September 2nd, 2009, 05:47 PM
Hey everyone,

I've got a mailserver behind my firewall which forwards all connections to port 25/143 to the internal address. External connections work great; however, when I attempt to connect to the external IP address on port 25/143 from the internal network, the connection is refused or just hangs.

Any thoughts?

echo "Flushing iptables rules..."
iptables -F
iptables -t nat -F
iptables -t mangle -F

echo "Enabling kernel forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Denying SYN floods..."
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo "Setting default policies..."
iptables -P INPUT DROP
iptables -P FORWARD DROP

# LAN routing to internet
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# SMTP traffic
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT

# IMAP traffic
iptables -A FORWARD -p tcp --dport 143 -j ACCEPT

# Established connections
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Accepting (some) external connections to the router..."
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Accepting local connections to the router..."
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

echo "Setting up NAT..."
iptables -A POSTROUTING -t nat -o eth1 -j SNAT --to

echo "Forwarding mail traffic"
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination
iptables -t nat -A PREROUTING -p tcp --dport 143 -j DNAT --to-destination