Doug Sampson wrote:
I want to port forward any packets sent to port 25 on the external interface
to an internal email server but I seem to be having trouble doing so. I've
made the necessary changes to the network config file but the changes aren't
taking hold. I've rebooted the server twice to no avail (I'm a M$ techie :) ).

Here's the network config file condensed:

<snip>
<snip>
# TCP services open to outside world
# Space separated list: srcip/mask_dstport
EXTERN_TCP_PORTS="xxx.xxx.0.0/16_ssh 0/0_www 0/0_8080 0/0_25"  <-- edited to hide actual addrs
This looks OK.

<snip>

# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
#       <protocol>_<local-ip>_<local-port>_<remote-ip>_<remote-port>
INTERN_SERVERS="tcp_${EXTERN_IP}_smtp_192.168.1.4_smtp
tcp_${EXTERN_IP}_8080_192.168.1.15_www
This also looks OK. You could try using the INTERN_SMTP_SERVER variable below, to make sure there's not something broken with the INTERN_SERVERS line above, but if your web-server port-forwarding is working OK, I doubt that will help.

# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1  # Internal FTP server to make available
#INTERN_WWW_SERVER=192.168.1.1  # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1  # Internal SSH server to make available
#EXTERN_SSH_PORT=24             # External port to use for internal SSH access
<snip>

Running the Port Probe function at www.grc.com reveals port 25 to be in
stealth mode which under any other circumstances would be great but not
under the current circumstance! The same probe shows port 80 to be open
which is what I intended. The IP address for our email server is
192.168.1.4. It's an Exchange box with ports SMTP, POP3, and IMAP opened.

Currently running Dachstein CD 1.0.2.
OK, there are several things that could be going wrong, besides mis-configuration (it looks like you've got everything set up properly, but I can't tell for sure without the full output of "net ipfilter list").

1) Your ISP is blocking port 25. This is fairly common, and is typically encountered along with blocking of port 80. To test this, keep the EXTERN_TCP_PORTS setting above, but comment out the INTERN_SERVERS port-forwarding setting. This will let packets through your firewall, but they will have nowhere to go (no listening service or port-forward), so the firewall will send out a TCP reset packet. GRC should show this as a "closed" port, rather than "open" or "stealth". You can also try a normal traceroute to your box, then a traceroute using TCP port 25 packets, to see if your ISP is filtering traffic (Note you have to do this from *OUTSIDE* your ISP's network).

2) Your firewall is actually mis-configured, and your firewall rules or port-forwarding setup is preventing packets from getting to your mail server, even though your network.conf settings look OK. Send the output of "net ipfilter list" so we can verify your setup and/or trace packets as they make their way through your network (with ipchains packet counts/logging, tcpdump, or some other means).

3) Your mail server is off-line, or you are port-forwarding to the wrong internal IP. Try telnetting to the internal IP of your mail server from a box on the internal network, and see if you can connect and manually walk through an SMTP session (type "HELO" then "QUIT" for a minimal test).

Reading between the lines, I strongly suspect your ISP is blocking traffic to port 25. This is typically done along with blocking inbound web traffic to port 80, and I notice you are using port 8080 to forward to your internal web server, but have still opened port 80 to the world (perhaps from a previous unsuccessful attempt to port-forward normal web traffic?). Regardless, post the requested "net ipfilter list" output for debugging, along with the results of the above tests if you can't get things working. Some details about your ISP (including where you are, as folks like RoadRunner and Cox do things differently in different cities) would also help.

--
Charles Steinkuehler
[EMAIL PROTECTED]
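The two checks from the reply above (the open / closed / stealth classification that the GRC probe reports in point 1, and the minimal HELO/QUIT session in point 3), written up as an added example; this is not code from the original thread or from the Dachstein project. The fake SMTP responder, the probe host name and the loopback addresses are constructed so it runs offline.

```python
"""Port-state classification and minimal SMTP session check (added example)."""
import socket
import threading


def classify_port(host, port, timeout=3.0):
    """'open' = SYN/ACK (a service or port-forward answered);
    'closed' = TCP reset (firewall passed the packet, nothing listened);
    'stealth' = no reply within the timeout (dropped by firewall or ISP)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout / TimeoutError
        return "stealth"
    finally:
        s.close()


def readline(sock):
    """Read one CRLF-terminated SMTP line (returns '' on disconnect)."""
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        data += chunk
    return data.decode(errors="replace").rstrip()


def smtp_minimal_check(host, port, timeout=5.0):
    """Banner, HELO, QUIT: return the three reply codes. A mail server that is
    reachable but not answering gives an empty banner instead of '220'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        codes = [readline(s)[:3]]
        s.sendall(b"HELO probe.example\r\n")   # constructed probe host name
        codes.append(readline(s)[:3])
        s.sendall(b"QUIT\r\n")
        codes.append(readline(s)[:3])
    return codes


def start_fake_smtp():
    """Constructed stand-in for the internal Exchange box; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    conn.sendall(b"220 mail.example ESMTP ready\r\n")
                    for reply in (b"250 mail.example\r\n", b"221 Bye\r\n"):
                        readline(conn)            # consume HELO, then QUIT
                        conn.sendall(reply)
            except OSError:
                pass                               # client went away early

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    p = start_fake_smtp()
    print(classify_port("127.0.0.1", p), smtp_minimal_check("127.0.0.1", p))
```

Against a real box, run classify_port from outside the ISP's network as the reply says; "closed" with the forward commented out and "stealth" with it active points at the ISP rather than the firewall.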
