Yogo
just joined
Topic Author
Posts: 23
Joined: Fri Oct 18, 2013 12:58 pm
Location: Sydney, Australia

NAT Rule + Firewall Rule?

Tue Nov 12, 2013 2:06 am

Hi All,

Silly question, but I just want to confirm that I understand the flow diagram correctly...

Scenario:

I have an exchange server with the SMTP receive connector listening on port 25. ISP blocks 25 (in and out) so I have to run it on another port.


So, I have to create a dst-nat rule like the one below to accept mail from the outside world on 9025:

ros code

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.0.0.208 to-ports=25 protocol=tcp in-interface=WAN dst-port=9025

I then have to create a firewall rule to open up 9025 on the WAN interface:

ros code

/ip firewall filter add chain=forward action=accept protocol=tcp in-interface=WAN dst-port=9025

Is this correct?

Thanks in advance
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: NAT Rule + Firewall Rule?

Tue Nov 12, 2013 2:55 am

Yes, that is correct; however, in my experience the IP -> Firewall forward rule is not required when a dst-nat is in place.

Also, SMTP on mail servers typically only works on port 25, so with your current configuration mail will be sent but not received by your server: other servers will send to the blocked port 25. You will most likely need a mail reflector out on the web to receive the mail on port 25 and then send it to the router on port 9025, so the router can NAT it back to port 25 internally.
 
Yogo
just joined
Topic Author
Posts: 23
Joined: Fri Oct 18, 2013 12:58 pm
Location: Sydney, Australia

Re: NAT Rule + Firewall Rule?

Tue Nov 12, 2013 3:06 am

CTrain wrote:
You will most likely need a Mail reflector out on the web to receive the mail on port 25 then send it to the router on port 9025

Thanks CTrain, the mail reflector is already in place...

So the firewall filter is redundant when a dst-nat rule is in play, then? Interesting, as the flow diagram that I saw (can't remember the link) showed that once the packet passes through the NAT portion, it gets passed to the forward chain of the filters...
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: NAT Rule + Firewall Rule?

Tue Nov 12, 2013 3:12 am

When you set up the firewall initially, there are accept rules for established and related connections. I believe it is because of those rules that the packets are accepted.
 
Yogo
just joined
Topic Author
Posts: 23
Joined: Fri Oct 18, 2013 12:58 pm
Location: Sydney, Australia

Re: NAT Rule + Firewall Rule?

Tue Nov 12, 2013 3:16 am

CTrain wrote:
When you set up the firewall initially there are accept commands for established and related connections. I believe that because those rules that the packets are accepted.

Ahh... thanks!
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: NAT Rule + Firewall Rule?

Tue Nov 12, 2013 3:27 am

The firewall filter rule should use port 25, since dst-nat is performed before the filter rule gets checked.
Whether it is actually needed depends on the existing firewall filter rules. If those are correct, you will need the rule. Established and related won't be enough, because there is no established connection when the connection is initiated from outside.
 
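Added example (not part of the thread, and not from any of the posters): the rule pair written out the way Rudios describes it, so the ordering is visible in one place. It reuses the names from Yogo's post (the WAN interface called "WAN", the Exchange host at 10.0.0.208, reflector traffic arriving on 9025); the surrounding established/related accept, the final drop, the dst-address restriction and the comment text are my assumptions about a typical default-style RouterOS firewall, and the connection-nat-state matcher is assumed to be available on the RouterOS version in use (it is documented for v6).

```routeros
# Added example: dst-nat plus the matching forward rule, with the wrong rule
# from the original post kept (commented out) next to the corrected one.
# Assumed: interface "WAN", Exchange at 10.0.0.208, reflector sends to 9025.

/ip firewall nat
# dst-nat is applied in prerouting, before the filter forward chain sees the packet,
# so everything after this point sees dst-port=25, not 9025.
add chain=dstnat action=dst-nat protocol=tcp in-interface=WAN dst-port=9025 \
    to-addresses=10.0.0.208 to-ports=25 \
    comment="SMTP reflector (9025) -> Exchange:25"

/ip firewall filter
# The usual stateful accept. It only matches replies and follow-on packets of a
# connection already in the tracking table; the first SYN from the reflector is
# connection-state=new, so this rule alone does not let the mail in.
add chain=forward action=accept connection-state=established,related

# WRONG (from the original question): the port has already been rewritten to 25
# when the forward chain runs, so this never matches and its counter stays at 0.
# add chain=forward action=accept protocol=tcp in-interface=WAN dst-port=9025

# RIGHT: match the post-translation destination, pinned to the one host so the
# rule does not open port 25 to the whole LAN.
add chain=forward action=accept protocol=tcp in-interface=WAN \
    dst-address=10.0.0.208 dst-port=25 connection-state=new \
    comment="allow translated SMTP to Exchange"

# Alternative (assumed available on this RouterOS version): accept whatever a
# dst-nat rule deliberately translated, regardless of port. Keep it just as
# specific as your NAT rules, since it trusts every dst-nat entry.
# add chain=forward action=accept in-interface=WAN connection-nat-state=dstnat \
#     connection-state=new comment="accept dst-natted inbound"

# Default deny for anything else new from the WAN side. Filter rules are
# evaluated top-down, so this must stay below the accepts.
add chain=forward action=drop in-interface=WAN connection-state=new
```

To check which rule is doing the work, have the reflector (or any outside host) connect to the public address on 9025 and watch the counters with `/ip firewall filter print stats`: the 9025 forward rule never increments, the port-25 rule does, and `/ip firewall connection print` shows the tracked entry with the translated destination 10.0.0.208:25.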
Yogo
just joined
Topic Author
Posts: 23
Joined: Fri Oct 18, 2013 12:58 pm
Location: Sydney, Australia

Re: NAT Rule + Firewall Rule?

Tue Nov 12, 2013 3:55 am

Rudios wrote:
The firewall filter rule should use port 25. Since dstnat is performed before the filter rule gets checked.
And whether it is actually needed depends on the existing firewall filter rules. If those are correct you will need the rule. Established and related won't be enough because there is no established connection when initiated from outside.

AHA! That makes more sense... Filters are applied after translation, and therefore the internal port should be referenced!

Many thanks Rudios! (again)
