Firewall and NAT

Neil Marjoram n.marjoram at adastral.ucl.ac.uk
Mon Nov 1 16:13:48 UTC 2004


Can someone help me? This is driving me nuts!

I currently run sendmail on port 25. I have had a requirement to install
smtp_auth, which all works fine. However, I now find out that one of my
users' ISPs blocks port 25, so he can't access the mail anyway.

The answer? NAT port 10025 or whatever to port 25.

The solution?

I followed the firewall instructions and set up a rule, but it does not
seem to work; here's my iptables file and the output from an iptables
list. Can anyone tell me what stupid mistake I have made?


# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 143 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 993 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 2049 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 80 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
# Accept connections for webmin
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 1.2.3.0/255.255.255.0 -i eth0 --dport 10000 -j ACCEPT
# Accept SMTP_AUTH on 10025
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 10025 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# SMTP_AUTH
-A PREROUTING -p tcp -m tcp -d 1.2.3.4 -i eth0:3 --dport 10025 -j DNAT --to-destination 1.2.3.4:25
COMMIT
# Completed

NAT table:

Chain PREROUTING (policy ACCEPT 109 packets, 10385 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0:3 any     anywhere             host.mydomain.uk     tcp dpt:10025 to:1.2.3.4:25

Chain POSTROUTING (policy ACCEPT 647 packets, 48457 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 647 packets, 48457 bytes)
 pkts bytes target     prot opt in     out     source               destination


Chains:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 208K  273M RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 131K packets, 29M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  416 23160 ACCEPT     all  --  lo     any     anywhere             anywhere
   18   504 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp any
    0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
    0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
 208K  273M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:imap
    2   284 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:imaps
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:nfs
    8   352 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:smtp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:https
    1   100 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
    1    60 ACCEPT     tcp  --  eth0   any     1.2.3.0/24           anywhere             tcp dpt:10000
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:10025
   77  9053 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited

Many thanks,

Neil.

-- 
Neil Marjoram.
Systems Manager
University College London
Adastral Park Campus
Martlesham Heath
Ipswich
Suffolk
IP5 3RL
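The script below is an added example, not part of Neil's post or of any reply in the thread. It lints an iptables-save dump of the shape posted above (a trimmed, constructed copy is embedded; 1.2.3.4 and eth0:3 are the post's own placeholders) for the two things a reviewer would check on a port-forwarding DNAT rule like this one. First, `-i eth0:3` names an IP-alias label; the packet filter only ever sees the real device (`eth0`), so a PREROUTING rule with that interface match never fires, which is consistent with the 0-packet counter on the DNAT line in the listing. Second, DNAT rewrites the destination port before the filter INPUT chain runs, so INPUT sees tcp/25, not tcp/10025: the existing tcp/25 NEW rule is what admits the connection, and the tcp/10025 ACCEPT is dead. The function names (`lint`, `fix_alias_interfaces`) and the sample dump are mine; the lint ignores chain reachability on purpose and is not a full ruleset simulator.

```python
"""Lint an iptables-save dump for two DNAT pitfalls (added example, not from the post):
alias interface names in '-i', and filter rules that accept the pre-DNAT port instead
of the post-DNAT one."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: a trimmed dump of the same shape as the one in the post.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 25 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 10025 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp -d 1.2.3.4 -i eth0:3 --dport 10025 -j DNAT --to-destination 1.2.3.4:25
COMMIT
"""


@dataclass
class DnatRule:
    rule: str
    in_iface: Optional[str]
    dport: Optional[int]      # port matched before translation
    to_port: Optional[int]    # port the filter table sees afterwards


def parse_tables(dump: str) -> Dict[str, List[str]]:
    """Group the '-A ...' lines of an iptables-save dump by table ('*name')."""
    tables: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables


def _opt(rule: str, flag: str) -> Optional[str]:
    """Value of a single-argument option such as '-i eth0' or '--dport 25'."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", rule)
    return m.group(1) if m else None


def dnat_rules(tables: Dict[str, List[str]]) -> List[DnatRule]:
    """PREROUTING DNAT rules with the fields the lint needs."""
    found = []
    for rule in tables.get("nat", []):
        if not rule.startswith("-A PREROUTING ") or "-j DNAT" not in rule:
            continue
        to = _opt(rule, "--to-destination") or ""
        to_port = int(to.rsplit(":", 1)[1]) if ":" in to else None
        dport = _opt(rule, "--dport")
        found.append(DnatRule(rule, _opt(rule, "-i"),
                              int(dport) if dport and dport.isdigit() else None,
                              to_port))
    return found


def accepted_tcp_ports(tables: Dict[str, List[str]]) -> Set[int]:
    """TCP destination ports some filter-table rule ACCEPTs (reachability ignored)."""
    ports: Set[int] = set()
    for rule in tables.get("filter", []):
        if "-j ACCEPT" in rule and "-p tcp" in rule:
            p = _opt(rule, "--dport")
            if p and p.isdigit():
                ports.add(int(p))
    return ports


def lint(dump: str) -> List[str]:
    """One finding per problem, each prefixed with a short tag."""
    tables = parse_tables(dump)
    accepted = accepted_tcp_ports(tables)
    findings: List[str] = []
    for r in dnat_rules(tables):
        if r.in_iface and ":" in r.in_iface:
            base = r.in_iface.split(":", 1)[0]
            findings.append(f"alias-iface: '-i {r.in_iface}' never matches; "
                            f"packets arrive on '{base}', so use '-i {base}'")
        if r.to_port is not None and r.to_port not in accepted:
            findings.append(f"post-dnat-port-blocked: no filter ACCEPT for tcp/{r.to_port}, "
                            f"the port INPUT sees after DNAT")
        if r.dport is not None and r.dport in accepted and r.dport != r.to_port:
            findings.append(f"dead-rule: filter ACCEPT for tcp/{r.dport} is never hit; "
                            f"after DNAT INPUT sees tcp/{r.to_port}")
    return findings


def fix_alias_interfaces(dump: str) -> str:
    """Rewrite '-i ethN:M' / '-o ethN:M' to the real device name."""
    return re.sub(r"((?:^|\s)-[io]\s+)(\S+?):\d+\b", r"\1\2", dump)


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(finding)
    print("--- after fix_alias_interfaces ---")
    for finding in lint(fix_alias_interfaces(SAMPLE_RULES)):
        print(finding)
```

Run against the sample it reports the alias interface and the dead tcp/10025 rule; after the rewrite only the dead rule remains, which can simply be deleted since tcp/25 is already accepted. The same check on a live box is `iptables -t nat -L PREROUTING -v -n`: a DNAT rule whose packet counter stays at zero while connections are being attempted is not matching, whatever the filter table says.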



