Expose local service to single WAN IP address

NethServer Version: NethServer Enterprise 7.9.2009
Module: your_module

the problem is: We need to allow access to SMTP (Postfix) from the internet, to only a specific WAN ip Public Address.
Our NethServer is running Postfix Service,
We have a WAN with multiple IPs (Alias already created)
On System > Services we have enabled Postfix Access on RED network (WAN). Here we can’t choose a single IP Alias, only the whole network.
Doing this, SMTP services are accessible from any of the WAN IPs.
We have tried creating Firewall Rules to allow SMTP service only on a single IP, but it seems that the rules are not working, I think because the services is a local NethServer service, so it’s not a standard WAN to LAN server.
How can we expose a NethServer local service to only a single Public IP?


1 Like

IMVHO this is a case still not (yet) managed by development team.

Your current node have multiple wan interfaces configured?
Could you provide at least more info about your current setup? Feel free to obscure public Ip addresses and hostnames with something like a.a.a.a and buddy.mydomain.ext placeholders.

Disclaimer: I am no part of the project/development team in any way, so what I wrote is my personal knowledge and opinion. I may totally be wrong :slight_smile:

1 WAN (red) interface, with ip a.a.a.1, a.a.a.2, a.a.a.3
We already use NAT rules to expose services on our servers behind LAN (green).
On nethserver, the postfix service is up and running, but we need to expose SMTP service (TCP/25) only on IP a.a.a.1, and not on a.a.a.2 or a.a.a.3.
Actually on postfix configuration, we can only choose on which interface service is listening, so only green/LAN (and SMTP is NOT reachable from WAN), or green/LAN + red/WAN (and SMTP is reachable from WAN). But when we set green+red, postfix is reachable on every IP of the WAN (a.a.a.1, a.a.a.2, a.a.a.3).
We have tried to add firewall rules to prevent access to SMTP from IP a.a.a.2 or a.a.a.3, but it does not work.

Hi @intercom

Your config / setup is not officially supported, but is doable. :slight_smile:

AFAIK, Postfix itself is fairly flexible, when configured directly (conf file), and would allow setting the interface directly - or even the IP.

NethServer 7.x still uses the e-smith Template system, so this can be managed using a custom-template.
This is update and reboot safe, at least while running NS7x. NS8 is a completly different animal, but also there, a different solution can be used.

My 2 cents

1 Like

I believe you can edit the postfix/main.cfg to restrict the transport destination ip

Ok, I will try with manual editing of the postfix configuration.

If it works you will need to create a custom E-smith template so it won’t be overwritten

It will be nice to add this feature in main code.