTERNET -p tcp --dport 110 -j SNAT --to-source $REAL_IP
These rules are not working; however, when I try to do port forwarding for other ports like VNC or HTTP in a similar manner,

iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j DNAT --to-destination $MAIL_SERVER:80
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 5900 -j DNAT --to-destination $MAIL_SERVER:5900

these rules work perfectly.

I think there might be something that I am missing or doing wrong. Please help me out with this.

Looking forward to a positive reply.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Post by lambda »

Have you used tcpdump, or anything similar, to see where your traffic is ending up, or being dropped?
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

I used tcpdump; it showed that the traffic is going to the specified IP.

The thing is this: if I send mail from Hotmail or Gmail or any other to my MAIL SERVER, I am able to receive it on my MAIL SERVER; however, when I send mail from my MAIL SERVER I don't receive it at the other end.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
eternal peace
Naik
Posts: 86
Joined: Thu Apr 03, 2003 6:44 pm

Post by eternal peace »

Can you telnet to any remote SMTP server on port 25 from your mail server?
hail to linux!!!
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

I have no access to the mail server at all. I am able to telnet to the mail server on port 25 and also on port 110.

When I use a router for port forwarding it works fine; the problem comes when I try to do port forwarding from Linux. This means that there is nothing wrong with the mail server; there is something I am missing or doing wrong for port forwarding.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
eternal peace
Naik
Posts: 86
Joined: Thu Apr 03, 2003 6:44 pm

Post by eternal peace »

What I meant was whether your firewall is not blocking outgoing SMTP connections, as you can receive mail but are not able to send mail using your mail server.

If you can telnet to any outside SMTP server on port 25, then it means outgoing SMTP is working through your firewall; if telnet fails, then your firewall is blocking outgoing SMTP requests and you'll have to check your firewall rules.
hail to linux!!!
syedbilalmasaud
Naib Subedar
Posts: 347
Joined: Thu Aug 18, 2005 9:25 am
Location: Attock

Post by syedbilalmasaud »

Mudasir,

I went through the same problem and I fixed it with iptables modules, so have a look into your lsmod | grep ip output. You should have these modules:
ipt_MASQUERADE 3712 1
ipt_REDIRECT 2176 1
iptable_nat 7044 1
ip_nat 16876 3 ipt_MASQUERADE,ipt_REDIRECT,iptable_nat
ip_conntrack 49088 4 ipt_MASQUERADE,iptable_nat,ip_nat,xt_state
nfnetlink 6680 2 ip_nat,ip_conntrack
xt_multiport 3264 2
iptable_filter 3104 1
ipt_TCPMSS 4096 1
iptable_mangle 2880 1
ip_tables 13028 3 iptable_nat,iptable_filter,iptable_mangle
x_tables 13316 9 ipt_MASQUERADE,ipt_REDIRECT,iptable_nat,xt_state,xt_multiport,ipt_TCPMSS,xt_tcpmss,xt_tcpudp,ip_tables

Hope this helps.
Cheers :)

:D B I L A L :D
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Post by lambda »

syedbilalmasaud wrote:
> Hope this helps

iptables loads the required modules automatically; your list of modules is not going to help anyone with anything. You're posting about the symptoms of the solution rather than the actual solution. After all, loading the modules won't solve the problem.

mudasir wrote:
> The thing is this: if I send mail from Hotmail or Gmail or any other to my MAIL SERVER, I am able to receive it on my MAIL SERVER; however, when I send mail from my MAIL SERVER I don't receive it at the other end.

What do the mail server's logs say? What exactly does tcpdump show when you send mail from the mail server?
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

Sorry for the late reply.

My complete iptables script initially loads all the required modules, which include many of the modules listed.

The problem is not about iptables; I know my rules are correct, but I still don't know why it's not working.

The mail server is a pre-configured IBM server using Domino. I don't have any access to the server; I can't even open it.

I will try something new after Eid, then will let you all know whether it worked or not.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore

Post by lambda »

Send mail from the server while running tcpdump to watch the packets on the internal interface.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
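lambda's suggestion above, and eternal peace's earlier question about outgoing SMTP, both come down to comparing what the public interface sees with what the internal one sees during a test send. The following is an added example, not code from anyone in this thread: a POSIX shell script that reads two constructed tcpdump -n captures (one per interface) and checks that every inbound SYN for REAL_IP:25 reappears on the LAN side addressed to the mail server (DNAT applied), and that every SYN the mail server sends to a remote port 25 leaves the public side with REAL_IP as its source (SNAT applied). The addresses 203.0.113.10 and 192.168.1.25, the capture text and the function names are all assumptions for illustration; in practice the two captures come from tcpdump -n -i eth1 'tcp port 25' and tcpdump -n -i eth0 'tcp port 25' run at the same time.

```shell
#!/bin/sh
# Added example, not from any post in this thread: compare what tcpdump saw
# on the public interface with what it saw on the LAN interface and decide
# whether DNAT (inbound) and SNAT (outbound) actually happened. All addresses
# and captures below are constructed placeholders.
REAL_IP=203.0.113.10       # firewall's public address (placeholder)
MAIL_SERVER=192.168.1.25   # mail server's LAN address (placeholder)

# Constructed sample of: tcpdump -n -i eth1 'tcp port 25'   (public side)
EXT_CAP='12:00:01.000001 IP 198.51.100.7.51234 > 203.0.113.10.25: Flags [S], seq 1, win 65535, length 0
12:00:01.000900 IP 203.0.113.10.25 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:05.000001 IP 203.0.113.10.40001 > 192.0.2.80.25: Flags [S], seq 3, win 65535, length 0'

# Constructed sample of: tcpdump -n -i eth0 'tcp port 25'   (LAN side, same time)
INT_CAP='12:00:01.000300 IP 198.51.100.7.51234 > 192.168.1.25.25: Flags [S], seq 1, win 65535, length 0
12:00:01.000800 IP 192.168.1.25.25 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:05.000001 IP 192.168.1.25.40001 > 192.0.2.80.25: Flags [S], seq 3, win 65535, length 0'

# Constructed LAN-side capture for the failure case: the inbound SYN never
# shows up on eth0, i.e. the DNAT rule did not apply.
INT_CAP_NODNAT='12:00:05.000001 IP 192.168.1.25.40001 > 192.0.2.80.25: Flags [S], seq 3, win 65535, length 0'

# Print "src_ip dst_ip" for every bare SYN to TCP port $2 in capture text $1.
# tcpdump -n prints "IP a.b.c.d.sport > e.f.g.h.dport: Flags [S], ...".
syns_to_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $2 == "IP" && $7 == "[S]," {
            src = $3; dst = $5; sub(/:$/, "", dst)
            split(src, s, "."); nd = split(dst, d, ".")
            if (d[nd] == port)
                print s[1] "." s[2] "." s[3] "." s[4], d[1] "." d[2] "." d[3] "." d[4]
        }'
}

# Inbound: every connection that arrived for REAL_IP:25 on the public side
# must reappear on the LAN side from the same source, now addressed to the
# mail server. Arguments: public capture, LAN capture.
check_inbound_dnat() {
    ext=$(syns_to_port "$1" 25 | awk -v d="$REAL_IP" '$2 == d { print $1 }')
    lan=$(syns_to_port "$2" 25 | awk -v d="$MAIL_SERVER" '$2 == d { print $1 }')
    [ -n "$ext" ] && [ "$ext" = "$lan" ]
}

# Outbound: every connection the mail server opens to a remote port 25 must
# leave the public side with REAL_IP as its source; without that SNAT the
# remote MTA sees a private address and the mail never arrives.
check_outbound_snat() {
    lan=$(syns_to_port "$2" 25 | awk -v s="$MAIL_SERVER" '$1 == s { print $2 }')
    ext=$(syns_to_port "$1" 25 | awk -v s="$REAL_IP" '$1 == s { print $2 }')
    [ -n "$lan" ] && [ "$lan" = "$ext" ]
}

report() {
    if check_inbound_dnat "$1" "$2"; then echo "inbound DNAT to $MAIL_SERVER:25  ok"
    else echo "inbound DNAT to $MAIL_SERVER:25  MISSING (SYN seen on eth1 but not on eth0)"; fi
    if check_outbound_snat "$1" "$2"; then echo "outbound SNAT to $REAL_IP       ok"
    else echo "outbound SNAT to $REAL_IP       MISSING"; fi
}

echo "-- working captures"; report "$EXT_CAP" "$INT_CAP"
echo "-- LAN capture without the DNATed SYN"; report "$EXT_CAP" "$INT_CAP_NODNAT"
```

The check deliberately looks only at bare SYNs: a SYN that is present on eth1 and absent on eth0 means the packet was dropped or never translated on the firewall, while a SYN that appears on both but leaves eth1 with a LAN source means the POSTROUTING rule did not match. Either outcome narrows the problem to one chain of one table before anyone has to look at the mail server's own logs.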
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

I will post the results here by Friday night.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
syedbilalmasaud
Naib Subedar
Posts: 347
Joined: Thu Aug 18, 2005 9:25 am
Location: Attock

Post by syedbilalmasaud »

Mudasir,

You are making a mistake here in your scenario. Actually, in the last post I did not get you correctly. Here is an example of your scenario; I did it and it is working with MS Exchange 2007.

Internet ===> PPPoE ==> Linux Box (Debian) public IP ==> port 25 ==> forwarded to Windows 2003 Server Machine

Here are the rules:

# Shell variable names cannot contain "-", so the two addresses are named
# EX_IP and PUBLIC_IP; both are placeholders to fill in.
EX_IP=xx.xx.xx.xx        # Exchange server's LAN address
PUBLIC_IP=xx.xx.xx.xx    # public address on ppp0

# Inbound mail traffic arriving on ppp0 is redirected to the Exchange server.
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination $EX_IP:25
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 587 -j DNAT --to-destination $EX_IP:587
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 110 -j DNAT --to-destination $EX_IP:110
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 143 -j DNAT --to-destination $EX_IP:143
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 443 -j DNAT --to-destination $EX_IP:443

# Connections the Exchange server opens on these ports leave with the public
# address. They are listed before the catch-all MASQUERADE because the first
# nat target that matches ends rule traversal; placed after it, they would never run.
iptables -t nat -A POSTROUTING -s $EX_IP -o ppp0 -p tcp -m tcp --dport 25 -j SNAT --to-source $PUBLIC_IP
iptables -t nat -A POSTROUTING -s $EX_IP -o ppp0 -p tcp -m tcp --dport 110 -j SNAT --to-source $PUBLIC_IP
iptables -t nat -A POSTROUTING -s $EX_IP -o ppp0 -p tcp -m tcp --dport 143 -j SNAT --to-source $PUBLIC_IP
iptables -t nat -A POSTROUTING -s $EX_IP -o ppp0 -p tcp -m tcp --dport 443 -j SNAT --to-source $PUBLIC_IP
iptables -t nat -A POSTROUTING -j MASQUERADE


Try to understand this example; it will solve your problem, because it's a working example.

You must enable IP forwarding and have to create ESTABLISHED,RELATED rules in the FORWARD chain to make it work for port communication, and allow ppp0 forwarding for ethX.


All the best,
Bilal
Cheers :)

:D B I L A L :D
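Bilal's rule set and his closing note about ip_forward and the FORWARD chain, together with the script in the first post, describe one procedure. The following is an added example, not code from anyone in this thread, that puts the pieces together for the original scenario (Internet on eth1, mail server behind eth0). The interface names, the addresses 203.0.113.10 and 192.168.1.25, the ipt wrapper and the APPLY switch are all constructed for illustration. It differs from both scripts above in two ways that matter: the FORWARD policy is DROP, so from the Internet only the two forwarded ports can reach the mail server, and the mail-server SNAT is placed before the MASQUERADE rule, where it can actually match. By default the script only prints the iptables commands it would run; with APPLY=1 it applies them (as root).

```shell
#!/bin/sh
# Added example, not taken from any post in this thread: a complete
# forwarding script for the scenario (Internet -> eth1 firewall eth0 -> mail
# server). Addresses and interface names are constructed placeholders.
NETWORK=eth0                 # LAN side, where the mail server lives
INTERNET=eth1                # public side
REAL_IP=203.0.113.10         # placeholder for the firewall's public address
MAIL_SERVER=192.168.1.25     # placeholder for the mail server's LAN address
FORWARDED_PORTS="25 110"

# Every rule goes through ipt. By default the command is printed for review;
# set APPLY=1 to hand it to the real iptables (needs root).
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_rules() {
    # Without routing between the interfaces the DNATed packets are never sent on.
    if [ "${APPLY:-0}" = "1" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi

    ipt -P INPUT DROP
    ipt -P FORWARD DROP            # forwarding is opt-in per port, not ACCEPT-all
    ipt -P OUTPUT ACCEPT

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Replies to forwarded connections, plus anything the LAN opens outwards.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$NETWORK" -o "$INTERNET" -j ACCEPT

    for port in $FORWARDED_PORTS; do
        # DNAT in PREROUTING rewrites the destination before routing ...
        ipt -t nat -A PREROUTING -i "$INTERNET" -p tcp --dport "$port" \
            -j DNAT --to-destination "$MAIL_SERVER:$port"
        # ... so the FORWARD chain must match the mail server's address,
        # not REAL_IP, which the packet no longer carries.
        ipt -A FORWARD -i "$INTERNET" -o "$NETWORK" -p tcp -d "$MAIL_SERVER" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Mail the server sends must leave with the public address. This SNAT has
    # to precede the catch-all MASQUERADE: the first matching nat target wins.
    ipt -t nat -A POSTROUTING -s "$MAIL_SERVER" -o "$INTERNET" -p tcp \
        --dport 25 -j SNAT --to-source "$REAL_IP"
    ipt -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
}

build_rules
```

Two details are easy to get wrong and are the reason the FORWARD rules are written the way they are: the nat PREROUTING rewrite happens before the filter FORWARD chain sees the packet, so a FORWARD rule matching on the public address will never fire, and a terminating nat target (SNAT, MASQUERADE, DNAT) stops traversal of that chain, so order inside POSTROUTING decides which source address the remote MTA sees.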