[Firehol-support] Newbie question. NAT / DNAT? or port redirection ?

Andre Marenke andre.marenke at ampwest.com.au
Wed Feb 11 06:36:02 GMT 2004


On Wed, 2004-02-11 at 17:09, Alejandro Pizano wrote:
> We received also an email account from our ISP, you know, a pop3 / smtp
> account on their server (fixed ip).
> On one windows pc (local lan) I tried to configure outlook in
> order to access the mail account, so I started my research. I know it has
> something to do with IPTABLES
Using Firehol, you won't have to deal with iptables yourself. Firehol is a
bash script frontend, which in turn generates the iptables rules for you.

> First I allowed connection to smtp (25), pop3 (110) and imap ports. I only
> got this: Error unable to connect to server.
Going by your configuration below, you have allowed access to
smtp/pop/imap from your lan to your server as well as from the internet
to your server. See corrections below.

> Could someone please tell me what to do? What am I doing wrong? Or what to
> read?
Read all the documentation at firehol.sf.net again. In itself it
provides a great start to understanding firewalls. Create rules, restart
firehol and see how the iptables rules change (using `firehol status`).

Try the following script for a very basic setup and then add in more as
you read the manual to tighten your firewall.
(my comments prefixed with *)

# Internal Network IP Address
* Leave this line out at the beginning. You are not using it in your
script. Once everything is working, you can tag this on to your routers
using the src/dst tags

# Transparent Proxy
transparent_squid 8080 "squid root" inface eth1

# My LAN. Everything is allowed here.
interface eth1 lan
         server  samba   accept
         server  squid   accept
         server  ssh     accept
*#         server  http    accept
*#         server  pop3    accept
*#         server  smtp    accept
         server  dhcp    accept
*#         server  imap    accept
         policy  reject
* if your server does not have pop/smtp/http/imap running, leave those
servers out. For outgoing connections, you'll have to define a router.

interface eth0 internet
         protection      strong  10/sec 10
*#         server  pop3    accept
*#         server  smtp    accept
         server  dhcp    accept
*#         server  imap    accept
         server  ssh     accept
*#         server  http    accept
         server  ident   reject with tcp-reset
         client  all     accept
* same as above. 

*router lan2internet inface eth1 outface eth0
*         masquerade
*         route pop3 accept
*         route smtp accept
*         route imap accept
* you want to route traffic from your lan to the internet. That's why
you need to specify those services here. They are supposed to pass from
interface eth1 to eth0. I changed the router name to make it sound more
logical, and fixed the masquerading.

Have a go with this script and you should be fine. 
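To make the router section above concrete, here is an added example that is not part of Andre's reply and not FireHOL's own generated output (FireHOL builds its own chains and uses connection tracking in more detail). The script is a hand-written approximation of what `router lan2internet inface eth1 outface eth0` with `masquerade` and `route pop3/smtp/imap accept` amounts to in plain iptables terms. It prints the rules instead of applying them, so they can be reviewed before being run as root; the port numbers (25, 110, 143) are the standard ones, and the interface names are those from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from FireHOL): print the
# plain iptables rules that a FireHOL router with masquerade and a few
# "route <service> accept" lines roughly corresponds to.

# service name -> TCP port, for the three services in Andre's router
service_port() {
    case "$1" in
        smtp) echo 25 ;;
        pop3) echo 110 ;;
        imap) echo 143 ;;
        *)    return 1 ;;
    esac
}

# usage: router_rules <inface> <outface> <service>...
# Emits the rule set; nothing is applied.
router_rules() {
    inface=$1; outface=$2; shift 2
    # Nothing is forwarded unless a rule below allows it.
    echo "iptables -P FORWARD DROP"
    # masquerade: rewrite the source address of LAN packets leaving via outface
    echo "iptables -t nat -A POSTROUTING -o $outface -j MASQUERADE"
    # replies to already-allowed connections are let back towards the LAN
    echo "iptables -A FORWARD -i $outface -o $inface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for svc in "$@"; do
        port=$(service_port "$svc") || { echo "unknown service: $svc" >&2; return 1; }
        # route <svc> accept: new connections from inface to outface on that port
        echo "iptables -A FORWARD -i $inface -o $outface -p tcp --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
}

# The router from the post: LAN on eth1, internet on eth0
router_rules eth1 eth0 pop3 smtp imap
```

The `-P FORWARD DROP` line is what makes the three `route` lines necessary in the first place: without an explicit accept for each service, Outlook's connections from the LAN never reach the ISP's server, which is the "unable to connect" symptom in the original question.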

