* RE: SMTP HTTP port allow
@ 2003-08-29  1:25 George Vieira
  2003-08-29 10:13 ` ads nat
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: George Vieira @ 2003-08-29  1:25 UTC (permalink / raw)
  To: ads nat, netfilter

[-- Attachment #1: Type: text/plain, Size: 978 bytes --]

Well... have you tried it??
 

Thanks,

 
____________________________________________
George Vieira
Citadel Computer Systems Pty Ltd Systems Manager georgev AT citadelcomputer DOT com DOT au 
Citadel Computer Systems Pty Ltd
Phone : +61 2 9955 2644 HelpDesk: +61 2 9955 2698  <http://www.citadelcomputer.com.au/> http://www.citadelcomputer.com.au
 
 
-----Original Message-----
From: ads nat [mailto:adsnat@yahoo.com]
Sent: Wednesday, August 27, 2003 9:50 PM
To: George Vieira; netfilter@lists.netfilter.org
Subject: RE: SMTP HTTP port allow


My code has become as follows :
 
******
iptables -A POSTROUTING -t nat -p tcp --dport 25 -j MASQUERADE

iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.42 -d 207.106.22.35 --dport 21 -j MASQUERADE
iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE

iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
*****

Is this O.K.
Thanks

[-- Attachment #2: Type: text/html, Size: 4158 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* RE: SMTP HTTP port allow
  2003-08-29  1:25 SMTP HTTP port allow George Vieira
@ 2003-08-29 10:13 ` ads nat
  2003-08-30  7:23 ` ads nat
  2003-08-30 10:15 ` ads nat
  2 siblings, 0 replies; 10+ messages in thread
From: ads nat @ 2003-08-29 10:13 UTC (permalink / raw)
  To: George Vieira, netfilter

[-- Attachment #1: Type: text/plain, Size: 4526 bytes --]

I have tried it. But it is not working. Anyway. I am giving my settings and problems so that you can understand it better.
 
I am getting bandwidth through ISP coming to my server having Linux 8.0 and acting as Linux router and running squid as proxy and cache server.
 
SETTINGS
 
Following are settings in my "/etc/rc.d/rc.local" file
 
***
touch /var/lock/subsys/local
route del default gw 202.183.69.129 dev eth0
iptunnel add tunnel0 mode ipip local 202.183.69.130 remote 202.183.73.206 ttl 255
ip link set tunnel0 up
ip addr add 202.63.162.62/30 dev tunnel0
route add default gw 202.63.162.61 dev tunnel0
route add -net 202.183.73.204 netmask 255.255.255.252 gw 202.183.69.129
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface tunnel0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
 
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
*******
 
I have commented file "/etc/sysconf/iptables" totally and it is stopped.

 
PROBLEMS - 1
 
When I try to send email to squid mailing list from LAN user. I get following error.
***
 
This is a permanent error; I've given up. Sorry it didn't work out.
<squid-users@squid-cache.org>:
ezmlm-reject: fatal: Sorry, I don't accept messages of MIME 
Content-Type 'multipart/alternative' (#5.2.3)
--- Below this line is a copy of the message.
Return-Path: <adssquid@yahoo.com>
Received: (qmail 65674 invoked from network); 27 Aug 2003 11:00:53 
-0000
Received: from web20502.mail.yahoo.com (216.136.226.137)
  by squid-cache.org with SMTP; 27 Aug 2003 11:00:53 -0000
Message-ID: <20030827110050.81255.qmail@web20502.mail.yahoo.com>
Received: from [203.94.221.44] by web20502.mail.yahoo.com via HTTP; 
Wed, 27 Aug 2003 04:00:50 PDT
Date: Wed, 27 Aug 2003 04:00:50 -0700 (PDT)
From: ads squid <adssquid@yahoo.com>
Subject: RE: [squid-users] delay pool problem
To: Adam Aube <aaube@firstindependent.net>, squid-users@squid-cache.org
In-Reply-To: <000001c36c08$42969990$647fa8c0@firstindependent.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; 
boundary="0-181363567-1061982050=:80891"
--0-181363567-1061982050=:80891
Content-Type: text/plain; charset=us-ascii
***
 
My LAN user can send email to this (nat) mailing list.
 
Also my users complain that they cannot send email from Outlook Express to email id xyz@vsnl.com using LAN machine, but can send from outside dialup connection. At the same time they can send emails from yahoo.com, hotmail.com, etc.
 
PROBLEM - 2
 
When I try to upload files to my web service provider (outside) through my LAN machine, it accepts login and password and says Login successful, but gives the following error
 
***
retrieving directory listing...
COMMAND:> PORT 192,168,0,42,5,249
500 Illegal PORT command.
STATUS:> Error opening data socket
****
I am using Cuteftp for uploading.
 
When I try to upload same web service provider from dialup connection I can uploads files.
 
I think there is something to be done at my iptables setting and rc.local settings.
It is blocking access to outside.
 
I spoke to web server provider and ISP and they said they have not blocked anything from their side.
 
I think this will give clear idea about settings and problems so that you can guide in better manner.
 
If you need any more info. let me know.
Sorry for delay in reply.
Thanks


[-- Attachment #2: Type: text/html, Size: 9369 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread
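
The `500 Illegal PORT command` reply in the log above can be read off the PORT argument itself: it carries the client's LAN address, while the server sees the gateway's masqueraded address, and many FTP servers refuse a PORT whose address differs from the control connection's peer. The following is an added example, not part of the original message; the function names are hypothetical, and the peer address 202.63.162.62 assumes the server sees the tunnel0 address from the posted rc.local.

```shell
#!/bin/sh
# Added example (not from the thread): decode an FTP PORT argument and compare
# it with the address the server sees on the control connection.

# ftp_port_decode "h1,h2,h3,h4,p1,p2" -> prints "IP PORT"; returns 1 if malformed.
ftp_port_decode() {
    case $1 in
        ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;;   # only digits and single commas
    esac
    old_ifs=$IFS; IFS=,
    set -- $1                                  # split the argument on commas
    IFS=$old_ifs
    [ "$#" -eq 6 ] || return 1
    for n in "$@"; do
        case $n in
            0?*|????*) return 1 ;;             # no leading zeros, at most 3 digits
        esac
        [ "$n" -le 255 ] || return 1
    done
    # The data port is sent as two bytes: high byte first, then low byte.
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# is_rfc1918 IP -> returns 0 if IP is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# check_port_cmd PORT_ARG PEER_IP
# PEER_IP is the source address the FTP server sees on the control connection.
check_port_cmd() {
    decoded=$(ftp_port_decode "$1") || { echo "malformed"; return 0; }
    ip=${decoded% *}
    port=${decoded#* }
    if [ "$ip" = "$2" ]; then
        echo "ok $ip:$port"
    elif is_rfc1918 "$ip"; then
        # Private address leaked through NAT: the server cannot connect back
        # to it, and strict servers reject the command outright.
        echo "private-mismatch $ip:$port seen-as $2"
    else
        echo "mismatch $ip:$port seen-as $2"
    fi
}

# PORT arguments quoted in the thread; 202.63.162.62 is the tunnel0 address
# from the posted rc.local, assumed to be what the server sees after MASQUERADE.
for arg in 192,168,0,42,5,249 192,168,0,42,4,62; do
    check_port_cmd "$arg" 202.63.162.62
done
```

On a masquerading gateway the usual remedy is the FTP connection-tracking and NAT helper (`ip_conntrack_ftp` and `ip_nat_ftp` on 2.4 kernels), which rewrites the PORT argument in flight, or passive mode in the client.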

* RE: SMTP HTTP port allow
  2003-08-29  1:25 SMTP HTTP port allow George Vieira
  2003-08-29 10:13 ` ads nat
@ 2003-08-30  7:23 ` ads nat
  2003-08-30 10:15 ` ads nat
  2 siblings, 0 replies; 10+ messages in thread
From: ads nat @ 2003-08-30  7:23 UTC (permalink / raw)
  To: George Vieira, netfilter


[-- Attachment #1.1: Type: text/plain, Size: 3697 bytes --]

Sorry for delay in reply. I was away.
I tried as you said but it did not work.
 
I will brief about my settings and problems. Also attaching my rc.local file.
 
I am getting bandwidth from ISP. It comes to my Linux 8.0 server which acts as router (through tunnelling). Squid is installed on Linux server which distributes bandwidth to LAN users.
 
I am attaching rc.local file which gives settings. IPTABLES file is totally commented.
 
Problem -1.
When I try to send email to squid mailing list from LAN user I get following :
 
Hi. This is the qmail-send program at squid-cache.org.
I'm afraid I wasn't able to deliver your message to the following error :
****
This is a permanent error; I've given up. Sorry it didn't work out.
<squid-users@squid-cache.org>:
ezmlm-reject: fatal: Sorry, I don't accept messages of MIME 
Content-Type 'multipart/alternative' (#5.2.3)
--- Below this line is a copy of the message.
Return-Path: <adssquid@yahoo.com>
Received: (qmail 65674 invoked from network); 27 Aug 2003 11:00:53 
-0000
Received: from web20502.mail.yahoo.com (216.136.226.137)
  by squid-cache.org with SMTP; 27 Aug 2003 11:00:53 -0000
Message-ID: <20030827110050.81255.qmail@web20502.mail.yahoo.com>
Received: from [203.94.221.44] by web20502.mail.yahoo.com via HTTP; 
Wed, 27 Aug 2003 04:00:50 PDT
Date: Wed, 27 Aug 2003 04:00:50 -0700 (PDT)
From: ads squid <adssquid@yahoo.com>
Subject: RE: [squid-users] delay pool problem
To: Adam Aube <aaube@firstindependent.net>, squid-users@squid-cache.org
In-Reply-To: <000001c36c08$42969990$647fa8c0@firstindependent.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; 
boundary="0-181363567-1061982050=:80891"
--0-181363567-1061982050=:80891
Content-Type: text/plain; charset=us-ascii

*****
PROBLEM -1 
 
Also LAN user can not send email from outlook express.
 
When I send it from users machine with Dialup connection (Not my LAN supply) then mail goes in both cases.
 
PROBLEM -2
When I try to upload files to UNIX ftp server/ web server of web service provider who hosts my web site (Different from bandwidth provider) it gives following error :
 

Login successful

COMMAND:> TYPE I

200 Type set to I.

COMMAND:> pwd

257 "/" is current directory.

COMMAND:> TYPE A

200 Type set to A.

STATUS:> Retrieving directory listing...

COMMAND:> PORT 192,168,0,42,4,62

500 Illegal PORT command.

STATUS:> Error opening data socket :

 
I am using Cute ftp for uploading.
 
When I upload through dialup connection it goes without problem
 
I spoke with bandwidth supplier and webserver provider. They there must be problems with my settings.
 
Thanks for help
 
 
 
 

[-- Attachment #1.2: Type: text/html, Size: 8694 bytes --]

[-- Attachment #2: rc.local --]
[-- Type: application/octet-stream, Size: 2451 bytes --]

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
route del default gw 202.183.69.129 dev eth0
iptunnel add tunnel0 mode ipip local 202.183.69.130 remote 202.183.73.206 ttl 255
ip link set tunnel0 up
ip addr add 202.63.162.62/30 dev tunnel0
route add default gw 202.63.162.61 dev tunnel0
route add -net 202.183.73.204 netmask 255.255.255.252 gw 202.183.69.129
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface tunnel0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

#iptables -t nat -A POSTROUTING -p tcp --dport 25 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -o eth1  -j SNAT --to 207.106.22.35:80
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128

#iptables -A FORWARD -s 0/0 -d 0/0 -p tcp --dport 4662 -j DROP
#iptables -A FORWARD -s 0/0 -d 0/0 -p tcp --dport 1214 -j DROP
#iptables -A FORWARD -s 0/0 -d 0/0 -p tcp --dport 4672 -j DROP

#
he other init scripts.

#iptables -t nat -A POSTROUTING -p tcp --dport 25 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -o eth1  -j SNAT --to 207.106.22.35:80
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128

^ permalink raw reply	[flat|nested] 10+ messages in thread

* RE: SMTP HTTP port allow
  2003-08-29  1:25 SMTP HTTP port allow George Vieira
  2003-08-29 10:13 ` ads nat
  2003-08-30  7:23 ` ads nat
@ 2003-08-30 10:15 ` ads nat
  2 siblings, 0 replies; 10+ messages in thread
From: ads nat @ 2003-08-30 10:15 UTC (permalink / raw)
  To: George Vieira, netfilter

[-- Attachment #1: Type: text/plain, Size: 5701 bytes --]

I tried to reply you twice, somehow emails are not going out through my LAN machine.
I tried as you advised but it didn't work.
 
Please find my rc.local file below. My iptables file is totally commented and restarted.
 
I am facing following problems.
 
PROBLEM-1
 
When I try to send email to squid emailing list I get following error.
****
Hi. This is the qmail-send program at squid-cache.org.
I'm afraid I wasn't able to deliver your message to the following 
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<squid-users@squid-cache.org>:
ezmlm-reject: fatal: Sorry, I don't accept messages of MIME 
Content-Type 'multipart/alternative' (#5.2.3)
--- Below this line is a copy of the message.
Return-Path: <adssquid@yahoo.com>
Received: (qmail 65674 invoked from network); 27 Aug 2003 11:00:53 
-0000
Received: from web20502.mail.yahoo.com (216.136.226.137)
  by squid-cache.org with SMTP; 27 Aug 2003 11:00:53 -0000
Message-ID: <20030827110050.81255.qmail@web20502.mail.yahoo.com>
Received: from [203.94.221.44] by web20502.mail.yahoo.com via HTTP; 
Wed, 27 Aug 2003 04:00:50 PDT
Date: Wed, 27 Aug 2003 04:00:50 -0700 (PDT)
From: ads squid <adssquid@yahoo.com>
Subject: RE: [squid-users] delay pool problem
To: Adam Aube <aaube@firstindependent.net>, squid-users@squid-cache.org
In-Reply-To: <000001c36c08$42969990$647fa8c0@firstindependent.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; 
boundary="0-181363567-1061982050=:80891"
--0-181363567-1061982050=:80891
Content-Type: text/plain; charset=us-ascii
*****
Also my LAN users can not send emails through outlook express.
However email can be sent through dialup connection of LAN user.

 
 
PROBLEM -2 
 
When I try to upload files from LAN user to my outside webserver provider through CuteFTP it gives following message
****
 Login successful
COMMAND:> TYPE I
 200 Type set to I.
COMMAND:> pwd
 257 "/" is current directory.
COMMAND:> TYPE A
 200 Type set to A.
STATUS:> Retrieving directory listing...
COMMAND:> PORT 192,168,0,42,4,62
 500 Illegal PORT command.
STATUS:> Error opening data socket 
*****
 
I can upload files to my webserver from dialup connection.
 
My rc.local is as follows :

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
route del default gw 202.183.69.129 dev eth0
iptunnel add tunnel0 mode ipip local 202.183.69.130 remote 202.183.73.206 ttl 255
ip link set tunnel0 up
ip addr add 202.63.162.62/30 dev tunnel0
route add default gw 202.63.162.61 dev tunnel0
route add -net 202.183.73.204 netmask 255.255.255.252 gw 202.183.69.129
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface tunnel0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
#iptables -t nat -A POSTROUTING -p tcp --dport 25 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -o eth1  -j SNAT --to 207.106.22.35:80
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
#iptables -A FORWARD -s 0/0 -d 0/0 -p tcp --dport 4662 -j DROP
#iptables -A FORWARD -s 0/0 -d 0/0 -p tcp --dport 1214 -j DROP
#iptables -A FORWARD -s 0/0 -d 0/0 -p tcp --dport 4672 -j DROP
#
he other init scripts.
#iptables -t nat -A POSTROUTING -p tcp --dport 25 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -o eth1  -j SNAT --to 207.106.22.35:80
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
*****
 
Thanks for help
 



[-- Attachment #2: Type: text/html, Size: 10176 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* SMTP HTTP port allow
@ 2003-08-30 13:11 ads nat
  0 siblings, 0 replies; 10+ messages in thread
From: ads nat @ 2003-08-30 13:11 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 4806 bytes --]

I can not reply to email there is some problem therefore separate email.
 
 
I tried to reply you twice, somehow emails are not going out through my LAN machine.
I tried as you advised but it didn't work.
Please find my rc.local file below. My iptables file is totally commented and restarted.
I am facing following problems.
PROBLEM-1
When I try to send email to squid emailing list I get following error.
****
Hi. This is the qmail-send program at squid-cache.org.
I'm afraid I wasn't able to deliver your message to the following 
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<squid-users@squid-cache.org>:
ezmlm-reject: fatal: Sorry, I don't accept messages of MIME 
Content-Type 'multipart/alternative' (#5.2.3)
--- Below this line is a copy of the message.
Return-Path: <adssquid@yahoo.com>
Received: (qmail 65674 invoked from network); 27 Aug 2003 11:00:53 
-0000
Received: from web20502.mail.yahoo.com (216.136.226.137)
  by squid-cache.org with SMTP; 27 Aug 2003 11:00:53 -0000
Message-ID: <20030827110050.81255.qmail@web20502.mail.yahoo.com>
Received: from [203.94.221.44] by web20502.mail.yahoo.com via HTTP; 
Wed, 27 Aug 2003 04:00:50 PDT
Date: Wed, 27 Aug 2003 04:00:50 -0700 (PDT)
From: ads squid <adssquid@yahoo.com>
Subject: RE: [squid-users] delay pool problem
To: Adam Aube <aaube@firstindependent.net>, squid-users@squid-cache.org
In-Reply-To: <000001c36c08$42969990$647fa8c0@firstindependent.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; 
boundary="0-181363567-1061982050=:80891"
--0-181363567-1061982050=:80891
Content-Type: text/plain; charset=us-ascii
*****
Also my LAN users can not send emails through outlook express.
However email can be sent through dialup connection of LAN user.

PROBLEM -2 
When I try to upload files from LAN user to my outside webserver provider through CuteFTP it gives following message
****
 Login successful
COMMAND:> TYPE I
 200 Type set to I.
COMMAND:> pwd
 257 "/" is current directory.
COMMAND:> TYPE A
 200 Type set to A.
STATUS:> Retrieving directory listing...
COMMAND:> PORT 192,168,0,42,4,62
 500 Illegal PORT command.
STATUS:> Error opening data socket 
*****
I can upload files to my webserver from dialup connection.
My rc.local is as follows :
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
route del default gw 202.183.69.129 dev eth0
iptunnel add tunnel0 mode ipip local 202.183.69.130 remote 202.183.73.206 ttl 255
ip link set tunnel0 up
ip addr add 202.63.162.62/30 dev tunnel0
route add default gw 202.63.162.61 dev tunnel0
route add -net 202.183.73.204 netmask 255.255.255.252 gw 202.183.69.129
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface tunnel0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
#iptables -t nat -A POSTROUTING -p tcp --dport 25 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -o eth1  -j SNAT --to 207.106.22.35:80
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
#iptables -A FORWARD -s 0/0 -d 0/0 -p tcp --dport 4662 -j DROP
#iptables -A FORWARD -s 0/0 -d 0/0 -p tcp --dport 1214 -j DROP
#iptables -A FORWARD -s 0/0 -d 0/0 -p tcp --dport 4672 -j DROP
#
he other init scripts.
#iptables -t nat -A POSTROUTING -p tcp --dport 25 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -o eth1  -j SNAT --to 207.106.22.35:80
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE
#iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
*****

SMTP HTTP port allow 




[-- Attachment #2: Type: text/html, Size: 5764 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: SMTP HTTP port allow
  2003-08-27 10:40 ` George Vieira
  2003-08-27 11:49   ` ads nat
@ 2003-08-27 15:38   ` Ramin Dousti
  1 sibling, 0 replies; 10+ messages in thread
From: Ramin Dousti @ 2003-08-27 15:38 UTC (permalink / raw)
  To: George Vieira; +Cc: ads nat, netfilter

On Wed, Aug 27, 2003 at 08:40:20PM +1000, George Vieira wrote:

> You have not used MASQUERADE in your POSTROUTING rules or haven't showed
> it..
> 
> iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.42 -d 207.106.22.35 --dport 80 -j MASQUERADE
> iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
> 
> 
> without the rules above, the 192.168.0.XX packets leave the network out into
> the internet and eventually get dropped by some ISP...

Again and again, a correction to the statement above. The ISP's do not
drop these packets because the src is private IP. It's the return packets
which would be dropped because the "defaultless" core routers don't know
where to forward them.

Ramin



^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: SMTP HTTP port allow
  2003-08-27  6:52 ads nat
  2003-08-27 10:40 ` George Vieira
@ 2003-08-27 13:13 ` Jeffrey Laramie
  1 sibling, 0 replies; 10+ messages in thread
From: Jeffrey Laramie @ 2003-08-27 13:13 UTC (permalink / raw)
  To: netfilter


ads nat wrote:

> I am implementing iptables for first time.
> I want to allow all my LAN users to send emails to SMTP (port no. 
> 25) all destination with following code. :
>  
> ***
> iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
> ***

That looks fine. If you want to test a specific rule, replace ACCEPT 
with LOG and test it. Use --log-prefix to identify these entries. In 
your case:

iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "dport_25_packet: "

>  
> I also want to allow LAN users having ip 192.168.0.42 192.168.0.23 to 
> upload contents to webserver on ip 207.106.22.35 (outside of LAN) with 
> following code.
>  
> ***
> iptables -A FORWARD -p tcp -s 192.168.0.42 192.168.0.23 -d 207.106.22.35 --dport 80 -j ACCEPT
> ***
>  
> I would like to know whether it works or not.
> Tell me whether my code is O.K. also where can i check logs.

iptables uses the kernel system log. In my Redhat system that can be 
found as /var/log/messages.

> Thanks




^ permalink raw reply	[flat|nested] 10+ messages in thread
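
To read the result of the LOG rule suggested above, the entries can be filtered from the kernel log by their prefix and grouped by source, outgoing interface and destination port. This is an added example, not part of the original reply; the function names are hypothetical and the log lines are constructed samples in the usual iptables LOG format.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG entries that
# carry a given --log-prefix, as they appear in /var/log/messages.

# Constructed sample log lines (hostname, addresses and IDs are made up).
sample_log() {
cat <<'EOF'
Aug 27 13:20:01 gw kernel: dport_25_packet: IN=eth1 OUT=tunnel0 SRC=192.168.0.42 DST=198.51.100.25 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4711 DF PROTO=TCP SPT=1086 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 27 13:20:04 gw kernel: dport_25_packet: IN=eth1 OUT=tunnel0 SRC=192.168.0.42 DST=198.51.100.25 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4712 DF PROTO=TCP SPT=1086 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 27 13:20:05 gw sshd[812]: session opened for user root
Aug 27 13:20:10 gw kernel: dport_25_packet: IN=eth1 OUT=tunnel0 SRC=192.168.0.42 DST=198.51.100.25 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4713 DF PROTO=TCP SPT=1086 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 27 13:21:30 gw kernel: dport_25_packet: IN=eth1 OUT=tunnel0 SRC=192.168.0.23 DST=198.51.100.25 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=9001 DF PROTO=TCP SPT=1100 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 27 13:22:00 gw kernel: other_rule: IN=eth1 OUT=tunnel0 SRC=192.168.0.42 DST=198.51.100.80 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4800 DF PROTO=TCP SPT=1090 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
EOF
}

# summarize_log_prefix PREFIX
# Reads syslog lines on stdin and prints "COUNT SRC OUT DPT" for every
# distinct (source, outgoing interface, destination port) logged with PREFIX.
summarize_log_prefix() {
    awk -v prefix="$1" '
        # Keep only kernel lines that carry exactly this log prefix.
        index($0, "kernel: " prefix) == 0 { next }
        {
            src = "-"; out = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^OUT=/) out = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # OUT= is empty for packets addressed to the gateway itself.
            if (out == "") out = "(local)"
            count[src " " out " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2
}

# Against a live system this would be:
#   summarize_log_prefix "dport_25_packet: " < /var/log/messages
sample_log | summarize_log_prefix "dport_25_packet: "
```

Rules are evaluated in order and LOG does not stop traversal, so a LOG rule appended with `-A` after an ACCEPT that already matches the traffic never fires; inserting it with `-I` places it ahead of that rule.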

* RE: SMTP HTTP port allow
  2003-08-27 10:40 ` George Vieira
@ 2003-08-27 11:49   ` ads nat
  2003-08-27 15:38   ` Ramin Dousti
  1 sibling, 0 replies; 10+ messages in thread
From: ads nat @ 2003-08-27 11:49 UTC (permalink / raw)
  To: George Vieira, netfilter

[-- Attachment #1: Type: text/plain, Size: 1925 bytes --]

My code has become as follows :
 
******
iptables -A POSTROUTING -t nat -p tcp --dport 25 -j MASQUERADE

iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.42 -d 207.106.22.35 --dport 21 -j MASQUERADE
iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 21 -j MASQUERADE

iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
*****

Is this O.K.
Thanks

George Vieira <georgev@citadelcomputer.com.au> wrote:
You have not used MASQUERADE in your POSTROUTING rules or haven't showed it..
 
iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.42 -d 207.106.22.35 --dport 80 -j MASQUERADE
iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE
 
 
without the rules above, the 192.168.0.XX packets leave the network out into the internet and eventually get dropped by some ISP...
 
-----Original Message-----
From: netfilter-admin@lists.netfilter.org [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of ads nat
Sent: Wednesday, August 27, 2003 4:53 PM
To: netfilter@lists.netfilter.org
Subject: SMTP HTTP port allow


I am implementing iptables for first time.
I want to allow all my LAN users to send emails to SMTP (port no. 25) all destination with following code. :
 
***
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
***
 
I also want to allow LAN users having ip 192.168.0.42 192.168.0.23 to upload contents to webserver on ip 207.106.22.35 (outside of LAN) with following code. 
 
***
iptables -A FORWARD -p tcp -s 192.168.0.42 192.168.0.23 -d 207.106.22.35 --dport 80 -j ACCEPT
***
 
I would like to know whether it works or not.
Tell me whether my code is O.K. also where can i check logs.
Thanks





[-- Attachment #2: Type: text/html, Size: 3575 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* RE: SMTP HTTP port allow
  2003-08-27  6:52 ads nat
@ 2003-08-27 10:40 ` George Vieira
  2003-08-27 11:49   ` ads nat
  2003-08-27 15:38   ` Ramin Dousti
  2003-08-27 13:13 ` Jeffrey Laramie
  1 sibling, 2 replies; 10+ messages in thread
From: George Vieira @ 2003-08-27 10:40 UTC (permalink / raw)
  To: ads nat, netfilter

[-- Attachment #1: Type: text/plain, Size: 1394 bytes --]

You have not used MASQUERADE in your POSTROUTING rules or haven't showed
it..

iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.42 -d 207.106.22.35 --dport 80 -j MASQUERADE
iptables -A POSTROUTING -t nat -p tcp -s 192.168.0.23 -d 207.106.22.35 --dport 80 -j MASQUERADE


without the rules above, the 192.168.0.XX packets leave the network out into
the internet and eventually get dropped by some ISP...

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of ads nat
Sent: Wednesday, August 27, 2003 4:53 PM
To: netfilter@lists.netfilter.org
Subject: SMTP HTTP port allow


I am implementing iptables for first time.
I want to allow all my LAN users to send emails to SMTP (port no. 25) all
destination with following code. :

***
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT

***

I also want to allow LAN users having ip 192.168.0.42 192.168.0.23 to upload
contents to webserver on ip 207.106.22.35 (outside of LAN) with following
code.

***
iptables -A FORWARD -p tcp -s 192.168.0.42 192.168.0.23 -d 207.106.22.35 --dport 80 -j ACCEPT
***

I would like to know whether it works or not.
Tell me whether my code is O.K. also where can i check logs.
Thanks




[-- Attachment #2: Type: text/html, Size: 2886 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* SMTP HTTP port allow
@ 2003-08-27  6:52 ads nat
  2003-08-27 10:40 ` George Vieira
  2003-08-27 13:13 ` Jeffrey Laramie
  0 siblings, 2 replies; 10+ messages in thread
From: ads nat @ 2003-08-27  6:52 UTC (permalink / raw)
  To: netfilter

[-- Attachment #1: Type: text/plain, Size: 704 bytes --]

I am implementing iptables for first time.
I want to allow all my LAN users to send emails to SMTP (port no. 25) all destination with following code. :
 
***
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
***
 
I also want to allow LAN users having ip 192.168.0.42 192.168.0.23 to upload contents to webserver on ip 207.106.22.35 (outside of LAN) with following code. 
 
***
iptables -A FORWARD -p tcp -s 192.168.0.42 192.168.0.23 -d 207.106.22.35 --dport 80 -j ACCEPT
***
 
I would like to know whether it works or not.
Tell me whether my code is O.K. also where can i check logs.
Thanks





[-- Attachment #2: Type: text/html, Size: 975 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread
