Is the SquirrelMail machine
1. behind a firewall,
2. different from the IMAP server,
3. different from the SMTP server?

A common scenario is to have SM on the mail machine running both SMTP and IMAP behind the firewall. If that is the case, all that is needed is to open up ports 80 and 443 at the firewall and direct the traffic to the SM/SMTP server.

iptables -t nat -I PREROUTING -d <public facing IP> -p tcp -m multiport --dports 80,443 -j DNAT --to-destination <internal machine IP>
iptables -I FORWARD -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

The incoming packets have to cross BOTH the nat AND the filter table, so nat is used to redirect (--dports may not be in your kernel, so use --dport and two rules instead). Now the packet is "inside" the system and needs to be allowed to be forwarded, so the next rule happens. But we still don't trust it, so the state is checked and only related transfers happen afterwards.

Port numbers: You don't need to allow access to port 143 to the outside world unless people are checking their email with a client from home. If so, you need to set up TLS/SSL encryption or else you will be staring at a security breach in the future.

I HIGHLY recommend the excellent book "Real World Linux Security" by Bob Toxen (ISBN 0-13-046456-2) for anyone tasked/cursed with hardening Linux systems. Bob was on the team that ported Unix to Silicon Graphics hardware and is currently a system security guru.

On Thu, 2007-10-25 at 18:48 -0700, Huck wrote:
> fought with this for the past hour...gave up again.
> it's my 3rd attempt..this is on a stand-alone debian box with no gui.
> 
> I tried the following:
> 
> iptables -t nat -I PREROUTING -d $ETH0IP -p tcp -m tcp --dport 143 -j DNAT --to 10.1.3.5:143
> iptables -t nat -I PREROUTING -d $ETH0IP -p tcp -m tcp --dport 80 -j DNAT --to 10.1.3.5:80
> 
> didn't work so tried:
> 
> iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.3.5
> iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.1.3.5
> 
> 
> am I thinking backwards? I copied what I have for my e-mail port 25 to be redirected to my email server...and that I know works =)
> 
> --Huck
> 
> Mr Barry Cisna wrote:
> > Huck,
> > 
> > To allow users "at home" access to your SM server, just port forward on your border firewall.
> > For example, your SM server's internal IP address is 1.2.3.4 and you have a public IP range for your school of 4.3.2.1-4.3.2.10; just port forward 1.2.3.4 -> 4.3.2.1.
> > You will need to port forward both tcp 143 and tcp 80 to the public IP address.
> > To test, get on a box "outside" of your LAN and do 'telnet publicipaddress 143' and 'telnet publicipaddress 80'. If you get a response on both of these port numbers, your users can access your SM at home as easily as they can at school.
> > 
> > Take Care,
> > 
> > Barry Cisna
> > 
> > _______________________________________________
> > K12OSN mailing list
> > K12OSN redhat com
> > https://www.redhat.com/mailman/listinfo/k12osn
> > For more info see <http://www.k12os.org>
> 
> 

-- 
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions,LLC
770-493-8244
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney localnetsolutions com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
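As an added illustration of the DNAT-then-FORWARD pattern James describes above (this is example code written for this page, not from any poster or from the SquirrelMail project): a small POSIX shell script that prints the nat and filter rules for a list of ports, falling back to one rule per port when the multiport match is unavailable, as his parenthetical suggests. The addresses 203.0.113.10 and 10.1.3.5 are constructed placeholders, and the FORWARD rule is narrowed to the internal host's address (a tightening beyond the rules in the reply). The script only prints the commands, so they can be reviewed before being piped to a root shell; it also assumes the firewall has IP forwarding enabled.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the rules that publish a
# webmail host behind a Linux firewall. Addresses used below are constructed.

# gen_forward_rules PUBLIC_IP INTERNAL_IP MULTIPORT(yes|no) PORT...
# Emits iptables commands on stdout. With the multiport match, one DNAT rule in
# the nat table and one NEW-state rule in the filter table cover all ports;
# without it, one DNAT and one FORWARD rule are emitted per port.
gen_forward_rules() {
    public_ip=$1
    internal_ip=$2
    multiport=$3
    shift 3
    if [ "$multiport" = yes ]; then
        ports=$(printf '%s,' "$@")
        ports=${ports%,}   # strip trailing comma -> "80,443"
        echo "iptables -t nat -I PREROUTING -d $public_ip -p tcp -m multiport --dports $ports -j DNAT --to-destination $internal_ip"
        echo "iptables -I FORWARD -d $internal_ip -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT"
    else
        for p in "$@"; do
            echo "iptables -t nat -I PREROUTING -d $public_ip -p tcp --dport $p -j DNAT --to-destination $internal_ip"
            echo "iptables -I FORWARD -d $internal_ip -p tcp --dport $p -m state --state NEW -j ACCEPT"
        done
    fi
    # Return traffic for connections already accepted; -I puts it at the top of
    # FORWARD so it is matched first, as in the reply's rule ordering.
    echo "iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
}

# The DNAT rules do nothing useful unless the kernel forwards packets at all.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Usage (review first, then apply as root):
#   gen_forward_rules 203.0.113.10 10.1.3.5 yes 80 443
#   forwarding_enabled && gen_forward_rules 203.0.113.10 10.1.3.5 yes 80 443 | sh
```

Port 143 is deliberately not in the list; following the reply, it should only be published if remote clients need it, and then only with TLS in front of it.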