Hi,
I'm using RH7.3 with iptables as my firewall...my DMZ is working great. My email server works fine in my LAN (was able to send out), but smtp does not work when it's in the DMZ. My firewall is somehow blocking my smtp port...I'm able to receive email without any problem. I thought I opened port (TCP) 25 in my DMZ...so why doesn't it work?
I thought this part of my script should open all ports from my DMZ
$intif is my Internet
$dmz is my DMZ Nic
$iptables -A FORWARD -i $dmz -o $intif -m state --state NEW -j ACCEPT
$iptables -A FORWARD -i $dmz -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Here's my entire script
``````````````````````````````````````````````````````
#!/bin/sh
# Firewall script by Master B
iptables=/sbin/iptables
intif="eth0"
lan="eth2"
dmz="eth1"
dmz_ip="10.0.0.0/8"
$iptables -F
/sbin/depmod -a
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
$iptables -t nat -F
$iptables -t nat -A POSTROUTING -o $intif -j MASQUERADE
#
# IP Spoofing
#
$iptables -t nat -A PREROUTING -i $intif -s 192.168.0.0/24 -j DROP
$iptables -t nat -A PREROUTING -i $intif -s 10.0.0.0/8 -j DROP
$iptables -t nat -A PREROUTING -i $intif -s 172.16.0.0/16 -j DROP
#
# DMZ zone
#
$iptables -t nat -A PREROUTING -p TCP -m multiport -i $intif --dport 21,22,25,110,80,443 -j DNAT --to 10.0.0.10
$iptables -A FORWARD -p TCP -i $dmz -o $intif --dport 25 -j ACCEPT
$iptables -A FORWARD -p TCP -i $dmz -j ACCEPT
$iptables -A FORWARD -p ALL -i $dmz -o $intif -j ACCEPT
$iptables -A FORWARD -p tcp -i $intif --dport 80 -o $dmz -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $lan -o $dmz -j ACCEPT
#
# LAN Section
#
$iptables -A FORWARD -i $lan -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# DMZ Section
$iptables -A FORWARD -i $dmz -o $intif -m state --state NEW -j ACCEPT
$iptables -A FORWARD -i $dmz -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Logging information
#
$iptables -A FORWARD -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"
$iptables -A INPUT -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died:"
$iptables -A INPUT -p ALL -i $lan -d 192.168.1.0/24 -j ACCEPT
$iptables -A INPUT -p TCP -i $dmz -d 10.0.0.0/8 -j ACCEPT
# All established and related packets incoming from the internet to the firewall
$iptables -A INPUT -p ALL -i $intif -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p ALL -s 192.168.1.0/24 -j ACCEPT
$iptables -A OUTPUT -p ALL -s 127.0.0.1/8 -j ACCEPT
$iptables -A OUTPUT -p ALL -s 24.82.32.77/24 -j ACCEPT
$iptables -A OUTPUT -p ALL -s 10.0.0.0/8 -j ACCEPT
``````````````````````````````````````````````````````````
I appreciate any advice!
Tk.
I'm using RH7.3 with iptables as my firewall...my DMZ is working great. My email server works fine in my LAN (was able to send out), but smtp does not work when it's in the DMZ. My firewall is somehow blocking my smtp port...I'm able to receive email without any problem. I thought I opened port (TCP) 25 in my DMZ...so why doesn't it work?
I thought this part of my script should open all ports from my DMZ
$intif is my Internet
$dmz is my DMZ Nic
$iptables -A FORWARD -i $dmz -o $intif -m state --state NEW -j ACCEPT
$iptables -A FORWARD -i $dmz -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Here's my entire script
``````````````````````````````````````````````````````
#!/bin/sh
# Firewall script by Master B
iptables=/sbin/iptables
intif="eth0"
lan="eth2"
dmz="eth1"
dmz_ip="10.0.0.0/8"
$iptables -F
/sbin/depmod -a
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
$iptables -t nat -F
$iptables -t nat -A POSTROUTING -o $intif -j MASQUERADE
#
# IP Spoofing
#
$iptables -t nat -A PREROUTING -i $intif -s 192.168.0.0/24 -j DROP
$iptables -t nat -A PREROUTING -i $intif -s 10.0.0.0/8 -j DROP
$iptables -t nat -A PREROUTING -i $intif -s 172.16.0.0/16 -j DROP
#
# DMZ zone
#
$iptables -t nat -A PREROUTING -p TCP -m multiport -i $intif --dport 21,22,25,110,80,443 -j DNAT --to 10.0.0.10
$iptables -A FORWARD -p TCP -i $dmz -o $intif --dport 25 -j ACCEPT
$iptables -A FORWARD -p TCP -i $dmz -j ACCEPT
$iptables -A FORWARD -p ALL -i $dmz -o $intif -j ACCEPT
$iptables -A FORWARD -p tcp -i $intif --dport 80 -o $dmz -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -i $lan -o $dmz -j ACCEPT
#
# LAN Section
#
$iptables -A FORWARD -i $lan -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# DMZ Section
$iptables -A FORWARD -i $dmz -o $intif -m state --state NEW -j ACCEPT
$iptables -A FORWARD -i $dmz -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Logging information
#
$iptables -A FORWARD -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"
$iptables -A INPUT -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died:"
$iptables -A INPUT -p ALL -i $lan -d 192.168.1.0/24 -j ACCEPT
$iptables -A INPUT -p TCP -i $dmz -d 10.0.0.0/8 -j ACCEPT
# All established and related packets incoming from the internet to the firewall
$iptables -A INPUT -p ALL -i $intif -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p ALL -s 192.168.1.0/24 -j ACCEPT
$iptables -A OUTPUT -p ALL -s 127.0.0.1/8 -j ACCEPT
$iptables -A OUTPUT -p ALL -s 24.82.32.77/24 -j ACCEPT
$iptables -A OUTPUT -p ALL -s 10.0.0.0/8 -j ACCEPT
``````````````````````````````````````````````````````````
I appreciate any advice!
Tk.
