In case you use the ipchains (resp. iptables) tool for network filtering, the appropriate rules are as follows.
Kernel 2.2.X:
ipchains -I INPUT -p tcp -s 192.168.1.0/24 -d 0.0.0.0/0 25 \
  -j REDIRECT 2525
Kernel 2.4.X:
iptables -I PREROUTING -t nat -p tcp -s 192.168.1.0/24 --dport 25 \
  -j REDIRECT --to-ports 2525
Now all the communication arrives at nod32smtp, which can be verified in the module's logging output. Note
that with this setting port 2525 provides an open relay, since nod32smtp accepts all packets that arrive on port
2525 (including packets from outside the local network). The nod32smtp daemon forwards this traffic to port 25, where
the MTA interprets it as local communication on the so-called loopback interface and therefore does not reject it
by its relay rules. You can solve this problem by ensuring that all communication with port 2525 is disabled except
from the local network. Use the following ipchains (resp. iptables) rules to do so.
Kernel 2.2.X:
ipchains -I INPUT -p tcp -s ! 192.168.1.0/24 -d 0.0.0.0/0 2525 \
  -j REJECT
Kernel 2.4.X:
iptables -I INPUT -p tcp -s ! 192.168.1.0/24 --dport 2525 \
  -j DROP
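To make the open-relay gap above concrete, here is an added model of the kernel 2.4 rule set (my own Python, not code from the manual or from NOD32): it walks a packet through the nat PREROUTING redirect and the INPUT filter and shows that, without the second rule, an external host reaches nod32smtp and from there the MTA over loopback. The LAN prefix, ports, sample addresses and function names are assumptions mirroring the text.

```python
import ipaddress

# Constructed values mirroring the manual's setup (assumptions, not NOD32 code):
# a /24 LAN, the MTA listening on 25, nod32smtp listening on 2525.
LAN = ipaddress.ip_network("192.168.1.0/24")
MTA_PORT = 25
SCANNER_PORT = 2525
DROPPED = "dropped"

def in_lan(src: str) -> bool:
    """True if the source address belongs to the trusted local network."""
    return ipaddress.ip_address(src) in LAN

def nat_prerouting(src: str, dport: int) -> int:
    """Model of 'iptables -t nat -I PREROUTING ... --dport 25 -j REDIRECT --to-ports 2525'.
    LAN traffic to the MTA port is rewritten to the scanner port; anything else is untouched."""
    if in_lan(src) and dport == MTA_PORT:
        return SCANNER_PORT
    return dport

def filter_input(src: str, dport: int, hardened: bool) -> bool:
    """Model of the INPUT chain. With the hardening rule
    ('iptables -I INPUT -p tcp -s ! 192.168.1.0/24 --dport 2525 -j DROP')
    non-LAN packets to 2525 are dropped; the default policy is ACCEPT."""
    if hardened and dport == SCANNER_PORT and not in_lan(src):
        return False
    return True

def deliver(src: str, dport: int, hardened: bool = True) -> str:
    """Which local service a TCP connection from src to dport reaches."""
    port = nat_prerouting(src, dport)          # nat table runs before filter
    if not filter_input(src, port, hardened):  # filter sees the rewritten port
        return DROPPED
    if port == SCANNER_PORT:
        return "nod32smtp"
    if port == MTA_PORT:
        return "mta"
    return "other"

def relay_path(src: str, dport: int, hardened: bool = True) -> list:
    """Trace the hops a message takes. nod32smtp hands scanned mail to the MTA
    over loopback, where the MTA treats it as local and applies no relay checks,
    so an external host that reaches 2525 gets an open relay."""
    hops = [deliver(src, dport, hardened)]
    if hops[0] == "nod32smtp":
        hops.append(deliver("127.0.0.1", MTA_PORT, hardened))
    return hops
```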
Note that BSD OS uses the ipfw tool for network filtering. Thus in the case of BSD OS, the appropriate rule for
rerouting communication from the LAN arriving on port 25 to port 2525 is as follows.
natd -interface xl0 -redirect_port tcp 192.168.1.10:2525 25
where xl0 is the network interface of the server computer with IP address 192.168.1.10. To add the diverting rule
to the ipfw firewall, enter the following rule.
/sbin/ipfw add divert natd all from any to any via xl0
Note that for the ipfw firewall and the natd daemon to work properly, the BSD OS kernel has to be compiled
with the options IPFIREWALL and IPDIVERT. Moreover, the following options have to be written into '/etc/rc.conf'.
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
Now all the communication arrives at nod32smtp, which can be verified in the module's logging output. As in the
Linux case above, this setting turns port 2525 into an open relay: nod32smtp accepts all packets that arrive on port
2525 (including packets from outside the local network) and forwards them to port 25, where the MTA interprets them
as local communication on the loopback interface and therefore does not reject them by its relay rules. Solve this by
disabling all communication with port 2525 except from the local network, using the following ipfw rule.
ipfw add deny tcp from not 192.168.1.0/24 to 192.168.1.10 2525 via xl0
chapter 4 / Integration with E-mail Messaging System