Hello, I had set up a Mailserver on a Fedora Core 6 system using the 'Installing A LAMP System With Fedora Core 6' HOWTO a long time back. Our internal network users are unable to FTP to servers outside, nor are they able to check mail on the main domain web cum mail server using IMAP. It seems like all outgoing ports are blocked. I have not set up any firewall like iptables as given in the tutorial and am running the system at runlevel 5. Here is the output of iptables -L.

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

I have set up Squid Proxy which users use to browse the web using the default port 3128. Do I need to do something to allow internal network users to access ports in the outside world?

Thanks,
Amal
By "internal network users" do you mean user accounts on the FC6 system or do you mean other host systems (i.e., computers) on the LAN? Are you using your "Mailserver" as a gateway? Please include the routing table (e.g., `netstat -r` or `/sbin/route -n`). Are you using your "Mailserver" as a proxy too?
Yes, my mailserver is being used as a gateway and a Proxy too. Sorry, I should have given you more inputs:

    FC6 IP on internal network: 192.9.200.40 - All Windows PCs are on this IP series.
    IP connected to Modem: 192.168.1.2
    Modem IP: 192.168.1.1

You are right, "internal network users" means Windows PCs inside the LAN. I am able to do everything from the FC6 machine (FTP and use IMAP etc.) but not from any Windows machine on the LAN.

    # netstat -r
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.1.0     *               255.255.255.0   U         0 0          0 eth1
    192.9.200.0     *               255.255.255.0   U         0 0          0 eth0
    169.254.0.0     *               255.255.0.0     U         0 0          0 eth1
    default         gateway         0.0.0.0         UG        0 0          0 eth1

Yes, Falko, I will check the router, but I think it is some firewall issue, as the FC6 machine is able to use FTP/IMAP to the outside world - sorry I didn't specify that earlier. Something to do with the firewall or IP forwarding. iptables is ON for runlevel 3 but the machine is on 5. chkconfig for iptables returns:

    # chkconfig --list iptables
    iptables        0-off   1-off   2-on    3-on    4-on    5-off   6-off
Step #1: Are hosts able to ping the IMAP server? Using iptables to enable passive FTP and masquerading requires additional modules. Have you read Chapter 14 of the Linux Home Networking HOWTO? In particular, I recommend reading Section 13 & Section 14.7. Are you sure that hosts are using this system as their default gateway? (What device is serving DHCP on the LAN?) Please correct+clarify and include more detailed information (e.g., IP address of the IMAP server).
After thinking about this for a while, it occurred to me that this system can't possibly be functioning as the segment's gateway if the Netfilter chains are empty. That's when I realized that I hadn't read your original post completely... You'll need to correctly configure your default gateway (i.e., 192.168.1.1). You'll need to follow the directions in Chapter 14 of the Linux Home Networking HOWTO.
Hello epretorious,

Yes, you are right, I set up masquerading and it worked.

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -s 192.9.200.1/24 -o eth1 -j MASQUERADE

But I am unable to understand how come, even after this setup, the iptables output still seems to show empty. It's like in my first post. I will modify this to open ports selectively.

Thanks,
Amal
Eric, just for completeness' sake: none of the hosts in my internal network were able to access my domain IMAP server, nor were they able to ping any host beyond the Linux server. I had set up the NAT modules to load earlier. The server was not allowing anything to pass through it from the internal network.

Thanks,
Amal
Congratulations! I recommend reading Section 6 of Chapter 14 of the Linux Home Networking HOWTO paying special attention to tables versus chains. Another helpful resource, the IPTABLES flowchart, seems to be missing from the HOWTO but can be found in David Baird's "Introduction to iptables". Does it work now, though?
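Amal's question about why iptables -L still looks empty and Eric's pointer to tables versus chains come down to the same thing: iptables -L lists only the filter table, while the MASQUERADE rule lives in the nat table and only appears with -t nat, and no nat rule matters until net.ipv4.ip_forward is switched on. The script below is an added example, not code from this thread or from the HOWTO; it takes eth0 as the LAN side and eth1 as the modem side as given in the posts, goes one step beyond the posted rules by restricting FORWARD to the LAN subnet instead of leaving its policy at ACCEPT, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Interfaces and subnet are taken
# from the posts above: eth0 faces the 192.9.200.0/24 LAN, eth1 the modem.
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.9.200.0/24   # the post wrote 192.9.200.1/24; iptables masks it to .0

# Emit the rule set so it can be reviewed first, then piped to "sh -e".
gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
EOF
}
# The two modprobe lines are the FC6-era FTP helpers for passive FTP through
# NAT; on newer kernels they are called nf_conntrack_ftp and nf_nat_ftp.

# "iptables -L" alone lists the filter table, which is why the post saw empty
# chains; the MASQUERADE rule only shows up when the nat table is selected.
show_nat() {
    iptables -t nat -L POSTROUTING -n -v
}

# Without ip_forward=1 the kernel drops LAN packets before nat ever sees them.
# Takes the sysctl file path as an argument so it can be checked against a copy.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Run as root with "apply" to install the rules; any other invocation only prints them.
if [ "$(id -u 2>/dev/null)" = "0" ] && [ "${1:-}" = "apply" ]; then
    gateway_rules | sh -e
    show_nat
    forwarding_enabled /proc/sys/net/ipv4/ip_forward || echo "warning: ip_forward is still 0" >&2
else
    gateway_rules
fi
```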