In one of the offices, we have a 50-computer network, which had only one server machine:
- Windows 2003 Server
- Microsoft ISA Server
- Microsoft Exchange 2003
This server worked as a gateway (proxy server), mail server, file server, firewall and domain controller. It had two network interfaces, one for WAN (let's say 222.222.222.222) and one for LAN (192.168.1.1). I set up a Linux box to be the gateway (without a proxy), so the Linux box now has the following interfaces: 222.222.222.222 (our external IP, we removed it from the Windows machine) and 192.168.1.100 (internal IP), but we need to keep the old Windows server as a mail server and a proxy for some of our users, until we prepare another Linux machine for that, so I need the mail server on that machine to be available from the Internet. I set up iptables rules to redirect all the incoming connections on the 25th and 110th ports of our external IP to 192.168.1.1:25 and 192.168.1.1:110 and when I try to telnet our SMTP service
telnet 222.222.222.222 25
I get the greeting from our Windows server's (192.168.1.1) SMTP service, and that works fine. But when I telnet to the POP3 service
telnet 222.222.222.222 110
I only get a blank black screen and the connection seems to disappear if I press any key. I've checked the ISA rules - everything seems to be the same for ports 110 and 25. When I telnet to port 110 of our Windows server from our new gateway machine like this:
telnet 192.168.1.1 110
I get access to its POP3 service:
+OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1
(...) ready.
What should I do to make the POP3 service available through our new gateway?
UPD: my iptables config looks like this:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N bad_packets
-N bad_tcp_packets
-N icmp_packets
-N tcp_inbound
-N tcp_outbound
-N udp_inbound
-N udp_outbound
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -s 192.168.1.0/24 -i eth0 -j ACCEPT
-A INPUT -d 192.168.1.255/32 -i eth0 -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -j tcp_inbound
-A INPUT -i eth1 -p udp -j udp_inbound
-A INPUT -i eth1 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
-A FORWARD -j bad_packets
-A FORWARD -i eth0 -p tcp -j tcp_outbound
-A FORWARD -i eth0 -p udp -j udp_outbound
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
-A FORWARD -d 192.168.1.1/32 -i eth1 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -d 192.168.1.1/32 -i eth1 -p udp -m udp --dport 25 -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.1.100/32 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
-A bad_packets -s 192.168.1.0/24 -i eth1 -j LOG --log-prefix "fp=bad_packets:2 a=DROP "
-A bad_packets -s 192.168.1.0/24 -i eth1 -j DROP
-A bad_packets -m state --state INVALID -j LOG --log-prefix "fp=bad_packets:1 a=DROP "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth0 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "fp=bad_tcp_packets:2 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "fp=bad_tcp_packets:3 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "fp=bad_tcp_packets:4 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "fp=bad_tcp_packets:5 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "fp=bad_tcp_packets:6 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "fp=bad_tcp_packets:7 a=DROP "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "fp=icmp_packets:1 a=DROP "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 21 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --sport 20 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 25 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 110 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -m udp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
Please verify that the connection control properties under the "Access" tab of the "POP3 Virtual Server properties" permit "All except the list below".
Please see screenshot: http://www.iainlbc.com/pop3.jpg
I would not recommend leaving unencrypted POP3 accessible. You can use stunnel on your Linux box (see http://www.sysdesign.ca/guides/secure_pop3.html for example) to provide POP3S.
This will not only secure your e-mail access from stolen passwords, but also solve your problem, as the connection will be made locally. I recommend doing the same for SMTP as well, but you will have to leave port 25 available for incoming mail.
If you're not using ISA as a firewall anymore, but only as a proxy, you should remove all rules from its configuration and only create a single "allow all traffic from anywhere to anywhere" policy; running ISA on the same box as Exchange and a DC can get quite messy.
You should also check that your IPTABLES configuration actually allows external connections to the internal POP3 service, and that Exchange's POP3 service doesn't have any block list configured.
Also, you should test your services from outside your network: routing can become painful when you're starting from your LAN, going out via NAT and then coming back via a NATted public IP to an internal server.
Edit:
I'm quite puzzled by your IPTABLES configuration.
You wrote:
But SMTP and POP3 are TCP protocols, not UDP ones!
Also, you're doing this:
These rules accept connections to those ports when they're directed to the firewall itself (INPUT chain), but then how are you forwarding them to internal servers? I don't see any port forwarding here.
I also don't see any NAT being done here... but I was under the impression that your Linux firewall had a public IP address on its external interface.
Well, as others have pointed out, you need to have the POP3 service listening on any interface and not only the former external one. I can't help with that, but: use
to verify that you see something like
and not
The latter means that only connection attempts to the 222 IP reach the POP3 service. Depending on the firewall configuration, your connection attempts will stall (port in "stealth mode" or "act as dead when approached", silently throwing packets away) or be disconnected immediately (ICMP port unreachable or TCP RST packet sent).
You can also check that the connection attempt reaches the POP3 service machine at all by using a packet sniffer like Wireshark on the Windows server.
Hardly worthy of an answer, but it may help you figure the problem out better: https://www.testexchangeconnectivity.com/ Using the last 2 tests on that page and perhaps some other ones, you may be able to get links to Microsoft's KB to solve the problem.
Good luck
OK, the iptables configuration is either wrong or incomplete. For such a configuration you should be using the nat module and the PREROUTING table.
Check if a
iptables -nL -t nat
shows you something different. What you're trying to do is DNAT (Destination Network Address Translation). The correct invocation for it would be:
Good luck,
João Miguel Neves
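As an added example (not from any of the posters), the rule set the last two answers call for: a nat/PREROUTING DNAT entry for ports 25 and 110, plus FORWARD rules that match TCP rather than the UDP used in the posted config. It assumes eth1 is the external interface (222.222.222.222), eth0 the LAN side, and 192.168.1.1 the Exchange box, as in the question; the function prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Assumed from the question: eth1 = WAN side, eth0 = LAN side,
# Exchange/ISA box at 192.168.1.1. Adjust if your interfaces differ.
EXT_IF=eth1
EXT_IP=222.222.222.222
MAIL=192.168.1.1

# Emit one complete iptables command per line for SMTP (25) and POP3 (110).
# Two things differ from the posted config: a DNAT rule in the nat table's
# PREROUTING chain rewrites the destination, and FORWARD matches -p tcp.
# -I is used for FORWARD so the rule sits ahead of the LOG/DROP tail.
dnat_rules() {
    for port in 25 110; do
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport $port -j DNAT --to-destination $MAIL:$port"
        echo "iptables -I FORWARD -i $EXT_IF -d $MAIL -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Number of rules emitted; useful as a sanity check (two per port).
dnat_rule_count() {
    dnat_rules | wc -l | tr -d ' '
}

# Apply the rules on the gateway (needs root). Forwarding must be enabled
# or the DNATed packets are dropped before they reach FORWARD.
apply_dnat_rules() {
    sysctl -w net.ipv4.ip_forward=1
    dnat_rules | sh
    # Afterwards, verify with the check from the last answer:
    iptables -t nat -nL PREROUTING
}

# Stand-alone run: just print the rules for review.
dnat_rules
```

Testing from inside the LAN will still fail without an extra hairpin rule, as one answer notes; check from an outside host.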