[NTLUG:Discuss] Port forwarding with IPCop
Rob Apodaca
rapodaca at raacc.com
Sat Feb 28 07:55:13 CST 2004
On Fri, 2004-02-27 at 21:26, Bobby Wrenn wrote:
> More info:
>
> When I telnet to port 110 on my old server I get "+OK POP3
> bird.nest.home v7.64 server ready". When I do the same on the new box on
> the other side of the DMZ I get "telnet: connect to address 192.168.2.2:
> Connection refused". I can telnet to other active ports on 192.168.2.2
> from the internal side of the DMZ. This indicates that the firewall is
> blocking (I don't think it is) or that I am missing something (a POP3
> service) on the public side of the DMZ.
>
> Am I on the right track? I can't find any running process related to
> POP3 on the old system.
>
> Still in the fog
> Bobby
> Bobby Wrenn wrote:
> > I am having trouble with my new DMZ setup.
> >
> > My old network looked like this
> >
> > WORLD
> > |
> > Firewall (running Apache and Postfix)
> > |
> > Internal LAN
> >
> > Local (Internal LAN) clients were collecting mail from Firewall with
> > POP3 clients.
> >
> > Old network was running ipchains and it has been static for at least 4
> > years. Translation "I can't remember how I did it."
> >
> > New network looks like this
> >
> > WORLD
> > |
> > Firewall machine with 3 NICs running IPCop Static IP
> > |
> > _____|_________
> > |              |
> > Internal LAN   Servers (Apache and Postfix)
> > 192.168.1.0/24 192.168.2.0/24
> >
> > On the firewall I have the following set up for forwarding.
> >
> > TCP DEFAULT IP : 25(SMTP) > 192.168.2.2 : 25(SMTP)
> > TCP DEFAULT IP : 110(POP3) > 192.168.2.2 : 110(POP3)
> > TCP DEFAULT IP : 80(HTTP) > 192.168.2.2 : 80(HTTP)
> >
> > I think these are correct. However, I can't retrieve mail from Servers
> > on Internal LAN. The error indicates "Connection refused".
> >
> > I'm sure I'm missing something simple. But it's been a few years since I
> > have tried to mess with this. What am I missing?
I would recommend getting things working by IP first...then get DNS
working.
Here are a few things to verify:
1. Since 192.168.1.0 and 192.168.2.0 are on different subnets, your
firewall will need to be able to route packets between them...Make sure
there are no firewall rules preventing packets or ports between those
private networks.
2. When you say "can't find running process for pop", you can check this
by doing netstat -an | grep :110
You should get:
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN
If not, pop is not running.
Install tcpdump and traceroute and use them to figure out if your
attempts to connect to the various ports are reaching the server. Also,
check the logs on your firewall and server for hints.
Cheers,
-Rob
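As an added illustration of the checks Rob lists (not code from the thread), here is a small Python probe that tells apart the three things a client can see when it connects through a DMZ boundary: a listening service (and its banner, like the "+OK POP3" greeting above), "connection refused" (host reachable, nothing bound to the port, which is what the original poster is hitting), and silence (packets dropped or not routed between the subnets). The fake POP3 listener is a constructed stand-in for testing on one machine; the hint text paraphrases the reply and is my own wording.

```python
import socket
import threading

# What each outcome means for the POP3 forward discussed above, and what to check next.
HINTS = {
    "open": "a service is listening; compare its banner with the old server's",
    "refused": "host reachable, nothing bound to the port: run "
               "'netstat -an | grep :110' on the server and start the POP3 daemon",
    "filtered": "no reply at all: packets dropped or not routed between the "
                "subnets; review the IPCop rules and run tcpdump on the server",
    "error": "connection could not even be attempted; fix routing/DNS first",
}


def probe_tcp(host, port, timeout=3.0):
    """Return (state, banner): state is 'open', 'refused', 'filtered' or
    'error'; banner is the service's greeting, e.g. '+OK POP3 ...'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""          # listening but silent (HTTP waits for us)
            return "open", banner
    except ConnectionRefusedError:   # RST came back: host up, no listener
        return "refused", ""
    except socket.timeout:           # SYN silently dropped or blackholed
        return "filtered", ""
    except OSError:                  # no route, name resolution failure, ...
        return "error", ""


def start_fake_pop3(banner, host="127.0.0.1"):
    """Constructed stand-in for the POP3 daemon: listen on an ephemeral port and
    greet exactly one client. Returns (port, listening_socket); close the socket
    and the next probe reports 'refused', just as the original poster saw."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)

    def serve_one():
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            conn.sendall((banner + "\r\n").encode("ascii"))

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1], srv
```

Run it against the real server as `probe_tcp("192.168.2.2", 110)` from both the internal LAN and the DMZ: a "refused" result confirms the firewall passed the packet and the missing piece is the POP3 daemon itself.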