Home / ubuntu / Questions / 68718
Accepted
Pitto
Asked: 2011-10-19 06:20:56 +0800 CST

Squid proxy server (or iptables) will not let my users send or receive mail

  • 772

I have an Ubuntu 10.04 box that was once configured as Squid Transparent Proxy. Navigation was perfect: my windows clients had no troubles.

The problem I had was that users were not able send or receive mail using outlook (and outlook express). So I've googled here and there and found out a solution:

sudo iptables -t nat -A POSTROUTING -p TCP --dport 25 -j MASQUERADE

sudo iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE

Everything went great.

Now I've enabled squid authentication (the simple one using a text file) and my outlook and outlook express stopped working again. I've read that the problem is not really squid related because it won't proxy smtp or pop... But I still need to solve it. NAT? Port forwarding?

What kind of commands should I use?

The squid server has a single NIC and can get on the internet and solve names using opendns servers witout problems.

configuration on server: ip 192.168.1.210 subnet 255.255.255.0 gateway 192.168.1.5

On clients I use: ip 192.168.1.x subnet 255.255.255.0 gateway 192.168.1.210

I can add further details so please ask but I don't know what could be needed to solve the problem.

EDIT:

sudo iptables -L

Chain INPUT (policy ACCEPT)

target prot opt source destination

fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh

Chain FORWARD (policy ACCEPT)

target prot opt source destination

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

Chain fail2ban-ssh (1 references)

target prot opt source destination

RETURN all -- anywhere anywhere

sudo iptables -L -t nat

Chain PREROUTING (policy ACCEPT)

target prot opt source destination

REDIRECT tcp -- anywhere anywhere tcp dpt:www redir ports 3128

Chain POSTROUTING (policy ACCEPT)

target prot opt source destination

MASQUERADE tcp -- anywhere anywhere tcp dpt:smtp

MASQUERADE tcp -- anywhere anywhere tcp dpt:pop3

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

iptables

1 Answers

  1. Best Answer

    I'm not sure what exactly you're going to achieve. As far as I understand you're going to use the machine with squid as router/firewall for the following scenario:

    1. allow web protocols (http/ftp) through squid only
    2. allow access to smpt/pop3 from your internal network to the outside via NAT.
    3. Your gateway to the internet is 192.168.1.5

    Usually NAT translates from one Network (192.168.1.0/24) to another one (i.e. 84.145.77.23/32) and the other way around. So you might need to setup NAT rules on the your gateway machine 192.168.1.5 in order to work.

    So that the outgoing path is:

    client -> 192.168.1.210 ->NAT-> 192.168.1.5 ->NAT-> mailserver

    And the incoming path for responses is:

    mailserver -> 192.168.1.5 ->NAT-> 192.168.1.210 ->NAT-> client

    As seen here 192.168.1.210 could be eliminated and the gateway could be configured accepting and NATing outgoing smtp/pop3 traffic from all clients and accepting outgoning http(s)/ftp traffic from 192.168.1.210 only.

    Imho the second NAT between 192.168.1.210 and 192.168.1.5 might cause problems (same network) and is unnecessary.

    To enable NAT in general on 192.168.1.210 please try the following first:

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    change eth0 to your network interface name, if necessary.

    • 1