Basically I am trying to forward ports 25, 80, and 110 on my firewall's ext nic to my Exchange2k server. Example... Firewall Ext NIC (209.98.52.145) -> Exchange Server (192.168.110.215). I don't see anything denied in the packetfilter log.
I hope this doesn't get munged too bad.
Thanks... -Paul
==Here is my config==
Current packet filter rules
Chain INPUT (policy DROP)
target prot opt source destination
LOCAL all -- 0.0.0.0/0 0.0.0.0/0
PSD_MATCHER all -- 0.0.0.0/0 0.0.0.0/0
FIX_CONNTRACK all -- 0.0.0.0/0 0.0.0.0/0
AUTO_INPUT all -- 0.0.0.0/0 0.0.0.0/0
TTT_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
LOGDROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
LOCAL all -- 0.0.0.0/0 0.0.0.0/0
PSD_MATCHER all -- 0.0.0.0/0 0.0.0.0/0
FIX_CONNTRACK all -- 0.0.0.0/0 0.0.0.0/0
AUTO_FORWARD all -- 0.0.0.0/0 0.0.0.0/0
USR_FORWARD all -- 0.0.0.0/0 0.0.0.0/0
LOGDROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP)
target prot opt source destination
LOCAL all -- 0.0.0.0/0 0.0.0.0/0
FIX_CONNTRACK all -- 0.0.0.0/0 0.0.0.0/0
AUTO_OUTPUT all -- 0.0.0.0/0 0.0.0.0/0
TTT_ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
LOGDROP all -- 0.0.0.0/0 0.0.0.0/0
Chain AUTO_FORWARD (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain AUTO_INPUT (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
LOGDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443
LOGDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443
LOGDROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain AUTO_OUTPUT (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FIX_CONNTRACK (3 references)
target prot opt source destination
LOGDROP udp -- 192.168.110.237 192.168.110.255 udp spt:137 dpt:137
LOGDROP udp -- 192.168.110.255 192.168.110.237 udp spt:137 dpt:137
LOGDROP udp -- 192.168.110.245 192.168.110.255 udp spt:138 dpt:138
LOGDROP udp -- 192.168.110.255 192.168.110.245 udp spt:138 dpt:138
Chain LOCAL (3 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain LOGDROP (10 references)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0
LOG udp -- 0.0.0.0/0 0.0.0.0/0
LOG esp -- 0.0.0.0/0 0.0.0.0/0
LOG ah -- 0.0.0.0/0 0.0.0.0/0
LOG icmp -- 0.0.0.0/0 0.0.0.0/0
LOG all -f 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain PSD_ACTION (0 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5
Chain PSD_MATCHER (2 references)
target prot opt source destination
Chain TTT_ACCEPT (2 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:8080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1:65535 dpt:222
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpts:33000:34000
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11 code 0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:113
Chain USR_FORWARD (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 192.168.110.215 tcp spts:1024:65535 dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.110.215 tcp spts:1024:65535 dpt:110
ACCEPT all -- 10.0.0.0/8 0.0.0.0/0
ACCEPT all -- 172.16.0.0/12 0.0.0.0/0
ACCEPT all -- 192.168.0.0/16 0.0.0.0/0
Current NAT rules
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
SPOOF_DROP all -- 0.0.0.0/0 0.0.0.0/0
AUTO_NAT_PRE all -- 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
AUTO_NAT_POST all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
AUTO_NAT_OUT all -- 0.0.0.0/0 0.0.0.0/0
Chain AUTO_NAT_OUT (1 references)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 209.98.52.145 tcp spts:1024:65535 dpt:25 to:192.168.110.215:25
DNAT tcp -- 0.0.0.0/0 209.98.52.145 tcp spts:1024:65535 dpt:80 to:192.168.110.215:80
DNAT tcp -- 0.0.0.0/0 209.98.52.145 tcp spts:1024:65535 dpt:110 to:192.168.110.215:110
Chain AUTO_NAT_POST (1 references)
target prot opt source destination
MASQUERADE all -- 10.0.0.0/24 0.0.0.0/0
MASQUERADE all -- 192.168.110.215 0.0.0.0/0
MASQUERADE all -- 192.168.110.0/24 0.0.0.0/0
Chain AUTO_NAT_PRE (1 references)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 209.98.52.145 tcp spts:1024:65535 dpt:25 to:192.168.110.215:25
DNAT tcp -- 0.0.0.0/0 209.98.52.145 tcp spts:1024:65535 dpt:80 to:192.168.110.215:80
DNAT tcp -- 0.0.0.0/0 209.98.52.145 tcp spts:1024:65535 dpt:110 to:192.168.110.215:110
Chain LOGDROP (0 references)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0
LOG udp -- 0.0.0.0/0 0.0.0.0/0
LOG esp -- 0.0.0.0/0 0.0.0.0/0
LOG ah -- 0.0.0.0/0 0.0.0.0/0
LOG icmp -- 0.0.0.0/0 0.0.0.0/0
LOG all -f 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain SPOOF_DROP (1 references)
target prot opt source destination
LOG all -- 192.168.110.254 0.0.0.0/0
DROP all -- 192.168.110.254 0.0.0.0/0
LOG all -- 209.98.52.144/28 0.0.0.0/0
DROP all -- 209.98.52.144/28 0.0.0.0/0
LOG all -- 10.0.0.0/24 0.0.0.0/0
DROP all -- 10.0.0.0/24 0.0.0.0/0
LOG all -- 209.98.52.145 0.0.0.0/0
DROP all -- 209.98.52.145 0.0.0.0/0
LOG all -- 192.168.110.0/24 0.0.0.0/0
DROP all -- 192.168.110.0/24 0.0.0.0/0
LOG all -- 10.0.0.0/24 0.0.0.0/0
DROP all -- 10.0.0.0/24 0.0.0.0/0
LOG all -- 10.0.0.1 0.0.0.0/0
DROP all -- 10.0.0.1 0.0.0.0/0
LOG all -- 192.168.110.0/24 0.0.0.0/0
DROP all -- 192.168.110.0/24 0.0.0.0/0
LOG all -- 209.98.52.144/28 0.0.0.0/0
DROP all -- 209.98.52.144/28 0.0.0.0/0
================================
Internal NIC
192.168.110.254/24
External NIC
209.98.52.145/28
Dmz NIC
10.0.0.1/24
================================
Routing Table
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
209.98.52.144 0.0.0.0 255.255.255.240 U 0 0 0 eth1
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.110.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 209.98.52.158 0.0.0.0 UG 0 0 0 eth1
================================
Definitions: Add network
Name IP address Subnet mask
Dmz Network 10.0.0.0 10.0.0.0 255.255.255.0
Exchange MailServer 192.168.110.215 255.255.255.255
Firewall-Dmz 10.0.0.1 255.255.255.255
Firewall-Ext-145 209.98.52.145 255.255.255.255
Firewall-Int 192.168.110.254 255.255.255.255
Internal Network 192.168.110.0 192.168.110.0 255.255.255.0
Any 0.0.0.0 0.0.0.0
localhost 127.0.0.1 255.255.255.255
Private Network 10.0.0.0 10.0.0.0 255.0.0.0
Private Network 172.16.0.0 172.16.0.0 255.240.0.0
Private Network 192.168.0.0 192.168.0.0 255.255.0.0
================================
Enter new DNAT definition:
Pre DNAT destination Post DNAT destination Network: Service: Network:
Firewall-Ext-145 SMTP Exchange MailServer SMTP
Firewall-Ext-145 HTTP Exchange MailServer HTTP
Firewall-Ext-145 POP3 Exchange MailServer POP3
====================================
Masquerading
Dmz Network 10.0.0.0 --> External NIC
Internal Network 192.168.110.0 --> External NIC
====================================
Packet Filter Rules
Nr From (Client) Service To (Server) Action Command
1 Any SMTP Exchange MailServer Allow
2 Any HTTP Any Allow
3 Any POP3 Exchange MailServer Allow
4 { Private Networks - RFC1918 } Any Any Allow
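A small checker, added here and not part of the original post, that cross-references the DNAT rules above against the FORWARD-chain ACCEPT rules the way one would when debugging a port forward by hand: the filter table sees the translated destination, so each DNAT target needs a matching ACCEPT on the internal address and port. The sample input is copied from the post's `iptables -L -n` output; the checker ignores the `spts:1024:65535` source-port restriction and only reports destination/port coverage.

```python
import ipaddress

# Constructed sample input in `iptables -L -n` layout, taken from the post: the
# DNAT rules of nat/AUTO_NAT_PRE and the ACCEPT rules of filter/USR_FORWARD.
NAT_PRE = """\
DNAT tcp -- 0.0.0.0/0 209.98.52.145 tcp spts:1024:65535 dpt:25 to:192.168.110.215:25
DNAT tcp -- 0.0.0.0/0 209.98.52.145 tcp spts:1024:65535 dpt:80 to:192.168.110.215:80
DNAT tcp -- 0.0.0.0/0 209.98.52.145 tcp spts:1024:65535 dpt:110 to:192.168.110.215:110
"""
USR_FORWARD = """\
ACCEPT tcp -- 0.0.0.0/0 192.168.110.215 tcp spts:1024:65535 dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:80
ACCEPT tcp -- 0.0.0.0/0 192.168.110.215 tcp spts:1024:65535 dpt:110
"""

def _dports(fields):
    """Destination-port match as (lo, hi); None when the rule matches any port."""
    for x in fields:
        if x.startswith(("dpt:", "dpts:")):
            lo, _, hi = x.split(":", 1)[1].partition(":")
            return (int(lo), int(hi or lo))
    return None

def parse_dnat(text):
    """Yield (proto, external dport, translated ip, translated port) per DNAT rule."""
    for f in (line.split() for line in text.splitlines()):
        if f and f[0] == "DNAT":
            dport = _dports(f)[0]
            ip, _, port = next(x[3:] for x in f if x.startswith("to:")).rpartition(":")
            if not ip:  # "to:a.b.c.d" without a port keeps the original port
                ip, port = port, dport
            yield f[1], dport, ip, int(port)

def check_dnat_coverage(nat_text, fwd_text):
    """Classify each DNAT as 'exact' (host-specific ACCEPT), 'broad' (only a
    wider destination admits it) or 'missing'. filter/FORWARD runs after
    nat/PREROUTING, so it must admit the translated destination."""
    accepts = [(f[1], ipaddress.ip_network(f[4], strict=False), _dports(f))
               for f in (line.split() for line in fwd_text.splitlines())
               if f and f[0] == "ACCEPT"]
    report = {}
    for proto, dport, ip, port in parse_dnat(nat_text):
        hits = [net for a_proto, net, ports in accepts
                if a_proto in ("all", proto) and ipaddress.ip_address(ip) in net
                and (ports is None or ports[0] <= port <= ports[1])]
        report[(proto, dport)] = ("missing" if not hits else
                                  "exact" if any(n.prefixlen == 32 for n in hits) else "broad")
    return report
```

Run against the post's rules, the HTTP forward is reported as `broad` because its ACCEPT is to 0.0.0.0/0 rather than to the Exchange host, while SMTP and POP3 are `exact`.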