nixCraft

B!n@ry · #1 (**permalink**) 12-12-2006, 03:43 PM

Hello,

This is my first post here, thanx to all of the stff of it.
I have read the following article:
http://www.cyberciti.biz/tips/linux-...uid-howto.html

which is about making a transperent proxy using squid. Everything is fine and http is running wonderful, but the problem is how can I make clients who are connected to this server to send and recieve mail ? They are unable to do so now, I have tried alot of iptables rules still didn't get to the answer.

Is there anyone who can help me ?

Best Regards,
ReMSiS

rockdalinux · #2 (**permalink**) 12-12-2006, 04:06 PM

Assuming that eth0 (interface 0) connected to Internet and has 192.168.1.254 IP address.

Assuming that eth1 (interface 1) connected to LAN has 192.168.1.1 IP

*** Following two ruleset for outgoing SMTP requests ***
Iptables rules for eth0 SMTP outgoing client request to Internet

Code:

iptables -A OUTPUT -p tcp -s 192.168.1.254 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -jACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 25 -d 192.168.1.254 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

eth1 SMTP forwarded outgoing client request from LAN using POSTROUTING table

Code:

iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 0/0 --dport 25 -j SNAT --to 192.168.1.254
iptables -A OUTPUT -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 25 -d 192.168.1.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

*** Following two ruleset for incoming SMTP requests ***

eth0 SMTP incoming client request form Internet

Code:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 192.168.1.254 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.254 --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

eth1 SMTP incoming client request from LAN

Code:

iptables -A INPUT -p tcp -s 192.168.1.0/24 --sport 1024:65535 -d 192.168.1.1 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.1 --sport 25 -d 192.168.1.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Adjust IP and subnet and as per your setup.

Hope this helps!

B!n@ry · #3 (**permalink**) 12-12-2006, 04:35 PM

Thanx rockdalinux for your support. I use eth0 for local with 192.168.0.1 for it and use 192.168.1.2 for eth1

How can I block the chatting ports like yahoo, msn messengers? and open pop3 110 ?

rockdalinux · #4 (**permalink**) 12-12-2006, 08:46 PM

POP3 from Lan

Code:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 192.168.1.2 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.2 --sport 110 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

and pop3 from Internet

Code:

iptables -A INPUT -p tcp -s 192.168.0.1/24 --sport 1024:65535 -d 192.168.1.2 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.2 --sport 110 -d 192.168.0.1/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.1/24 --sport 1024:65535 -d 192.168.0.1 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.1 --sport 110 -d 192.168.0.1/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Make sure IP and subnet adjusted according to your setup.

To block Yahoo, MSN use port number with iptables

B!n@ry · #5 (**permalink**) 12-13-2006, 12:29 PM

Ok lets finalize the case my script shall be like this:

Code:

SQUID_SERVER="192.168.0.1"
INTERNET="eth1"
LAN_IN="eth0"
SQUID_PORT="3120"
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT


iptables -A OUTPUT -p tcp -s 192.168.1.1 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -jACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 25 -d 192.168.1.1 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

iptables -t nat -A POSTROUTING -o eth1 -p tcp -s 192.168.0.0/24 --sport 1024:65535 -d 0/0 --dport 25 -j SNAT --to 192.168.1.1
iptables -A OUTPUT -p tcp -s 192.168.0.0/24 --sport 1024:65535 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 25 -d 192.168.0.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT


iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 192.168.1.1 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.1 --sport 25 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.0/24 --sport 1024:65535 -d 192.168.0.1 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.1 --sport 25 -d 192.168.0.0/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 192.168.1.2 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.2 --sport 110 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT


iptables -A INPUT -p tcp -s 192.168.0.1/24 --sport 1024:65535 -d 192.168.1.2 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.2 --sport 110 -d 192.168.0.1/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.1/24 --sport 1024:65535 -d 192.168.0.1 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.1 --sport 110 -d 192.168.0.1/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT 

iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

am I right or wrong ?

B!n@ry · #6 (**permalink**) 12-13-2006, 12:40 PM

By the way the topology used is:
eth1 = 192.168.1.2 connected to internet by GW
GW for eth1 = 192.168.1.1
eth0 = 192.168.0.1 connected to internet by proxy server
Proxy = 192.168.0.1

B!n@ry · #7 (**permalink**) 12-13-2006, 01:34 PM

By the way yesterday it worked fine using the original script

Quote:

#!/bin/bash
# squid server IP
SQUID_SERVER=“192.168.0.1″
# Interface connected to Internet
INTERNET=“eth1″
# Interface connected to LAN
LAN_IN=“eth0″
# Squid port
SQUID_PORT=“3128″
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

Today it stopped working. Now only the http is working mail and others are not !!!

Any suggestions ?

B!n@ry · #8 (**permalink**) 12-13-2006, 03:11 PM

The message I am getting when I try to send and retreive mail is:
Host lookup failed: mail.domain.com: Temporary failure in name resolution

B!n@ry · #9 (**permalink**) 12-13-2006, 03:41 PM

Ok I think I found the problem, when I was connecting from my PC on the LAN I didn't give the interface on it a DNS server IP. When I gave it a DNS Server IP which is a public IP everything went well which means that routing is working fine on my Squid Server.

The question now is:
Is it right to give a DNS server IP ? or the Proxy Server must do the resolution stuff by contacting the GW ?

monk · #10 (**permalink**) 12-13-2006, 07:00 PM

You need to provide DNS server IP; it is legal to use DNS server. You have two choices. One is setup caching DNS server on proxy and use the same.
Second is use ISP DNS server.

Both are fine. You can also use DHCP to distribute this info to windows/linux desktop system.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
How to open a port	fed111	Web servers	1	03-09-2008 12:26 AM
Plz help me to choose a Free Open source MAIL SERVER	kantijena	Mail Servers	1	02-29-2008 08:01 PM
How to drop all ports except mentioned in script	deltamails	Networking, Firewalls and Security	2	05-15-2007 01:54 PM
Linux : How do I verify which ports are listening?	sweta	Getting started tutorials	0	07-30-2006 11:02 PM
Blocking ports in linux	raj	Linux software	1	07-10-2006 08:31 PM

nixCraft

Open Mail Ports

Open Mail Ports

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Similar Threads