
failed to redirect smtp traffic on gateway to mail server on lan

 
Maaz
Valued Contributor

The MX record of our mail server points to the gateway machine, so all the emails from the Internet hit our gateway machine.
On the gateway, we configure DNAT to redirect the TCP port 25 traffic coming from the Internet to the mail server on our LAN (192.168.0.5).
The iptables script we are using on our gateway machine is attached.

Problem is that after applying the rules (rules attached), mails are not redirected by the gateway machine to 192.168.0.5 (the actual mail server).

From the Internet, I failed to connect on port 25 (via telnet) on the gateway machine.

Please help
7 REPLIES
Matti_Kurkela
Honored Contributor

Re: failed to redirect smtp traffic on gateway to mail server on lan

1.) Does the incoming email traffic from the Internet reach your gateway machine?

Your rule script's "$IPTABLES -A FORWARD -j LOG" is the last of the forwarding rules, so only the packets that will not match the previous forwarding rules are logged.

For testing, move the logging rule to the first position in the FORWARD chain, and add a similar rule to the first position of the INPUT chain. This will allow you to see all the incoming and forwarded traffic. Or if this causes too many log messages, make some email-specific logging rules, like this:

$IPTABLES -A INPUT -p tcp --dport 25 -j LOG
$IPTABLES -A FORWARD -p tcp --dport 25 -j LOG

Place these rules in the beginning of their respective chains to see all the email traffic in the logs.

(Tcpdump won't help much here: it sees only what manages to get through the INPUT chain, and the DNAT rule will send all the email packets to the FORWARD chain instead of the INPUT chain.)

2.) Is the actual mail server (192.168.0.5) set up to accept incoming traffic from anywhere?

When the traffic is forwarded by the gateway server, only the destination address is changed. From the viewpoint of the mail server, the incoming traffic is originating from the Internet, not from the gateway server. If you've used libwrap, tcpwrapper or any application-level rules to limit the mail server to accept connections from your network only, you must remove those limitations.

MK
Alexander Chuzhoy
Honored Contributor

Re: failed to redirect smtp traffic on gateway to mail server on lan

Salam Maaz,
For the redirection, add another rule:
$IPTABLES -t nat -I POSTROUTING -j MASQUERADE

and run the following command:
`echo 1 > /proc/sys/net/ipv4/ip_forward`
Maaz
Valued Contributor

Re: failed to redirect smtp traffic on gateway to mail server on lan

Hi Alexander Chuzhoy,

>for the redirection add another rule:
$IPTABLES -t nat -I POSTROUTING -j MASQUERADE

I already have this rule at the end of my script.

>and run the following command:
`echo 1 > /proc/sys/net/ipv4/ip_forward`
Forwarding is also included in the script; you may find it at the top of the script.
Maaz
Valued Contributor

Re: failed to redirect smtp traffic on gateway to mail server on lan

Thanks Matti Kurkela for help

I have inserted the following rules on top of all other rules

$IPTABLES -A INPUT -p tcp --dport 25 -j LOG
$IPTABLES -A FORWARD -p tcp --dport 25 -j LOG

then tried to telnet from the Internet on port 25; it failed as usual.

When I telnet from the Internet, I get the following messages in /var/log/messages

Apr 1 11:33:28 KS200 kernel: IN=eth0 OUT=eth1 src=a.b.c.d DST=192.168.0.5 LEN=60 TOS=0x10 PREC=0x00 TTL=54 ID=42301 DF PROTO=TCP SPT=54165 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 1 11:33:40 KS200 kernel: IN=eth0 OUT=eth1 src=a.b.c.d DST=192.168.0.5 LEN=60 TOS=0x10 PREC=0x00 TTL=54 ID=42302 DF PROTO=TCP SPT=54165 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

(I have replaced the telnet-client/smtp-client ip with a.b.c.d)

> Is the actual mail server (192.168.0.5) set up to accept incoming....
Yes, I have connected the actual mail server directly to the Internet, and it was successful; everything went smooth.

> ...If you've used libwrap, tcpwrapper or any application-level rules..
No application-level rules are applied.

I executed telnet on port 25 on the gateway machine from the Internet, and ran the following two commands on the gateway machine:
# tcpdump -i eth0 |grep a.b.c.d
# tcpdump -i eth1 |grep a.b.c.d
where a.b.c.d is the IP of the telnet client/SMTP client on the Internet.
I got the following output:

for eth0 (Internet or $EXTIF):

14:27:51.285505 a.b.c.d.57583 > static-hostW-X-Y-Z.link.net.pk.smtp: S 3688692994:3688692994 win 65535 (DF)

for eth1 (LAN or $INTIF):

14:33:05.637345 a.b.c.d.57615 > 192.168.0.5.smtp: S 1370253693:1370253693 win 65535 (DF)

14:33:05.637493 192.168.0.5.smtp > a.b.c.d.57615: S 1472469121:1472469121 ack 1370253694 win 16384

14:33:07.976528 192.168.0.5.smtp > a.b.c.d.57615: S 1472469121:1472469121 ack 1370253694 win 16384

where 192.168.0.5 is the IP of the actual email server, and a.b.c.d is the client on the Internet.

On the Internet client, after telnet on port 25, I ran netstat -ant|grep 25

tcp 0 1 a.b.c.d:43259 W.X.Y.Z:25 SYN_SENT

Regards
Matti_Kurkela
Honored Contributor

Re: failed to redirect smtp traffic on gateway to mail server on lan

As you can see from the iptables logging lines, the gateway machine is redirecting the incoming connection just fine.

The output of your tcpdump from eth1 has three lines:
- on the first line, the client a.b.c.d sends a SYN packet to begin opening a new connection
- on the second, 192.168.0.5 is sending a SYN/ACK to a.b.c.d. The next step in the TCP three-way handshake would be an ACK packet from a.b.c.d to 192.168.0.5, but
- on the third line, 192.168.0.5 is sending the SYN/ACK again, because it has waited a while and got no response so far.

The netstat output of a.b.c.d confirms this: the connection is in state SYN_SENT, because SYN/ACK has not been received yet. So something is stopping the SYN/ACK packet on the way from 192.168.0.5 to a.b.c.d.

The added iptables logging rules (at the beginning of the ruleset) are catching the incoming messages nicely, but responses to them are not caught. You might add still one more line at the beginning of the FORWARD chain:
$IPTABLES -A FORWARD -p tcp -i $INTIF --sport 25 -j LOG

This should catch all the responses from the mail server and show what the gateway machine is doing with them.

When diagnosing iptables configuration, I generally prefer iptables LOG output over tcpdumps: as tcpdump is "just" a userspace program, the kernel-level iptables can do things without tcpdump noticing it.

MK
Maaz
Valued Contributor

Re: failed to redirect smtp traffic on gateway to mail server on lan

Thanks once again, Matti Kurkela, for your continuous help

Now the script contains the following three LOG rules on top of all other rules.

$IPTABLES -A INPUT -p tcp --dport 25 -j LOG
$IPTABLES -A FORWARD -p tcp --dport 25 -j LOG
$IPTABLES -A FORWARD -p tcp -i $INTIF --sport 25 -j LOG

Once again from the Internet telnet client/SMTP client (a.b.c.d), I telnet to the gateway machine, and it failed as usual. But for your kind consideration I am sending the iptables logs

Apr 4 10:56:46 KS200 kernel: IN=eth0 OUT=eth1 src=124.29.192.176 DST=192.168.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=54070 DF PROTO=TCP SPT=51286 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 4 10:56:46 KS200 kernel: IN=eth1 OUT=eth0 src=192.168.0.5 DST=124.29.192.176 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31494 PROTO=TCP SPT=25 DPT=51286 WINDOW=16384 RES=0x00 ACK SYN URGP=0

Apr 4 10:56:49 KS200 kernel: IN=eth1 OUT=eth0 src=192.168.0.5 DST=124.29.192.176 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31497 PROTO=TCP SPT=25 DPT=51286 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Apr 4 10:56:49 KS200 kernel: IN=eth0 OUT=eth1 src=124.29.192.176 DST=192.168.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=54222 DF PROTO=TCP SPT=51286 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 4 10:56:55 KS200 kernel: IN=eth1 OUT=eth0 src=192.168.0.5 DST=124.29.192.176 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=31502 PROTO=TCP SPT=25 DPT=51286 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Apr 4 10:56:55 KS200 kernel: IN=eth0 OUT=eth1 src=124.29.192.176 DST=192.168.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=54556 DF PROTO=TCP SPT=51286 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0


and again on the Internet client, after telnet on port 25, I ran netstat -ant|grep 25

tcp 0 1 a.b.c.d:43259 W.X.Y.Z:25 SYN_SENT

Thanks and Regards
Maaz
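As an added illustration (not code from the thread), here is a small Python script that does mechanically what Matti does by eye: it parses kernel LOG lines in the format quoted in this post, groups them per client flow, and flags flows whose SYN/ACK keeps being retransmitted without an ACK from the client. The sample log is constructed from the lines quoted above plus one healthy flow; the second client address and the hostname are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the gateway's kernel LOG lines quoted in the
# thread (addresses as quoted there). Flow A is the thread's stuck handshake; flow B is a constructed healthy one.
SAMPLE_LOG = """\
Apr 4 10:56:46 KS200 kernel: IN=eth0 OUT=eth1 SRC=124.29.192.176 DST=192.168.0.5 LEN=48 TTL=117 ID=54070 DF PROTO=TCP SPT=51286 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 4 10:56:46 KS200 kernel: IN=eth1 OUT=eth0 SRC=192.168.0.5 DST=124.29.192.176 LEN=48 TTL=127 ID=31494 PROTO=TCP SPT=25 DPT=51286 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Apr 4 10:56:49 KS200 kernel: IN=eth1 OUT=eth0 SRC=192.168.0.5 DST=124.29.192.176 LEN=48 TTL=127 ID=31497 PROTO=TCP SPT=25 DPT=51286 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Apr 4 10:56:49 KS200 kernel: IN=eth0 OUT=eth1 SRC=124.29.192.176 DST=192.168.0.5 LEN=48 TTL=117 ID=54222 DF PROTO=TCP SPT=51286 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 4 10:57:01 KS200 kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.0.5 LEN=48 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 4 10:57:01 KS200 kernel: IN=eth1 OUT=eth0 SRC=192.168.0.5 DST=198.51.100.7 LEN=48 TTL=127 ID=2 PROTO=TCP SPT=25 DPT=40000 WINDOW=16384 RES=0x00 ACK SYN URGP=0
Apr 4 10:57:01 KS200 kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.0.5 LEN=40 TTL=50 ID=3 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=65535 RES=0x00 ACK URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Za-z]+)=(\S*)")   # key=value pairs (the thread's lowercase "src=" is accepted too)
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST)\b")   # bare TCP flag words in the LOG line

def parse_line(line):
    """Split one LOG line into a dict of upper-cased fields and the set of TCP flags."""
    fields = {k.upper(): v for k, v in FIELD_RE.findall(line)}
    return fields, set(FLAG_RE.findall(line))

def handshake_report(log_text):
    """Count SYN, SYN/ACK and ACK per (client, cport, server, sport) flow and classify it."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in log_text.splitlines():
        f, flags = parse_line(line)
        if f.get("PROTO") != "TCP" or not flags & {"SYN", "ACK"}:
            continue
        if "SYN" in flags and "ACK" not in flags:      # client -> server, opens a flow
            flows[(f["SRC"], f["SPT"], f["DST"], f["DPT"])]["syn"] += 1
        elif "SYN" in flags:                           # server -> client SYN/ACK, key reversed
            flows[(f["DST"], f["DPT"], f["SRC"], f["SPT"])]["synack"] += 1
        else:                                          # plain ACK: count only the client's third step
            key = (f["SRC"], f["SPT"], f["DST"], f["DPT"])
            if key in flows:
                flows[key]["ack"] += 1
    for st in flows.values():
        if st["ack"]:
            st["state"] = "ESTABLISHED"
        elif st["synack"] > 1:   # server keeps re-sending SYN/ACK: its reply never reached the client
            st["state"] = "SYN/ACK retransmitted, reply path to client blocked"
        else:
            st["state"] = "SYN/ACK sent once, no ACK seen" if st["synack"] else "SYN unanswered by server"
    return dict(flows)

def stuck_flows(log_text):
    """Flows whose SYN/ACK was retransmitted, i.e. the gateway is losing the replies."""
    return [k for k, st in handshake_report(log_text).items() if st["state"].startswith("SYN/ACK retransmitted")]
```

A flagged flow whose SYN/ACK does show up in the FORWARD log means a rule later in that chain is dropping the reply; in this thread that turned out to be the `--dport 10000:65535 -j DROP` rule from the final reply, which matches the server's SYN/ACK to the client's ephemeral port.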
Maaz
Valued Contributor

Re: failed to redirect smtp traffic on gateway to mail server on lan

Thanks Matti Kurkela for help

We are also running some other network-related scripts, and one of them contains the following rules

$IPTABLES -A INPUT -i $INTIF -p tcp --dport 10000:65535 -j DROP
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 10000:65535 -j DROP

The above rules are the actual problem.

Nice help
Regards