Thursday, February 12, 2009

Forward the smtp packets to another IP on another debian box.

Dear friends,

I am now building 2 internet gateways.

I distribute the workload based on the port number. As a first step, I do it like this:
- POP3, outgoing and incoming, goes through gateway1, whose IPs are 192.168.23.9 (internal interface) and 202.155.0.179 (external interface);
- SMTP, outgoing and incoming, goes through gateway2, whose IPs are 192.168.23.2 (internal interface) and 202.155.0.180 (external interface).

The default gateway defined on the workstations is "192.168.23.9".

The POP3 and SMTP servers are provided by my webhosting (yahoo.com). They are 'pop.bizmail.yahoo.com' and 'smtp.bizmail.yahoo.com'.

But it does not work as I expect. I have tested on 192.168.23.2 by sending an email from that debby-box, and it succeeded.

Where are my mistakes?

Thank you very much in advance.

This is my script.

#!/bin/bash
###############################################################
# Adding default gateway
#/sbin/route add default gateway 202.155.0.177

###############################################################
# Initialize some parameters
INET_INTERFACE="eth0"
LAN_INTERFACE="eth1"
LOOPBACK_INTERFACE="lo"

IPT="/usr/sbin/iptables"
INET_ADDR="202.155.0.179"
DEBBY_LAN="192.168.23.2"
LAN_ADDR="192.168.23.9"
LAN_ADDRESSES="192.168.23.0/24" # LAN Addresses range
LAN_DNS="192.168.23.9" # Please specify your DNS server in LAN

POP3PORT="110"
SMTPPORT="25"
DNSPORT="53"
UNPRIVPORTS="1024:65535" # unprivileged port range

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 0 > $f
done

$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
$IPT --policy INPUT ACCEPT
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT
if [ "$1" = "stop" ]; then
    echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING."
    exit
fi

$IPT -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP

$IPT -t nat -A POSTROUTING -p tcp -d 0/0 --sport $SMTPPORT -j SNAT --to $DEBBY_LAN:$SMTPPORT

$IPT -t nat -A POSTROUTING -p tcp -o $INET_INTERFACE -j SNAT --to-source $INET_ADDR
$IPT -t nat -A POSTROUTING -p udp -o $INET_INTERFACE -j SNAT --to-source $INET_ADDR

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -i $LAN_INTERFACE -s $LAN_ADDRESSES -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INET_INTERFACE -s 0/0 -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o $LAN_INTERFACE -d $LAN_ADDRESSES -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT

$IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT

$IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INET_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p udp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $POP3PORT -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $POP3PORT -m state --state NEW -j ACCEPT
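Added example, not part of the original post: a small Python model of how gateway1's FORWARD chain and nat POSTROUTING rules from the script above treat the first packet of a new connection coming from a LAN workstation. Interface names, addresses and ports are the script's own; the workstation address 192.168.23.50 and the mail-server addresses 203.0.113.25 / 203.0.113.110 are constructed placeholders.

```python
# Constructed model (not the poster's script) of the posted gateway1 rules.
# Only the FIRST packet of a NEW connection is modelled, because that is the
# only packet the nat table ever sees; later packets are ESTABLISHED.
from dataclasses import dataclass
from typing import Optional, Tuple

LAN_IF, INET_IF = "eth1", "eth0"
LAN_NET, INET_ADDR, DEBBY_LAN = "192.168.23.", "202.155.0.179", "192.168.23.2"

@dataclass(frozen=True)
class Packet:
    proto: str
    in_if: str
    out_if: str
    src: str
    sport: int
    dst: str
    dport: int

def in_lan(ip: str) -> bool:
    return ip.startswith(LAN_NET)

# FORWARD chain: NEW connections are accepted only for DNS (tcp+udp) and
# POP3; the chain policy is DROP and no rule mentions port 25.
FORWARD_NEW = {("tcp", 53), ("udp", 53), ("tcp", 110)}

def forward_verdict(p: Packet) -> str:
    lan_out = p.in_if == LAN_IF and p.out_if == INET_IF and in_lan(p.src)
    inet_in = p.in_if == INET_IF and p.out_if == LAN_IF and in_lan(p.dst)
    if (lan_out or inet_in) and (p.proto, p.dport) in FORWARD_NEW:
        return "ACCEPT"
    return "DROP"

def postrouting_snat(p: Packet) -> Optional[str]:
    """Source rewrite chosen by the nat POSTROUTING rules, in posted order."""
    # The first rule keys on --sport 25: only a packet SENT FROM port 25
    # matches, which a workstation's outgoing SMTP connection (dport 25,
    # ephemeral sport) never is. SNAT also rewrites the source, not the
    # destination, so it cannot hand the connection to another gateway.
    if p.proto == "tcp" and p.sport == 25:
        return f"{DEBBY_LAN}:25"
    if p.out_if == INET_IF and p.proto in ("tcp", "udp"):
        return INET_ADDR
    return None

def gateway_path(p: Packet) -> Tuple[str, Optional[str]]:
    """FORWARD runs before POSTROUTING; a dropped packet is never SNATed."""
    verdict = forward_verdict(p)
    return verdict, (postrouting_snat(p) if verdict == "ACCEPT" else None)

if __name__ == "__main__":
    ws = "192.168.23.50"  # constructed workstation address
    print("smtp", gateway_path(Packet("tcp", LAN_IF, INET_IF, ws, 40000, "203.0.113.25", 25)))
    print("pop3", gateway_path(Packet("tcp", LAN_IF, INET_IF, ws, 40001, "203.0.113.110", 110)))
```

Running it shows the workstation's SMTP connection is dropped in FORWARD before any NAT rule is consulted, while POP3 is forwarded and SNATed to 202.155.0.179; the rule keyed on source port 25 would only ever match a packet leaving port 25.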


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org