Problems with my implementation

[apvargas]

Hi,

I have a problem with the implementation of PMG, I have internal network clients, everything works ok. However, public network clients cannot connect to the mail server because in the PMG, which now has the public IP that the mail server had, it rejects requests to ports 587, 995.
These services listen on the mail server.
I configured iptables rules to redirect traffic from those ports to the mail server, however, doing so stops traffic from internal networks to the internet.

Any suggestions?

 

[Stoiko Ivanov]

hm - how did you implement the redirections?:
* on which system did you enter the iptable rules
* if on PMG - does the internal server also route traffic (at least for those 2 ports) via PMG?

maybe it would be easier to do the redirections on your gateway/router (and also redirect traffic for PMG (port 25 and maybe 26) there?

 

[apvargas]

hm - how did you implement the redirections?:
* on which system did you enter the iptable rules
* if on PMG - does the internal server also route traffic (at least for those 2 ports) via PMG?

maybe it would be easier to do the redirections on your gateway/router (and also redirect traffic for PMG (port 25 and maybe 26) there?

Hi,

Redirects were made as follows:

The following iptables rules were applied in the PMG:

iptables -t nat -F
echo "1"> / proc / sys / net / ipv4 / ip_forward
iptables -t nat -A PREROUTING -p tcp --dport 587 -j DNAT --to-destination X.X: X: X: 587 (private IP)
iptables -t nat -A PREROUTING -p tcp --dport 993 -j DNAT --to-destination X.X: X: X: 995 (private IP)
iptables -t nat -A POSTROUTING -j MASQUERADE


(* if on PMG - does the internal server also route traffic (at least for those 2 ports) via PMG?)

Do you indicate that the mail server should have the PMG as its gateway?


Thanks

 

[apvargas]

Hi Stoikov,

I am attaching a diagram of the IT scenario to the post. To clarify the approach.

Thanks

 

[Stoiko Ivanov]

hmm - any chance to forward port 587 and 995 on the AWS cloud-firewall to the appropriate servers? (that would be probably the simplest and cleanest setup)

Do you indicate that the mail server should have the PMG as its gateway?

depends - but if your PMG sends the packets after DNAT to your internal mail-server it receives the packets with a public source-ip (of the actual sender) - then it sends the reply to that (public) IP - which goes out it's default gateway (hence the return packets never arrive at PMG and are not masqueraded

I hope this explains it better.

 

[apvargas]

Yes, the answer is clearer. However, in the AWS firewall it is not feasible to perform the configuration mentioned, we can only configure a NAT gateway, associated with a VM by routing all traffic for the mentioned instance.
I will try installing an iptables in a separate instance that receives traffic for the IP and forwarding to the corresponding instance according to the port.

Very grateful for the answer.

 

[Stoiko Ivanov]

I will try installing an iptables in a separate instance that receives traffic for the IP and forwarding to the corresponding instance according to the port.

Sounds like a good plan! Please report back how it worked out (for others in a similar situation)

Thanks!

 

[apvargas]

Hi,

The solution implemented for this case was at the DNS level, publishing the new IP of the mail server to respond to the authentication requests and additionally the priorities of the MX records were changed.
In summary, it was not necessary to implement the IPTABLES firewall raised as an alternative solution.



Thank you

 

[Stoiko Ivanov]

Glad you found a solution.
Please mark the post as 'SOLVED' - it might help others in a similar situation

Thanks!