Hi,
I currently have a firewall running on 6.8 that only allows smtp communication from our LAN exchange server (10.1.5.32) to our mail host (Fuse Mail IP range), and from Fuse Mail to the Exchange server.
The working rules on 6.8:
Rule Name                    Rule
===========================  ==========================================================================================================================
Deny SMTP                    iptables -I FORWARD -i eth5 -p tcp --dport 25 -j DROP
Allow SMTP from defined IPs  iptables -I FORWARD -i eth5 -s 10.1.5.32 -p tcp --dport 25 -j ACCEPT
FM1                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 192.162.216.0/22 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM2                          iptables -A FORWARD -p tcp -s 192.162.216.0/22 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
FM3                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 208.70.128.0/21 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM4                          iptables -A FORWARD -p tcp -s 208.70.128.0/21 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
FM5                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 72.35.12.0/24 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM6                          iptables -A FORWARD -p tcp -s 72.35.12.0/24 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
FM7                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 72.35.23.0/24 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM8                          iptables -A FORWARD -p tcp -s 72.35.23.0/24 -d 10.1.5.23 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
The rules created on the 7.2 system (changed eth5 to ens160):
Rule Name                    Rule
===========================  ==========================================================================================================================
Deny SMTP                    iptables -I FORWARD -i ens160 -p tcp --dport 25 -j DROP
Allow SMTP from defined IPs  iptables -I FORWARD -i ens160 -s 10.1.5.32 -p tcp --dport 25 -j ACCEPT
FM1                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 192.162.216.0/22 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM2                          iptables -A FORWARD -p tcp -s 192.162.216.0/22 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
FM3                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 208.70.128.0/21 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM4                          iptables -A FORWARD -p tcp -s 208.70.128.0/21 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
FM5                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 72.35.12.0/24 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM6                          iptables -A FORWARD -p tcp -s 72.35.12.0/24 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
FM7                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 72.35.23.0/24 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM8                          iptables -A FORWARD -p tcp -s 72.35.23.0/24 -d 10.1.5.23 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
I don't seem to be able to receive mail, so it is like the rules aren't working - has the syntax changed more than just the LAN ethernet name (it looks like ppp0 has the same name)?
I tried specifying our external IP using the below, but it didn't make a difference:
FM1 iptables -t nat -A PREROUTING -p tcp -s 82.68.112.126/24 -s 192.162.216.0/22 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM2 iptables -A FORWARD -p tcp -s 192.162.216.0/22 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
any guidance would be much appreciated.
Thanks
Accepted Answer
My bad on the 192.162.216.0/22 range. At first glance I thought it was the 192.168.x.y private range.
The rule you are missing, and you need it only once, is:
iptables -I POSTROUTING -t nat -s your_LAN_subnet -d 10.1.5.32 -p tcp --dport 25 -j SNAT --to-source your_LAN_interface_IP
I can never get my head round this rule and I am not totally sure why it is needed. I can see it can get round Micro$oft firewalling issues when the firewall only allows traffic from other LAN devices, but otherwise I am not sure of its purpose. Remember also to change "iptables" to "$IPTABLES" when you've tested it.
In theory you can combine IP addresses in iptables by separating them by commas. That would reduce your port forwarding rules to three, plus your two outbound rules. I have not tried it.
[edit]
... and thinking about it, there is no need to use the -s on both the PREROUTING and FORWARD rules. If you do it on the PREROUTING, the traffic is already filtered to just those IP ranges. Your FORWARD rules have "-d 10.1.5.32", so will never operate on direct traffic from the internet as people on the internet cannot send packets directly to 10.1.5.32.
[/edit]
Responses (5)
Hi all,
Just wanted to say thank you. Nick, your one line
iptables -I POSTROUTING -t nat -s your_LAN_subnet -d 10.1.5.32 -p tcp --dport 25 -j SNAT --to-source your_LAN_interface_IP
was the fix; it started working as soon as that line was in. We also followed your recommendation and removed the state types.
Apologies for the months' delay, but as this is a production system, we don't get many time windows to do testing. Now the firewall rules and VPNs are sorted, we will be on to the AD integration.
Suggestions all very much appreciated.
That syntax should probably work from the command line, but from the custom firewall module or /etc/clearos/firewall.d/local, please change "iptables" to "$IPTABLES" (which more or less calls "iptables -w").
I do find the rules a little odd. Incoming port forwarding normally has 3 rules (PREROUTING, FORWARD, POSTROUTING). When you tried to use your WAN IP you specified -s twice instead of -s and -d in your PREROUTING rule. I am also unsure of the role of the 192.162.216.0/22 address range when the mail is coming from the internet.
FWIW you should not need "-m state --state NEW,ESTABLISHED,RELATED" as that is all traffic anyway.
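As an added example (not code from the thread or from ClearOS), here is the three-rule inbound forward described in this reply and in the accepted answer (PREROUTING DNAT, FORWARD accept, one POSTROUTING SNAT) together with the two outbound rules, written with $IPTABLES as /etc/clearos/firewall.d/local expects and using the comma-joined source list the accepted answer suggests. The LAN subnet 10.1.5.0/24 and LAN interface IP 10.1.5.1 are assumed placeholders for your_LAN_subnet and your_LAN_interface_IP, and DRY_RUN prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread or ClearOS: the inbound SMTP port forward as the
# replies describe it (PREROUTING DNAT, FORWARD accept, one POSTROUTING SNAT) plus the
# two outbound rules, using $IPTABLES as /etc/clearos/firewall.d/local expects.
IPTABLES=${IPTABLES:-iptables}
WAN_IF=ppp0
LAN_IF=ens160
MAIL_SERVER=10.1.5.32
LAN_SUBNET=10.1.5.0/24   # assumed placeholder for your_LAN_subnet
LAN_IF_IP=10.1.5.1       # assumed placeholder for your_LAN_interface_IP
# Fuse Mail ranges from the original post, comma-joined: iptables expands a
# comma-separated -s list into one rule per address (the answer's untested suggestion).
FUSE_RANGES="192.162.216.0/22,208.70.128.0/21,72.35.12.0/24,72.35.23.0/24"

# With DRY_RUN=1 print the command instead of running it, so the rule set can be
# reviewed before it is applied to a production firewall.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

smtp_rules() {
    # Outbound: only the Exchange server may open SMTP connections from the LAN.
    # -I puts each rule at the top, so the ACCEPT (inserted last) sits above the DROP.
    run $IPTABLES -I FORWARD -i "$LAN_IF" -p tcp --dport 25 -j DROP
    run $IPTABLES -I FORWARD -i "$LAN_IF" -s "$MAIL_SERVER" -p tcp --dport 25 -j ACCEPT
    # Inbound 1: DNAT port 25 from the allowed ranges only. Filtering on -s happens
    # here, so the FORWARD rule need not repeat it (as the answer's edit notes).
    run $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$FUSE_RANGES" \
        --dport 25 -j DNAT --to-destination "$MAIL_SERVER:25"
    # Inbound 2: let the DNATed packets through to the mail server. No
    # "-m state --state NEW,ESTABLISHED,RELATED": that matches all traffic anyway.
    run $IPTABLES -A FORWARD -p tcp -d "$MAIL_SERVER" --dport 25 -j ACCEPT
    # Inbound 3: the rule the poster was missing, needed once. It rewrites the source
    # of LAN-originated connections to the mail server so replies return via the firewall.
    run $IPTABLES -t nat -I POSTROUTING -s "$LAN_SUBNET" -d "$MAIL_SERVER" -p tcp \
        --dport 25 -j SNAT --to-source "$LAN_IF_IP"
}

# Emit the rule set as text without touching the kernel.
print_smtp_rules() { ( DRY_RUN=1; smtp_rules ); }

print_smtp_rules
```

Run it as-is to review the five generated commands; drop the final print_smtp_rules call and call smtp_rules instead when applying the rules from the firewall script.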