Unreachable mailing service from abroad

There is some situations when domestic pepole want to use services from abroad. In my case one of my friends wants to use a hungarian e-mail service, freemail.hu, from Germany, but service area of Freemail is limited to Hungary for security reasons (only POP3 protocol is affected). We do not know how long this security restriction will take, unfortuantelly. So today's question is that: what should we do to download my friend's mails via POP3 protocol from abroad against the security restrictions? Well, there are a lot of potential solution but because I have several Linux servers around the Internet and, to be honest, I love them I will use a Linux server instead. Let me show how.

Since my favorite Linux distibution is Ubuntu, commands and others described here was tested only on Ubuntu 14.04.2 LTS with exactly one IPv4 addressed network interface. However, they should work with all widely used distributions there are absolute no garantees to work, of couse.

First of all, there are some term which must be clear to understand the below.

The first is Linux IP forwarding feature. IP forwarding is a Linux kernel feature, synonim for "routing". In home or small office environment routing and NAT can be ambigous. Routing (IP forwarding) is different from NAT (Network Adress Translation). The main responsibility of NAT is to remap one address space into another by modifing address information in the IP header. Esentially, NAT often used in home routers to connect local private network (local area network a.k.a. LAN) to the Internet which may cause this misunderstanding. In contrast with NAT, IP forwarding does not touch the address part of the IP header, but responsible to receive IP packets on NIC 1 (network interface card) and then send it out on another NIC to connect the two network. In a home network, people use these two features together in a SOHO (small offfice, home office) router without knowing of the real behavior of it.

The other important term is iptables. iptables is the Linux's packet filter service, with which we can define firewall rules and can do packet manipulation activities. Not very suprising we will use 'iptables' command line utility to create rules. Note that this post do not intend to describe iptables in details so for more information please check 'iptables' and 'iptables-extensions' man pages or this. In the below picture you can see the process flow of iptables. In our point of view the point is that iptables consists of tables, chains and rules whereby IP packages' destination can be modified and redirected to another host whithout parties knowing it.

iptables process flow

To achive our goal we need to use some iptables functionality: 'nat' table, 'PREROUTING' and 'POSTROUTING' chains. 'nat' table is used to translate the packet's source or destination fields. There are four target of this table: 'DNAT', 'SNAT', 'MASQUERADE' and 'REDIRECT'. For us, only 'DNAT' and 'MASQUERADE' targets are important.

With 'DNAT' target the destionation address can be modified. This is valid in the 'PREROUTING' chain of 'nat' table. Practically speaking this target redirect packages to the other machine. 'SNAT' is very similar, but it influence the source address which is used at replying.

'MASQUERADE' target works in the 'POSTROUTING' chain and it is responsible to mask/hide the original source of the package. Actually, 'MASQUERADE' is similar to 'SNAT' in the sense that both of them modify the source address but we use 'MASQUERADE' in case firewall/router use dynamic IP address while 'SNAT' only in a static addressed environment. Used by 'MASQUARADE', if the network interface goes down, connections are forgotten prepared for getting another IP address when interface bring up again. Allocate new IP address for each connections is a standard procedure since PSTN modems, but today is also a widely used method mainly connections over PPoE (Point-to-Point Protocol over Ethernet) like ADSL (Asymmetric Digital Subscriber Line).

'nat' table has three predefined chains where the before mentioned targets work: 'PREROUTING', 'OUTPUT' and 'POSTROUTING'. 'PREROUTING', as the name implies, responsible for packets that just arrived at the network interface. So far, no routing decision has taken place therefore it is not yet known whether be interpreted locally or whether it would be forwarded to another machine located at another network interface. In the below picture you can see the process flow of the 'nat' table.

nat table flow

By this point, we are already familiarized with the most improtant technologies with which we will work so let't get to the point: to the command prompt.

With the first command we check if IP forward is already turned on and if not, the second one will turn it on immediatelly.

root@cloud-7270:~# cat /proc/sys/net/ipv4/ip_forward


root@cloud-7270:~# echo "1" > /proc/sys/net/ipv4/ip_forward

To make IP forwarding's status permanent (survives a reboot), uncomment the following line in /etc/sysctl.conf file. Of course, this step is optional, since the IP forward is already active, but in general it is necessary.

net.ipv4.ip_forward = 1

The last thing to do is creating the iptables rules:

root@cloud-7270:~# iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to-destination

root@cloud-7270:~# iptables -t nat -A POSTROUTING -j MASQUERADE

I think the above two lines don't need any explanations, they shoud be trivial now.

If everything went fine we can reach the remote host (, TCP/110) on our TCP/110 port and with this the original issue is solved and the e-mail service provider is reachable via POP3 from abroad.

Oh, and by the way, I almost forgot to draw attention: by default, iptables configuration is not persistent between reboots so take care of it too.