On Fri, 2007-10-26 at 11:05 -0700, Huck wrote:
> also...is it somehow possible that the webserver on the SM machine only
> accepts requests from INTERNAL subnet addresses?

Check the iptables on the machine to see if port 80 is blocked for
non-local addresses. Since that machine runs squid, you will need to have
a redirect rule for internal IPs only to use squid. Non-internal IPs
should proceed unaltered to the web server. -OR- make the rule for squid
to only use squid if the destination IP is not the local IP.

> --Huck
>
> James P. Kinney III wrote:
> > Is the SquirrelMail machine
> > 1. Behind a firewall
> > 2. different from the imap server
> > 3. different from the smtp server
> > ?
> >
> > A common scenario is to have SM on the mail machine running both smtp
> > and imap behind the firewall. If that is the case, all that is needed is
> > to open up port 80 and 443 at the firewall and direct the traffic to the
> > SM/smtp server.
> >
> > iptables -t nat -I PREROUTING -d <public facing IP> -p tcp -m multiport
> > --dports 80,443 -j DNAT --to-destination <internal machine IP>
> >
> > iptables -I FORWARD -p tcp -m multiport --dports 80,443 -m state --state NEW
> > -j ACCEPT
> > iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > The incoming packets have to cross BOTH the nat AND filter table so nat
> > is used to redirect (--dports may not be in your kernel so use --dport
> > and two rules instead). Now the packet is "inside" the system and needs
> > to be allowed to be forwarded so the next rule happens. But we still
> > don't trust it so the state is checked and only related transfers happen
> > afterwards.
> >
> > Port numbers: You don't need to allow access to port 143 to the outside
> > world unless people are checking their email with a client from home.
> > If so, you need to set up TLS/SSL encryption or else you will be staring
> > at a security breach in the future.
> >
> > I HIGHLY recommend the excellent book "Real World Linux Security" by Bob
> > Toxen (ISBN # 0-13-046456-2) for anyone tasked/cursed with hardening
> > Linux systems. Bob was on the team that ported Unix to Silicon Graphics
> > hardware and is currently a system security guru.
> >
> > On Thu, 2007-10-25 at 18:48 -0700, Huck wrote:
> >> fought with this for the past hour...gave up again.
> >> it's my 3rd attempt..this is on a stand-alone debian box with no gui.
> >>
> >> I tried the following:
> >>
> >> iptables -t nat -I PREROUTING -d $ETH0IP -p tcp -m tcp --dport 143 -j
> >> DNAT --to 10.1.3.5:143
> >> iptables -t nat -I PREROUTING -d $ETH0IP -p tcp -m tcp --dport 80 -j
> >> DNAT --to 10.1.3.5:80
> >>
> >> didn't work so tried:
> >>
> >> iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 80 -j
> >> DNAT --to-destination 10.1.3.5
> >> iptables -t nat -A PREROUTING -d $ETH0IP -p tcp -m tcp --dport 143 -j
> >> DNAT --to-destination 10.1.3.5
> >>
> >> am I thinking backwards? I copied what I have for my e-mail port 25 to
> >> be redirected to my email server...and that I know works =)
> >>
> >> --Huck
> >>
> >> Mr Barry Cisna wrote:
> >>> Huck,
> >>>
> >>> To allow users "at home" access to your SM server, just port forward on
> >>> your border firewall.
> >>> For example your SM server's internal IP address is 1.2.3.4 and you have a
> >>> public ip range for your school of 4.3.2.1-4.3.2.10, just port forward
> >>> 1.2.3.4 -> 4.3.2.1.
> >>> You will need to port forward both tcp 143 and tcp 80 to the public ip
> >>> address.
> >>> To test, get on a box "outside" of your lan and do 'telnet publicipaddress
> >>> 143' and 'telnet publicipaddress 80'. If you get a response on both of
> >>> these port numbers your users can access your SM at home as easily as they
> >>> can at school.
> >>>
> >>> Take Care,
> >>>
> >>> Barry Cisna
> >>>
> >>> _______________________________________________
> >>> K12OSN mailing list
> >>> K12OSN redhat com
> >>> https://www.redhat.com/mailman/listinfo/k12osn
> >>> For more info see <http://www.k12os.org>
>
-- 
James P. Kinney III
CEO & Director of Engineering
Local Net Solutions,LLC
770-493-8244
http://www.localnetsolutions.com
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics) <jkinney localnetsolutions com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
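Added example, not from the thread or any of its authors: a dry-run shell script that emits the two-rule form of the DNAT/FORWARD setup discussed above (one rule per port, so it works without multiport) plus a squid REDIRECT that applies only to internal clients and skips traffic destined for the SM server, as the reply suggests. It assumes the gateway itself runs squid on port 3128, a 10.1.3.0/24 LAN on eth1, and a constructed placeholder public IP; all of these are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not part of the original thread). Generates the iptables
# rules for: DNAT 80/443 from the public IP to the SquirrelMail box, FORWARD
# acceptance for those flows, and a transparent-squid REDIRECT limited to
# internal sources that never touches traffic aimed at the SM server.
# Assumptions (not in the thread): squid on this gateway listens on 3128,
# the LAN is 10.1.3.0/24 behind eth1. Default is dry-run: commands are only
# printed. Set IPT=iptables (as root) to apply them.

IPT="${IPT:-echo iptables}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # constructed placeholder (TEST-NET-3)
SM_IP="${SM_IP:-10.1.3.5}"                # internal SM/IMAP box used in the thread
LAN="${LAN:-10.1.3.0/24}"                 # assumed internal subnet
LAN_IF="${LAN_IF:-eth1}"                  # assumed internal interface
SQUID_PORT="${SQUID_PORT:-3128}"          # assumed squid listen port

# One DNAT rule and one FORWARD rule per port: the --dport/two-rule variant
# the thread recommends when --dports is unavailable.
dnat_rules() {
  for port in 80 443; do
    $IPT -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp -m tcp --dport "$port" \
      -j DNAT --to-destination "$SM_IP"
    $IPT -A FORWARD -d "$SM_IP" -p tcp -m tcp --dport "$port" \
      -m state --state NEW -j ACCEPT
  done
  # Replies and follow-on packets of already-accepted connections only.
  $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Transparent squid for internal clients only. "! -d $SM_IP" excludes the
# webmail server itself, so internal users reach SquirrelMail directly and
# the proxy cannot swallow DNAT'd traffic meant for it.
squid_rules() {
  $IPT -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN" ! -d "$SM_IP" \
    -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

all_rules() {
  dnat_rules
  squid_rules
}

all_rules
```

Run it once without IPT set and review the printed rules before applying; the squid rule must exclude the SM server or internal webmail access breaks.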