Still haven't gotten my head fully wrapped around iptables and am having some problems getting at my mail server on the LAN (also SSH on that machine, but that is another question).

My setup is:

eth0 - external interface at 10.10.10.254 with IP aliases of 10.10.10.250, 10.10.10.251, 10.10.10.252, and 10.10.10.253.
eth1 - the gateway for the LAN at 192.168.77.1

This machine is acting as the gateway for my private LAN and is also my VPN server. I can't connect to ports 25 and 110 (SMTP and POP) from the outside world. The machine which I am trying to connect to is at 192.168.77.2, and I've set up aliases on it just for the sake of clarity at 192.169.77.80 and 192.168.77.110, where the 80 one is for virtual hosts in Apache (which the forwarding is working fine for) and the 110 one is where I am trying to access my mail server. There currently is no firewall on this internal machine, so there is very little to get in the way of communication. Below is my configuration file (yes, it has been created through the iptables-save function and some hand editing; I'm not much of a scripter). I probably have a POSTROUTING rule configured incorrectly or something of that nature, I'd guess.

I also realize that this is a rather insecure set of rules, so some basic things I could add along the way would be appreciated.

Thanks!
-michael
*filter
:INPUT ACCEPT [0:229546]
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j ACCEPT
:FORWARD ACCEPT [0:1487351]
-A FORWARD -d 192.168.77.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.77.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 192.168.77.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.77.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.77.0/255.255.255.0 -i eth1 -p tcp -m tcp --sport 22 -j ACCEPT
-A FORWARD -s 192.168.77.0/255.255.255.0 -i eth1 -p tcp -m tcp --sport 25 -j ACCEPT
-A FORWARD -s 192.168.77.0/255.255.255.0 -i eth1 -p tcp -m tcp --sport 80 -j ACCEPT
-A FORWARD -s 192.168.77.0/255.255.255.0 -i eth1 -p tcp -m tcp --sport 110 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
:OUTPUT ACCEPT [0:619218]
-A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:65535]
-A PREROUTING -d 10.10.10.250 -i eth1 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.77.2:22
-A PREROUTING -d 10.10.10.250 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.77.2:80
-A PREROUTING -d 10.10.10.251 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.77.80:80
-A PREROUTING -d 10.10.10.252 -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.77.110:25
-A PREROUTING -d 10.10.10.252 -i eth1 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.77.110:110
:POSTROUTING ACCEPT [0:9862]
-A POSTROUTING -d 192.168.77.110 -o eth1 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.10.10.252
-A POSTROUTING -d 192.168.77.110 -o eth1 -p tcp -m tcp --dport 110 -j SNAT --to-source 10.10.10.252
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j SNAT --to-source 10.10.10.254
:OUTPUT ACCEPT [66:4152]
COMMIT
*mangle
:PREROUTING ACCEPT [13512:2397711]
:INPUT ACCEPT [8743:614224]
:FORWARD ACCEPT [4559:1760428]
:OUTPUT ACCEPT [6375:628610]
:POSTROUTING ACCEPT [10849:2382506]
COMMIT
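As an added example (not part of michael's post), here is a small Python audit that parses iptables-save output in the layout above and reports each DNAT port-forward whose -i interface is not the external one, or whose destination port has no accepting FORWARD rule. The sample ruleset inside it is constructed for the example and the choice of eth0 as the external interface is an assumption passed in by the caller.

```python
import shlex

# Constructed sample in iptables-save format, modelled on the post's layout.
SAMPLE = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.77.0/255.255.255.0 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.10.10.251 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.77.80:80
-A PREROUTING -d 10.10.10.252 -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.77.110:25
COMMIT
"""

def parse_save(text):
    """Return {(table, chain): [rule_dict, ...]} from iptables-save output.
    Each rule_dict maps option names (without dashes) to their values."""
    rules, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. "*nat"
            table = line[1:]
        elif line.startswith("-A "):        # an appended rule
            toks = shlex.split(line)
            rule = {"chain": toks[1]}
            # Collect "-x value" / "--opt value" pairs; flags without a value are skipped.
            for i in range(2, len(toks) - 1):
                if toks[i].startswith("-") and not toks[i + 1].startswith("-"):
                    rule[toks[i].lstrip("-")] = toks[i + 1]
            rules.setdefault((table, toks[1]), []).append(rule)
    return rules

def audit_dnat(text, external_iface):
    """Flag DNAT rules not bound to external_iface (assumed by the caller),
    and DNAT targets whose port has no ACCEPT rule in filter/FORWARD."""
    rules = parse_save(text)
    fwd_ports = {r.get("dport") for r in rules.get(("filter", "FORWARD"), [])
                 if r.get("j") == "ACCEPT"}
    findings = []
    for r in rules.get(("nat", "PREROUTING"), []):
        if r.get("j") != "DNAT":
            continue
        if r.get("i") != external_iface:
            findings.append(("wrong-iface", r["d"], r["dport"], r.get("i")))
        if r.get("dport") not in fwd_ports:
            findings.append(("no-forward", r["d"], r["dport"], r["to-destination"]))
    return findings
```

Run it as `audit_dnat(open("/etc/iptables.rules").read(), "eth0")` against a saved ruleset; an empty list means every DNAT rule is bound to the external interface and has a matching FORWARD accept.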
