[NTLUG:Discuss] Redhat 7.2, iptables & qpopper

Stan Tigrett stigrett at killer-webs.com
Mon Feb 4 11:11:07 CST 2002


I'm having a problem accessing our pop3 mail from outside our firewall, which is running iptables (the firewall machine also handles email for the organization, running sendmail & qpopper).  All machines on the internal network can access it fine, but no external access is allowed.  It seems to me that the problem is in the iptables setup, but I can't seem to enable it.  Any help is much appreciated...

More details:
$EXTIP = external (routable) ip address of firewall
$INTIP = internal (non-routable) ip address of firewall

nmap $EXTIP executed from any external address returns:
(The 1536 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
111/tcp    open        sunrpc
1024/tcp   open        kdm

nmap $EXTIP executed from the firewall itself returns:
(The 1536 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
110/tcp    open        pop-3
111/tcp    open        sunrpc
1024/tcp   open        kdm

Running telnet $EXTIP 110 from an external address returns:
Connection actively refused.

Running telnet $EXTIP 110 from the firewall returns the standard qpopper banner & welcome message.

Here are my current iptables rules:
#begin firewall
# load NAT support
modprobe iptable_nat
# flush the filter table; -F alone leaves the nat table untouched, so flush that as well
/sbin/iptables -F
/sbin/iptables -t nat -F
# masquerade everything leaving through the external interface
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# send inbound web traffic arriving on the external interface to the internal web server
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.100:80
# rewrite the source of internal-subnet web traffic addressed to 192.168.1.1
/sbin/iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.1 -s 192.168.1.0/24 --dport 80 -j SNAT --to 192.168.1.100
# accept pop3 from any source (redundant while the INPUT policy is ACCEPT)
/sbin/iptables -A INPUT -s 0/0 -p tcp --destination-port 110 -j ACCEPT
# enable routing between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
#end firewall

And iptables -L yields:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Any ideas?  ssh & smtp both work fine from anywhere.

Thanks - 
Stan
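The ruleset in the post above, as an added example that is not part of the original message: a small Python evaluator that parses `iptables -L -n` output and reports which target (or chain policy) a TCP connection to a given port from a given source would hit, going beyond the post with a constructed default-deny variant for comparison. With every policy set to ACCEPT and no REJECT rule present, this filter cannot generate an active refusal, so a reset on port 110 has to originate outside the ruleset (the listener's own binding or access control, or a device upstream); the ACCEPT policies also mean the filter admits all inbound traffic. The sample listings and the 203.0.113.5 address used in the checks are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: the posted INPUT chain as `iptables -L -n` (numeric) prints it.
POSTED = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
"""

# Constructed default-deny variant (an assumption, not from the post): pop-3 stays open
# to everyone, sunrpc is actively rejected with a reset, everything else is dropped.
DEFAULT_DENY = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:111 reject-with tcp-reset
"""

def parse_chains(listing):
    """Return {chain: (policy, [(target, prot, source_net, dport)])} from -L -n text."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:  # user-defined chains have no policy; falling off the end returns
            current = m.group(1)
            chains[current] = (m.group(2) or "RETURN", [])
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue
        target, prot, _opt, src, _dst = line.split()[:5]
        dport = re.search(r"dpt:(\d+)", line)
        chains[current][1].append((target, prot, ipaddress.ip_network(src),
                                   int(dport.group(1)) if dport else None))
    return chains

def verdict(chains, chain, prot, src, dport):
    """First rule matching protocol, source and port wins; otherwise the chain policy."""
    policy, rules = chains[chain]
    for target, r_prot, r_src, r_port in rules:
        if (r_prot in ("all", prot) and ipaddress.ip_address(src) in r_src
                and r_port in (None, dport)):
            return target
    return policy

def filter_refuses(chains, prot, src, dport):
    """True only when INPUT itself answers with REJECT. A verdict of ACCEPT paired
    with 'connection refused' means the reset came from outside this ruleset."""
    return verdict(chains, "INPUT", prot, src, dport) == "REJECT"
```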