Hello every one
I explain a little bit how is the enviroment and what is the request to fully deploy the PMG at our organization.
The PMG is located at the DMZ, so is needded that this besides does the processing of the SMTP incomming mail, let us pass through and deliver traffic by it self the related with HTTPS (TCP/443), SMTP Submission (TCP/587) and the POP3 Secure (TCP/995) to the Exchange CAS located at the same DMZ (by the way of the SMTP TCP/25 traffic the PMG is delivering to the Exchange CAS without problems).
Even when I've configured the needed iptables DNAT rules and I've enabled the IPv4 packet forwarding for the previously explained inherent traffic to the Excchange CAS in the following manner but it doesn't route this traffic:
#! /usr/bin/bash
ipcmd=/usr/bin/ip
mdprb=/usr/sbin/modprobe
iptb=/usr/sbin/iptables
$ipcmd route delete 172.16.0.17/32 via 172.16.0.27
$ipcmd route add 172.16.0.17/32 via 172.16.0.27
$mdprb ip_nat_ftp
$mdprb ip_conntrack
$mdprb ip_conntrack_ftp
$iptb -t nat -F
$iptb -t nat -A PREROUTING -p icmp --icmp-type 8 -j ACCEPT
#$iptb -t nat -A PREROUTING -p tcp -m multiport --destination-port 443,587,995 -j ACCEPT
$iptb -t nat -A PREROUTING -p tcp --dport 443 -j ACCEPT
$iptb -t nat -A PREROUTING -p tcp --dport 587 -j ACCEPT
$iptb -t nat -A PREROUTING -p tcp --dport 995 -j ACCEPT
$iptb -t nat -A PREROUTING -i ens224 -p tcp --dport 443 -j DNAT --to-destination 172.16.0.17
$iptb -t nat -A PREROUTING -i ens224 -p tcp --dport 587 -j DNAT --to-destination 172.16.0.17
$iptb -t nat -A PREROUTING -i ens224 -p tcp --dport 995 -j DNAT --to-destination 172.16.0.17
$iptb -t nat -A OUTPUT -p tcp --dport 443 -o ens224 -j DNAT --to-destination 172.16.0.17
$iptb -t nat -A OUTPUT -p tcp --dport 587 -o ens224 -j DNAT --to-destination 172.16.0.17
$iptb -t nat -A OUTPUT -p tcp --dport 995 -o ens224 -j DNAT --to-destination 172.16.0.17
#$iptb -t nat -A POSTROUTING -o lo -j MASQUERADE
$iptb -t nat -A POSTROUTING -p icmp --icmp-type 8 -j MASQUERADE
$iptb -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE
$iptb -t nat -A POSTROUTING -p tcp --dport 587 -j MASQUERADE
$iptb -t nat -A POSTROUTING -p tcp --dport 995 -j MASQUERADE
By the side of the packet forwarding this is correctly activated ith the sysctl.conf
root@sagw:~# cat /proc/sys/net/ipv4/ip_forward
1
Is there something that I've forgotten?
Greetings
I explain a little bit how is the enviroment and what is the request to fully deploy the PMG at our organization.
The PMG is located at the DMZ, so is needded that this besides does the processing of the SMTP incomming mail, let us pass through and deliver traffic by it self the related with HTTPS (TCP/443), SMTP Submission (TCP/587) and the POP3 Secure (TCP/995) to the Exchange CAS located at the same DMZ (by the way of the SMTP TCP/25 traffic the PMG is delivering to the Exchange CAS without problems).
Even when I've configured the needed iptables DNAT rules and I've enabled the IPv4 packet forwarding for the previously explained inherent traffic to the Excchange CAS in the following manner but it doesn't route this traffic:
#! /usr/bin/bash
ipcmd=/usr/bin/ip
mdprb=/usr/sbin/modprobe
iptb=/usr/sbin/iptables
$ipcmd route delete 172.16.0.17/32 via 172.16.0.27
$ipcmd route add 172.16.0.17/32 via 172.16.0.27
$mdprb ip_nat_ftp
$mdprb ip_conntrack
$mdprb ip_conntrack_ftp
$iptb -t nat -F
$iptb -t nat -A PREROUTING -p icmp --icmp-type 8 -j ACCEPT
#$iptb -t nat -A PREROUTING -p tcp -m multiport --destination-port 443,587,995 -j ACCEPT
$iptb -t nat -A PREROUTING -p tcp --dport 443 -j ACCEPT
$iptb -t nat -A PREROUTING -p tcp --dport 587 -j ACCEPT
$iptb -t nat -A PREROUTING -p tcp --dport 995 -j ACCEPT
$iptb -t nat -A PREROUTING -i ens224 -p tcp --dport 443 -j DNAT --to-destination 172.16.0.17
$iptb -t nat -A PREROUTING -i ens224 -p tcp --dport 587 -j DNAT --to-destination 172.16.0.17
$iptb -t nat -A PREROUTING -i ens224 -p tcp --dport 995 -j DNAT --to-destination 172.16.0.17
$iptb -t nat -A OUTPUT -p tcp --dport 443 -o ens224 -j DNAT --to-destination 172.16.0.17
$iptb -t nat -A OUTPUT -p tcp --dport 587 -o ens224 -j DNAT --to-destination 172.16.0.17
$iptb -t nat -A OUTPUT -p tcp --dport 995 -o ens224 -j DNAT --to-destination 172.16.0.17
#$iptb -t nat -A POSTROUTING -o lo -j MASQUERADE
$iptb -t nat -A POSTROUTING -p icmp --icmp-type 8 -j MASQUERADE
$iptb -t nat -A POSTROUTING -p tcp --dport 443 -j MASQUERADE
$iptb -t nat -A POSTROUTING -p tcp --dport 587 -j MASQUERADE
$iptb -t nat -A POSTROUTING -p tcp --dport 995 -j MASQUERADE
By the side of the packet forwarding this is correctly activated ith the sysctl.conf
root@sagw:~# cat /proc/sys/net/ipv4/ip_forward
1
Is there something that I've forgotten?
Greetings
Last edited: