
When trying to open ports 110 and 25 in my iptables for Outlook-only users, I can't do it except by forwarding like this:

-I FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
-I FORWARD -i eth1 -d 192.168.1.0/24 -j ACCEPT

But doing so allows the rest of the users in my LAN to bypass my Squid proxy. What's the proper syntax for these forwarding commands to open just ports 110 and 25?

EDIT:

This is my current iptables file, which I'm editing directly. It works for now, but I'm sure it's far from perfect. Currently users with no explicit proxy server cannot connect to the internet. The Outlook ports are working.

# Generated by iptables-save v1.3.5 on Fri Mar  9 13:59:24 2012
*nat
:PREROUTING ACCEPT [25448:1902369]
:POSTROUTING ACCEPT [29:1625]
:OUTPUT ACCEPT [786:56571]
-A POSTROUTING -o eth1 -j MASQUERADE 
COMMIT
# Completed on Fri Mar  9 13:59:24 2012
# Generated by iptables-save v1.3.5 on Fri Mar  9 13:59:24 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [1:68]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT 
-A INPUT -i eth0 -p tcp -m tcp --dport 3128 -m state --state NEW -j ACCEPT 
-A INPUT -i eth1 -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A INPUT -j LOGDROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o eth1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT 
-A OUTPUT -o eth1 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT 
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT 
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT 
-A OUTPUT -o eth1 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT 
-A OUTPUT -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT 
-A OUTPUT -o eth1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT 
-A OUTPUT -o eth1 -p tcp -m tcp --dport 5190 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-I FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-I FORWARD -i eth0 -s 192.168.1.0/24 -p tcp --dport 110 -j ACCEPT
-I FORWARD -i eth0 -s 192.168.1.0/24 -p tcp --dport 25 -j ACCEPT
-A LOGDROP -j LOG 
-A LOGDROP -j DROP 
COMMIT
# Completed on Fri Mar  9 13:59:24 2012
3a2roub

2 Answers

OK, let's start again from the beginning.

Set your FORWARD chain policy to ACCEPT (just in case):

iptables -P FORWARD ACCEPT

Clear your FORWARD chain:

iptables -F FORWARD

Allow your users out to check SMTP and POP:

iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -p tcp --dport 110 -j ACCEPT

DO NOT add `-d 192.168.1.0/24 -j ACCEPT`, as this is insecure.

Let the responses to these requests back in:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

Set your FORWARD chain policy back to DROP:

iptables -P FORWARD DROP

Now the first part should work. If not, then ip_forward is not enabled:

echo 1 > /proc/sys/net/ipv4/ip_forward

Regarding the reboot problem: iptables commands are not persistent, so you have to use a script, or use your Linux distribution's built-in iptables administration script.

The easiest and least elegant way is to run this command once you are happy with your configuration and it is working:

iptables-save >/etc/myfirewall_config

And hook up an init script which loads it back at boot:

iptables-restore </etc/myfirewall_config

Done.

If you still have problems after all of this, post your NAT table (`iptables -t nat -vnL`).

Gabor Vincze
  • I see. If I were to add the stateful rule and add the forwarding rules for the POP3 and SMTP ports only to specified IP addresses, as Jiri suggested below, would that still be insecure? – 3a2roub Mar 09 '12 at 16:22
  • If you add Jiri's rule and the stateful one, and delete what I suggested, then it is going to be secure. – Gabor Vincze Mar 09 '12 at 18:58
  • Added the stateful and Jiri's rules and everything works fine. Thanks to both of you. Should I have accepted Jiri's answer instead? – 3a2roub Mar 10 '12 at 10:28
  • Send the output of `iptables -vnL` and I can tell. – Gabor Vincze Mar 10 '12 at 11:43
  • IP forwarding is enabled, Gabor, it's set to 1. – 3a2roub Mar 12 '12 at 16:07
  • Gabor, thanks for bearing with me! I'm not using iptables commands, I'm editing the iptables file directly, so the reboot thing is puzzling me. However, every time a configuration works I actually do try to reboot and make sure everything is still working, but the next day it would stop working. Witchcraft, maybe. Anyhow, I've edited my original post, please check it and let me know what you think. – 3a2roub Mar 13 '12 at 13:32

`-I FORWARD -i eth1 -d 192.168.1.0/24 -j ACCEPT` enables/opens access from (probably) your egress interface to the internal LAN.

For allowing outgoing connections use `iptables -I FORWARD -s 192.168.1.0/24 -p tcp --dport 110 -j ACCEPT`.

Be aware that enabling outgoing connections just like that is wrong: you allow viruses/worms/trojans to connect to the internet via those ports. Restrict it by specifying the exact destination IP, or force users to use an internal SMTP server for outgoing connections with AUTH enabled.

If they need remote POP3, download mail via POP3 to a server inside your network and tell your users to use the internal POP3 "mirror" copy.

There are also some POP3 proxies, and some mail clients can run POP3/SMTP via a proxy...

jirib
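Both answers together describe one FORWARD chain: a stateful RELATED,ESTABLISHED rule, NEW connections from the LAN allowed only to TCP 25 and 110 (and, as jirib adds, only toward specific destination addresses), no blanket `-d 192.168.1.0/24` accept, and `iptables-save`/`iptables-restore` for persistence. The script below is an added example that combines those steps; it is not code from either answer or from the question. The interface names, the LAN network and the mail server addresses (`203.0.113.x`, a documentation range) are assumptions chosen for illustration. It goes slightly beyond the thread by logging whatever the chain drops, and it emits the rules as text first so they can be reviewed before they are applied.

```shell
#!/bin/sh
# Added example (not from the thread): build the FORWARD chain both answers
# describe, restricted to SMTP/POP3 toward named mail servers only, then persist it.
# Interface names, LAN network and mail server addresses are assumptions for
# illustration; 203.0.113.x is a documentation range, not a real provider.

LAN_IF=eth0                                   # LAN side of the gateway
WAN_IF=eth1                                   # upstream side (MASQUERADE is applied here)
LAN_NET=192.168.1.0/24
MAIL_SERVERS="203.0.113.25 203.0.113.110"     # constructed placeholders for the provider's SMTP/POP3 hosts
IPT=iptables

# Emit the rule list one command per line, so it can be reviewed (or checked by
# a test) before anything touches the kernel.
forward_rules() {
    echo "$IPT -P FORWARD ACCEPT"             # do not cut live sessions while rebuilding
    echo "$IPT -F FORWARD"
    # Replies to connections already allowed below; NEW is deliberately absent here.
    echo "$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # NEW connections only from the LAN, only toward the listed mail hosts, only to 25/110.
    for dst in $MAIL_SERVERS; do
        for port in 25 110; do
            echo "$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -d $dst -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    done
    # Log what falls through; the DROP policy then discards it.
    echo "$IPT -A FORWARD -j LOG --log-prefix 'FWD-DROP: '"
    echo "$IPT -P FORWARD DROP"
}

# Return 0 when no emitted rule accepts traffic destined for the LAN (the
# '-d 192.168.1.0/24 -j ACCEPT' rule Gabor's answer warns against), 1 otherwise.
no_inbound_accept() {
    if forward_rules | grep -- "-d $LAN_NET" | grep -q -- "-j ACCEPT"; then
        return 1
    fi
    return 0
}

# Apply the emitted commands and make sure the kernel forwards at all.
apply_forward_rules() {
    forward_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
    sysctl -w net.ipv4.ip_forward=1           # same effect as: echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Persist the running ruleset; an init script must run
# 'iptables-restore < /etc/myfirewall_config' at boot to load it back.
persist_rules() {
    iptables-save > /etc/myfirewall_config
}

case "${1:-}" in
    show)   forward_rules ;;
    apply)  apply_forward_rules && persist_rules ;;
esac
```

Run `sh forward.sh show` to print the exact commands that would be executed and `sh forward.sh apply` (as root) to install and save them. Keeping the allowed destinations to a short list of mail hosts is what makes the rule acceptable: a bare `--dport 25 -j ACCEPT` toward any address is exactly the open relay path for malware that jirib describes.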