On Fri, Sep 28, 2012 at 2:37 PM, Dragan Jurkovic <dragan@jurkovic.ca> wrote:
> Hi,
>
> I have IMAPS server which is behind firewall and accessible from
> outside by simple DNAT rule:
>
> DNAT net loc:192.168.201.X:993 tcp NNNNN
>
> NNNNN is non-standard port.
> I am having trouble configuring shorewall to allow same access from
> inside. Even after thorough reading of DNAT documentation I am still
> puzzled.
> I tried:
>
> DNAT loc loc:192.168.201.X:993 tcp NNNNN - 192.168.201.Y
>
> in rules file where 192.168.201.X is local IMAPS server and
> 192.168.201.Y is firewall internal address.
> I even tried to add:
>
> eth0:192.168.201.X eth0 192.168.201.Y tcp NNNNN
>
> in masq file (eth0 is internal interface on firewall), but connection
> always times out. As I can see shorewall is not blocking anything, but
> packets are lost somewhere.
> Is there any way to achieve this?

Forgot to mention - eth0 does have routeback option and I do have split
DNS for my firewall - i.e. it resolves to 192.168.201.Y internally.

> Thanks,
> Dragan
On 09/28/2012 11:53 AM, Dragan Jurkovic wrote:
> Forgot to mention - eth0 does have routeback option and I do have
> split DNS for my firewall - i.e. it resolves to 192.168.201.Y
> internally.

If you have split DNS then why doesn't it resolve to 192.168.2.1.X???
That way, the router would not have to do anything.

-Tom

PS -- and it's really silly to use X and Y when you are referring to
private addresses.

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
On Fri, Sep 28, 2012 at 3:01 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 09/28/2012 11:53 AM, Dragan Jurkovic wrote:
>
>> Forgot to mention - eth0 does have routeback option and I do have
>> split DNS for my firewall - i.e. it resolves to 192.168.201.Y
>> internally.
>
> If you have split DNS then why doesn't it resolve to 192.168.2.1.X???
> That way, the router would not have to do anything.

What I am trying to achieve is to access IMAP server via smartphone
mail application - so in smartphone I have IMAPS server set to
"firewall.mycompany.com:NNNNN". I am trying to have same configuration
when accessing IMAPS server via smartphone connected internally via
WiFi (therefore getting 192.168.201 address) - I don't want to change
smartphone config every time it connects to internal network.
Internally firewall.mycompany.com resolves to 192.168.201 address. All
other internal mail clients are using internal address of IMAPS
server, of course.

> -Tom
> PS -- and it's really silly to use X and Y when you are referring to
> private addresses.

True - silly me!
On 09/28/2012 12:17 PM, Dragan Jurkovic wrote:
> What I am trying to achieve is to access IMAP server via smartphone
> mail application - so in smartphone I have IMAPS server set to
> "firewall.mycompany.com:NNNNN". I am trying to have same configuration
> when accessing IMAPS server via smartphone connected internally via
> WiFi (therefore getting 192.168.201 address) - I don't want to change
> smartphone config every time it connects to internal network.
> Internally firewall.mycompany.com resolves to 192.168.201 address. All
> other internal mail clients are using internal address of IMAPS
> server, of course.

And 192.168.2.201 is an address on the Shorewall Router?

-Tom

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
On Fri, Sep 28, 2012 at 3:26 PM, Tom Eastep <teastep@shorewall.net> wrote:
> And 192.168.2.201 is an address on the Shorewall Router?

IMAPS server 192.168.201.6, Shorewall router 192.168.201.42
(firewall.mycompany.com resolves internally to that address)
IMAPS is listening to normal IMAPS port 993.

rules file:

DNAT loc loc:192.168.201.6:993 tcp NNNNN - 192.168.201.42

masq file:

eth0:192.168.201.6 eth0 192.168.201.42 tcp NNNNN

> -Tom
On 09/28/2012 12:33 PM, Dragan Jurkovic wrote:
> IMAPS server 192.168.201.6, Shorewall router 192.168.201.42
> (firewall.mycompany.com resolves internally to that address)
> IMAPS is listening to normal IMAPS port 993.
>
> rules file:
>
> DNAT loc loc:192.168.201.6:993 tcp NNNNN - 192.168.201.42
>
> masq file:
>
> eth0:192.168.201.6 eth0 192.168.201.42 tcp NNNNN

You want rules:

DNAT loc loc:192.168.201.6:993 tcp NNNN - 192.168.201.42

And masq:

eth0:192.168.201.6 192.168.201.0/24 192.168.201.42 tcp 993

-Tom

--
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
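Why the masq entry has to match port 993 rather than NNNNN, as an added Python model that is not code from the thread or from Shorewall: it traces a LAN client's SYN through the order netfilter applies, DNAT in PREROUTING first and SNAT (masq) in POSTROUTING second, so the masq rule only ever sees the already-rewritten destination port. The value 31993 is assumed for the NNNNN placeholder and 192.168.201.50 is a constructed client address.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the thread. NNNNN is the thread's placeholder for the
# non-standard external port; 31993 is an assumed value standing in for it.
FW_IP, SERVER_IP, LAN = "192.168.201.42", "192.168.201.6", "192.168.201.0/24"
EXT_PORT, IMAPS = 31993, 993


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def dnat(pkt: Packet) -> Packet:
    """PREROUTING: the 'rules' DNAT entry rewrites the destination."""
    if pkt.dst == FW_IP and pkt.dport == EXT_PORT:
        return replace(pkt, dst=SERVER_IP, dport=IMAPS)
    return pkt


def snat(pkt: Packet, masq_port: int) -> Packet:
    """POSTROUTING: the 'masq' entry runs after DNAT, so its port match is
    tested against the rewritten destination port (993), never NNNNN."""
    from_lan = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(LAN)
    if pkt.dst == SERVER_IP and from_lan and pkt.dport == masq_port:
        return replace(pkt, src=FW_IP)
    return pkt


def hairpin(client_ip: str, masq_port: int) -> dict:
    """Trace one LAN client's SYN and report whether the server's SYN-ACK
    can travel back through the firewall, where both NATs get reversed."""
    syn = snat(dnat(Packet(client_ip, 40000, FW_IP, EXT_PORT)), masq_port)
    # The server replies to whatever source it saw. If that is still the
    # client's own LAN address, the SYN-ACK goes straight to the client on
    # the same segment, bypassing the firewall: the client then receives a
    # SYN-ACK from 192.168.201.6:993 for a connection it opened to
    # 192.168.201.42:NNNNN, discards it, and the connection times out.
    return {"server_sees_src": syn.src, "works": syn.src == FW_IP}


if __name__ == "__main__":
    print("masq matching NNNNN:", hairpin("192.168.201.50", EXT_PORT))
    print("masq matching 993:  ", hairpin("192.168.201.50", IMAPS))
```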
On Fri, Sep 28, 2012 at 3:44 PM, Tom Eastep <teastep@shorewall.net> wrote:
> You want rules:
>
> DNAT loc loc:192.168.201.6:993 tcp NNNN - 192.168.201.42
>
> And masq:
>
> eth0:192.168.201.6 192.168.201.0/24 192.168.201.42 tcp 993

Thank you very much Tom,
It works now. I overlooked the fact that IMAPS server listens on 993.

Regards,
Dragan

> -Tom

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users