My need:

Considering a Sendmail relay running on the firewall (IP: 200.1.1.1), I need all TCP/SMTP outgoing connections to the Internet to appear to be from another ISP-allocated external IP (200.1.1.2), not the main FW's IP.

As stated in the docs (http://shorewall.net/shorewall_quickstart_guide.htm#id2485947), I read the Setup Guide to try to solve my problem, but I cannot figure out how to change the outgoing connections originating on the firewall to use another external IP instead of the main IP of the firewall, only for TCP and SMTP connections.

Did I miss something?
Any links to read on?

Thanks
[Guilsson]
Subject: [Shorewall-users] FW outgoing connection with multiple public IPs

> My need:
> Considering a Sendmail relay running on the firewall (IP: 200.1.1.1),
> I need all TCP/SMTP outgoing connections to the Internet to appear to be
> from another ISP-allocated external IP (200.1.1.2), not the main FW's
> IP.
>
> As stated in the docs
> (http://shorewall.net/shorewall_quickstart_guide.htm#id2485947), I
> read the Setup Guide to try to solve my problem but I cannot figure out
> how to change the outgoing connections originating on the firewall to
> use another external IP instead of the main IP for the firewall, only
> for TCP and SMTP connections.
>
> Did I miss something?
> Any links to read on?
>
> Thanks
> [Guilsson]

I'd set the mail server IP as the primary IP for the interface and use Example 24 from http://www.shorewall.net/Documentation.htm to set up the second IP to handle the local LAN's traffic. You're just reversing the order the IP addresses are assigned. That should get the mail to look right on the way out; the LAN traffic should appear to come from the other IP. Might want to check on binding sendmail to the first IP only.

Jerry Vonau
On Thu, 2004-11-18 at 18:47 -0600, Jerry Vonau wrote:

> Might want to check on binding sendmail to the first IP only.

That would be my recommendation.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 2004-11-18 at 17:28 -0800, Tom Eastep wrote:

> On Thu, 2004-11-18 at 18:47 -0600, Jerry Vonau wrote:
>
> > Might want to check on binding sendmail to the first IP only.
>
> That would be my recommendation.

And if your relay runs Postfix, the relevant parameter is 'smtp_bind_address' in /etc/postfix/main.cf.

-Tom
On Thu, 18 Nov 2004 18:47:10 -0600, Jerry Vonau <jvonau@shaw.ca> wrote:

> I'd set the mail server IP as the primary IP for the interface and use
> Example 24 from: http://www.shorewall.net/Documentation.htm to set up
> the second IP to handle the local LAN's traffic. You're just reversing the order
> the IP addresses are assigned. That should get the mail to look right on the
> way out, the LAN traffic should appear to come from the other IP.
> Might want to check on binding sendmail to the first IP only.

I added the secondary IP:

    2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:e0:18:38:ac:cb brd ff:ff:ff:ff:ff:ff
        inet 200.157.95.66/26 brd 200.157.95.127 scope global eth0
        inet 200.157.95.70/26 brd 200.157.95.127 scope global secondary eth0:70

Changed shorewall.cfg:

    ADD_SNAT_ALIASES=Yes

Changed /etc/shorewall/masq:

    eth0:70    127.0.0.1    200.157.95.70

Changed sendmail.cf:

    O DaemonPortOptions=Port=smtp,Addr=127.0.0.1., Name=MTA
    O DaemonPortOptions=Port=smtp,Addr=200.157.95.70, Name=MTA
    O DaemonPortOptions=Port=smtp,Addr=10.200.4.1, Name=MTA

But the connections are still going through the primary IP address:
(edited: line too long)

    root # lsof -itcp:25
    COMMAND NAME
    sendmail_localhost.localdomain:smtp_(LISTEN)
    sendmail_200-157-95-70.intelignet.com.br:smtp_(LISTEN)
    sendmail_10.200.4.1:smtp_(LISTEN)
    sendmail_200-157-95-66.intelignet.com.br:57451->200.198.179.242:smtp_(ESTABLISHED)
    sendmail_200-157-95-66.intelignet.com.br:57451->200.198.179.242:smtp_(ESTABLISHED)
    sendmail_200-157-95-66.intelignet.com.br:57452->mx.ig.com:smtp_(ESTABLISHED)
    sendmail_200-157-95-66.intelignet.com.br:57452->mx.ig.com:smtp_(ESTABLISHED)
    sendmail_200-157-95-66.intelignet.com.br:57453->mmsc.vivomms.com.br:smtp_(SYN_SENT)

Is the masq change above correct? I used 127.0.0.1 because only locally originated connections need to change source IP.

Do I need to swap FW IPs (.70 as primary and .66 as secondary) to make this work?

Thanks in advance
[Guilsson]
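A quick check for the situation in the post above, whether outbound SMTP sessions really leave from the intended address, written as an added example for this thread and not taken from the thread or from Shorewall. It parses `lsof -nP -itcp:25` output (`-n`/`-P` keep addresses and ports numeric, unlike the edited listing above); the listing embedded in the script is constructed, not the poster's real output, and only reuses the thread's addresses 200.157.95.66, 200.157.95.70, 10.200.4.1 and 200.198.179.242.

```shell
#!/bin/sh
# Constructed sample in the shape of `lsof -nP -itcp:25` output (not the
# poster's real listing): the three listeners from the post, plus three
# outbound deliveries, two of which leave from the primary address .66
# instead of the intended .70.
SAMPLE_LSOF='COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sendmail 812 root  4u IPv4 5521 0t0 TCP 127.0.0.1:25 (LISTEN)
sendmail 812 root  5u IPv4 5522 0t0 TCP 200.157.95.70:25 (LISTEN)
sendmail 812 root  6u IPv4 5523 0t0 TCP 10.200.4.1:25 (LISTEN)
sendmail 901 root  7u IPv4 6001 0t0 TCP 200.157.95.66:57451->200.198.179.242:25 (ESTABLISHED)
sendmail 902 root  7u IPv4 6002 0t0 TCP 200.157.95.70:57452->200.198.179.242:25 (ESTABLISHED)
sendmail 903 root  7u IPv4 6003 0t0 TCP 200.157.95.66:57453->200.198.179.242:25 (SYN_SENT)'

# Read lsof output on stdin and print every outbound session (a NAME of the
# form local->remote) whose local address is not $1, as
# "<pid> <local> -> <remote> <state>". Listeners have no "->" and are skipped.
smtp_wrong_source() {
    awk -v want="$1" '
        $9 ~ /->/ {
            split($9, ends, "->")
            local = ends[1]
            sub(/:[^:]*$/, "", local)       # drop the ephemeral port, keep the address
            if (local != want)
                printf "%s %s -> %s %s\n", $2, ends[1], ends[2], $10
        }'
}

# Number of outbound sessions in the constructed sample that do not use the
# given source address; 0 means sendmail is bound the way the admin intended.
count_wrong_in_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | smtp_wrong_source "$1" | wc -l | tr -d ' '
}

# On a live relay the same check is:
#   lsof -nP -itcp:25 | smtp_wrong_source 200.157.95.70
```

An empty result from `smtp_wrong_source` means every outbound delivery is bound as intended. One thing the check makes visible: the DaemonPortOptions lines changed in the post only govern the listening sockets (the three LISTEN entries look fine), while the source address of outgoing deliveries is a separate sendmail setting, ClientPortOptions (`O ClientPortOptions=Addr=...` in sendmail.cf), which is the sendmail-side knob to look at before reaching for NAT.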
On Fri, 2004-11-19 at 00:04 -0300, Guilsson wrote:

> I added the secondary IP:
>
>     2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 100
>         link/ether 00:e0:18:38:ac:cb brd ff:ff:ff:ff:ff:ff
>         inet 200.157.95.66/26 brd 200.157.95.127 scope global eth0
>         inet 200.157.95.70/26 brd 200.157.95.127 scope global secondary eth0:70
>
> Changed shorewall.cfg:
>
>     ADD_SNAT_ALIASES=Yes
>
> Changed /etc/shorewall/masq:
>
>     eth0:70    127.0.0.1    200.157.95.70
>
> Changed sendmail.cf:
>
>     O DaemonPortOptions=Port=smtp,Addr=127.0.0.1., Name=MTA
>     O DaemonPortOptions=Port=smtp,Addr=200.157.95.70, Name=MTA
>     O DaemonPortOptions=Port=smtp,Addr=10.200.4.1, Name=MTA
>
> But the connections are still going through the primary IP address:
> (edited: line too long)
>
>     root # lsof -itcp:25
>     COMMAND NAME
>     sendmail_localhost.localdomain:smtp_(LISTEN)
>     sendmail_200-157-95-70.intelignet.com.br:smtp_(LISTEN)
>     sendmail_10.200.4.1:smtp_(LISTEN)
>     sendmail_200-157-95-66.intelignet.com.br:57451->200.198.179.242:smtp_(ESTABLISHED)
>     sendmail_200-157-95-66.intelignet.com.br:57451->200.198.179.242:smtp_(ESTABLISHED)
>     sendmail_200-157-95-66.intelignet.com.br:57452->mx.ig.com:smtp_(ESTABLISHED)
>     sendmail_200-157-95-66.intelignet.com.br:57452->mx.ig.com:smtp_(ESTABLISHED)
>     sendmail_200-157-95-66.intelignet.com.br:57453->mmsc.vivomms.com.br:smtp_(SYN_SENT)
>
> Is the masq change above correct? I used 127.0.0.1 because only locally
> originated connections need to change source IP.
>
> Do I need to swap FW IPs (.70 as primary and .66 as secondary) to make
> this work?

This is a sendmail configuration problem -- forget Shorewall and concentrate on configuring sendmail properly. Sorry that I can't help you with that but I've run Postfix for too long to remember much about sendmail...

-Tom
On Thu, 2004-11-18 at 19:18 -0800, Tom Eastep wrote:

> This is a sendmail configuration problem -- forget Shorewall and
> concentrate on configuring sendmail properly. Sorry that I can't help
> you with that but I've run Postfix for too long to remember much about
> sendmail...

But if you need to get this running quickly, then you want in /etc/shorewall/masq:

    if    a    b    tcp    25

Where:

    if = Your external interface
    a  = The IP address that your incorrectly-configured sendmail is using as a source IP.
    b  = The IP address that you wish you knew how to make sendmail use as its source address.

-Tom
On Thu, 2004-11-18 at 19:35 -0800, Tom Eastep wrote:

> On Thu, 2004-11-18 at 19:18 -0800, Tom Eastep wrote:
>
> > This is a sendmail configuration problem -- forget Shorewall and
> > concentrate on configuring sendmail properly. Sorry that I can't help
> > you with that but I've run Postfix for too long to remember much about
> > sendmail...
>
> But if you need to get this running quickly, then you want
> in /etc/shorewall/masq:
>
>     if    a    b    tcp    25
>
> Where:
>
>     if = Your external interface
>     a  = The IP address that your incorrectly-configured sendmail
>          is using as a source IP.
>     b  = The IP address that you wish you knew how to make sendmail
>          use as its source address.

And of course this should be *before* any other entries in /etc/shorewall/masq...

-Tom
> This is a sendmail configuration problem -- forget Shorewall and
> concentrate on configuring sendmail properly. Sorry that I can't help
> you with that but I've run Postfix for too long to remember much about
> sendmail...

Ok. I will look further into sendmail, thanks.

Another question quite related to this:

- Suppose I'm in an ssh session at the firewall:
  1) If I telnet to some external router, I want to arrive there with source IP 200.157.95.66.
  2) If I ssh to some external *nix, I want to arrive there with source IP 200.157.95.70.

Can I accomplish this in Shorewall?

[Guilsson]
On Fri, 2004-11-19 at 00:53 -0300, Guilsson wrote:

> > This is a sendmail configuration problem -- forget Shorewall and
> > concentrate on configuring sendmail properly. Sorry that I can't help
> > you with that but I've run Postfix for too long to remember much about
> > sendmail...
>
> Ok. I will look further into sendmail, thanks.
>
> Another question quite related to this:
> - Suppose I'm in an ssh session at the firewall:
>   1) If I telnet to some external router, I want to arrive there with
>      source IP 200.157.95.66.
>   2) If I ssh to some external *nix, I want to arrive there with source IP
>      200.157.95.70.
>
> Can I accomplish this in Shorewall?

Provided that you know the IP addresses of all external hosts involved, you can use the technique that I described in my post last night (application-specific entries in /etc/shorewall/masq).

-Tom
> > Another question quite related to this:
> > - Suppose I'm in an ssh session at the firewall:
> >   1) If I telnet to some external router, I want to arrive there with
> >      source IP 200.157.95.66.
> >   2) If I ssh to some external *nix, I want to arrive there with source IP
> >      200.157.95.70.
> >
> > Can I accomplish this in Shorewall?
>
> Provided that you know the IP addresses of all external hosts involved,
> you can use the technique that I described in my post last night
> (application-specific entries in /etc/shorewall/masq).

It worked. Notice that, for firewall-originated connections, this is incorrect:

    eth0    lo    <secondary-public-ip>    tcp    22

The correct one is:

    eth0    eth0    <secondary-public-ip>    tcp    22

[Guilsson]
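To make Tom's masq recipe and his follow-up about ordering concrete (what each column of an /etc/shorewall/masq line means in the nat table, and why the port-specific entry has to come before any broader one), here is an added example written for this thread; it is not Shorewall's own code or compiler. It renders a masq line as the approximate iptables rule it corresponds to, and runs a first-match lookup over a small constructed masq file. It uses the explicit-address form of the SOURCE column that Tom gave (`eth0 200.157.95.66 200.157.95.70 tcp 25`); an interface name in SOURCE, as in the final working entry above, is something Shorewall resolves to that interface's networks and is not handled here. The masq file contents and the packets looked up are constructed for the demo and only reuse addresses from the thread.

```shell
#!/bin/sh
# Constructed /etc/shorewall/masq contents (not the poster's file): the
# application-specific SNAT for the firewall's own SMTP first, then the
# general LAN entry. Columns: INTERFACE SOURCE ADDRESS PROTO PORT(S).
MASQ_GOOD='#INTERFACE  SOURCE           ADDRESS         PROTO  PORT(S)
eth0        200.157.95.66    200.157.95.70   tcp    25
eth0        10.200.4.0/24    200.157.95.66'

# Same entries with a catch-all for the whole external /26 placed first; the
# tcp/25 entry is then never reached, because nat POSTROUTING is first-match.
MASQ_SHADOWED='eth0  200.157.95.64/26  200.157.95.66
eth0  200.157.95.66     200.157.95.70  tcp  25'

# Render one masq line as the iptables nat rule it corresponds to (an
# approximation for illustration, not Shorewall's compiler). Only the first
# five columns are read, "-" means "unset", and an "eth0:70"-style alias is
# reduced to the interface name: the rule matches on the outgoing interface,
# and ADD_SNAT_ALIASES only concerns adding the address to it.
masq_to_iptables() {
    set -- $1
    iface="${1%%:*}"; src="$2"; addr="$3"; proto="$4"; port="$5"
    rule="iptables -t nat -A POSTROUTING -o $iface -s $src"
    if [ -n "$proto" ] && [ "$proto" != "-" ]; then rule="$rule -p $proto"; fi
    if [ -n "$port" ] && [ "$port" != "-" ]; then rule="$rule --dport $port"; fi
    if [ -n "$addr" ] && [ "$addr" != "-" ]; then
        rule="$rule -j SNAT --to-source $addr"
    else
        rule="$rule -j MASQUERADE"
    fi
    printf '%s\n' "$rule"
}

# First-match lookup: given masq file contents and a packet (outgoing
# interface, source IP, proto, destination port), print the ADDRESS it would
# be SNATed to, MASQUERADE for an entry without ADDRESS, or NONE if nothing matches.
masq_lookup() {
    printf '%s\n' "$1" | awk -v iface="$2" -v sip="$3" -v proto="$4" -v dport="$5" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # Is ip inside cidr (a bare address counts as /32)? Integer division by the
    # size of the host part compares the network prefixes without bit operators.
    function inblock(ip, cidr,  p, n, bits, host) {
        n = split(cidr, p, "/"); bits = (n == 2) ? p[2] : 32
        host = 2 ^ (32 - bits)
        return int(ip2n(ip) / host) == int(ip2n(p[1]) / host)
    }
    /^#/ || NF < 2 { next }                          # comments and blank lines
    {
        ifc = $1; sub(/:.*/, "", ifc)                # eth0:70 -> eth0
        if (ifc != iface || !inblock(sip, $2)) next
        if ($4 != "" && $4 != "-") {                 # PROTO given: must match
            if ($4 != proto) next
            if ($5 != "" && $5 != "-" && $5 != dport) next
        }
        out = ($3 == "" || $3 == "-") ? "MASQUERADE" : $3
        print out; found = 1; exit
    }
    END { if (!found) print "NONE" }'
}
```

With `MASQ_GOOD`, a firewall-originated SMTP packet from 200.157.95.66 is rewritten to 200.157.95.70, the firewall's other connections are left alone (NONE), and LAN traffic is handled by the general entry. With `MASQ_SHADOWED` the same SMTP packet is caught by the broader /26 entry first and keeps 200.157.95.66, which is exactly why Tom's follow-up insists the specific entry sits before any other entry in the file.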