On the advice of a friend (*cough* you know who you are) and the idea that I like to try new things (and was insanely bored), I decided to try this.
Previously I had my network router (Debian 2.2 w/ stock kernel, ipchains masqing for several computers) and I also ran www, smtp, pop3, dns, mysql, ftp and ssh on the router.
On their advice, I decided to move the services of smtp and pop3 behind my firewall using "ipmasqadm portfw".
However, now smtp and pop3 are unreachable if you try going to them via their internet address (Yes, the services are running on the internal machine, which is IP 192.168.0.2).
Here is my firewall file (at least the rules parts, I skipped the modprobe stuff for the different modules):
# Begin
ipchains -F                                   # flush ipchains
ipmasqadm portfw -f                           # flush ipmasqadm portfwing
# Set policies
ipchains -P input DENY
ipchains -P output ACCEPT
ipchains -P forward ACCEPT
ipchains -A input -p all -i lo -j ACCEPT      # Accept all connections from localhost
ipchains -A input -p all -i eth1 -j ACCEPT    # Accept all connections from internal NIC
# Forward all connections going to 25/110 on external interface of router to internal IP of 192.168.0.2
ipmasqadm portfw -a -P tcp -L 24.186.86.160 25 -R 192.168.0.2 25
ipmasqadm portfw -a -P tcp -L 24.186.86.160 110 -R 192.168.0.2 110
ipchains -A input -p all -i eth0 -s 10.0.0.0/8 -j DENY        # Refuse connections from priv ips
ipchains -A input -p all -i eth0 -s 172.16.0.0/12 -j DENY     # Refuse connections from priv ips
ipchains -A input -p all -i eth0 -s 192.168.0.0/16 -j DENY    # Refuse connections from priv ips
ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT               # Allow return packets
# Allow specific ICMP stuff
ipchains -A input -i eth0 -p icmp --dport 0 -j ACCEPT
ipchains -A input -i eth0 -p icmp --dport 3 -j ACCEPT
ipchains -A input -i eth0 -p icmp --dport 11 -j ACCEPT
# Rules:
ipchains -A input -p udp -j ACCEPT -s 167.206.112.3 53        # Allow DNS from ISP's #1 DNS server
ipchains -A input -p udp -j ACCEPT -s 167.206.112.4 53        # Allow DNS from ISP's #2 DNS server
ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 80 -j ACCEPT           # Allow connections to web server
ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 21 -j ACCEPT           # Allow connections to ftp
ipchains -A input -p tcp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 3336 -j REJECT # REJECT connections to MySQL from outside
ipchains -A input -j DENY -l                                  # DENY everything else
ipchains -A forward -i eth0 -s 192.168.0.0/24 -j MASQ         # Masquerade
#EOF
I did "#ipmasqadm portfw -l -n" and got this:

prot localaddr     rediraddr   lport rport pcnt pref
TCP  24.186.86.160 192.168.0.2 110   110   3    10
TCP  24.186.86.160 192.168.0.2 25    25    10   10

And nmap -sT shows this:

Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
Host ool-18ba56a0.dyn.optonline.net (24.186.86.160) appears to be up ... good.
Initiating TCP connect() scan against ool-18ba56a0.dyn.optonline.net (24.186.86.160)
Adding TCP port 21 (state Open).
Adding TCP port 80 (state Open).
The TCP connect scan took 66 seconds to scan 1511 ports.
Interesting ports on ool-18ba56a0.dyn.optonline.net (24.186.86.160):
(Not showing ports in state: filtered)
Port    State   Protocol  Service
21      open    tcp       ftp
80      open    tcp       http

Is there a way to force it to show filtered?
Now I just checked, the router can reach the server (telnet 192.168.0.2 110).
The error I am getting from MS Outlook Express is:

"The connection to the server has failed. Account: 'mail.kathweb.net', Server: 'www.kathweb.net', Protocol: POP3, Port: 110, Secure(SSL): No, Socket Error: 10060, Error Number: 0x800CCC0E"
I also tried telnetting to www.kathweb.net on port 110 from internal (on my private network) and external (on some machines I administer remotely) and neither worked.
You guys/gals have any ideas?
James
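Added example (not part of James's post): a small first-match simulator of the input chain quoted above, with the ICMP rules left out because they cannot match TCP. It assumes the 2.2-kernel behaviour that a packet for a portfw'd port is checked by the input chain on eth0 (destination still the router's address) before ipmasqadm rewrites it, so verdict() shows which rule a fresh SYN to 25 or 110 from the Internet actually hits, compared with 21 and 80.

```python
import ipaddress

# The post's "input" chain in order, minus the ICMP rules; chain policy is DENY.
INPUT_CHAIN = [
    "ipchains -A input -p all -i lo -j ACCEPT",
    "ipchains -A input -p all -i eth1 -j ACCEPT",
    "ipchains -A input -p all -i eth0 -s 10.0.0.0/8 -j DENY",
    "ipchains -A input -p all -i eth0 -s 172.16.0.0/12 -j DENY",
    "ipchains -A input -p all -i eth0 -s 192.168.0.0/16 -j DENY",
    "ipchains -A input -i eth0 -p tcp ! -y -j ACCEPT",
    "ipchains -A input -p udp -j ACCEPT -s 167.206.112.3 53",
    "ipchains -A input -p udp -j ACCEPT -s 167.206.112.4 53",
    "ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 80 -j ACCEPT",
    "ipchains -A input -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 21 -j ACCEPT",
    "ipchains -A input -p tcp -i eth0 -s 0.0.0.0/0 -d 0.0.0.0/0 3336 -j REJECT",
    "ipchains -A input -j DENY -l",
]

def parse(rule):
    # Reduce one rule to the match fields this simulator understands.
    r = dict.fromkeys(("proto", "iface", "src", "sport", "dport", "syn", "target"))
    t = rule.split()[3:] + [""]             # drop "ipchains -A input"; pad the end
    i = 0
    while i < len(t) - 1:
        tok, arg = t[i], t[i + 1]
        if tok == "-p":
            r["proto"] = None if arg == "all" else arg
        elif tok == "-i":
            r["iface"] = arg
        elif tok == "-j":
            r["target"] = arg
        elif tok == "-s":
            r["src"] = ipaddress.ip_network(arg)
        elif tok == "!" and arg == "-y":    # "! -y": only non-SYN packets (replies)
            r["syn"] = False
        if tok in ("-s", "-d") and t[i + 2].isdigit():   # optional port after address
            r["sport" if tok == "-s" else "dport"] = int(t[i + 2])
            i += 1
        i += 1 if tok == "-l" else 2        # "-l" (log) takes no argument
    return r

def verdict(chain, proto, iface, src, dport, syn=True, sport=None):
    # First matching rule wins; fall through to the chain's DENY policy.
    ip = ipaddress.ip_address(src)
    for rule in chain:
        r = parse(rule)
        if all([r["proto"] in (None, proto), r["iface"] in (None, iface),
                r["src"] is None or ip in r["src"], r["dport"] in (None, dport),
                r["sport"] in (None, sport), r["syn"] in (None, syn)]):
            return r["target"], rule
    return "DENY", "input policy"
```

Calling verdict(INPUT_CHAIN, "tcp", "eth0", "203.0.113.9", 110) (203.0.113.9 is a constructed public address) returns the final "-j DENY -l" rule, the same rule that 21 and 80 never reach; because that rule carries -l, every such dropped SYN should also be visible in the router's kernel log, which is a quick way to confirm the diagnosis on the real box.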