Hi all,

Currently I have one mail server in my office, but I want to redirect ports 25, 110 and 143 to another mail server which is in the datacenter.

DNAT net net:203.194.34.99 tcp 143,25,110

But it is not working. I found this in the error messages:

May 13 14:11:05 jerry kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=203.00.33.88 DST=203.194.34.99 LEN=60 TOS=0x10 PREC=0x00 TTL=55 ID=31838 DF PROTO=TCP SPT=58115 DPT=143 WINDOW=65535 RES=0x00 SYN URGP=0

eth1 is my public IP interface and eth0 is the private IP.

How am I going to fix this problem? Thanks.

-------------------------------------------------------------------------------
Best Regards
Liew Toh Seng
Icq No: >> 36835809 <<
MSN: >> tohseng@hotmail.com <<
The Internet Solution Company
My Directory Sdn Bhd

First of all, you don't do

DNAT net net:xxx.xxx.xxx.xxx

Such rules don't work.

You have to use REDIRECT rules if I remember correctly.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Liew Toh Seng
Sent: Thursday, May 13, 2004 2:17 PM
To: Mailing List for Shorewall Users
Subject: [Shorewall-users] redirect existing mail to server to other

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm

How to use the redirect rules...

On May 13, 2004, at 02:27 PM, Jason Png wrote:
> First of all, you don't do
> DNAT net net:xxx.xxx.xxx.xxx
>
> Such rules don't work.
>
> You have to use REDIRECT rules if I remember correctly.

Best Regards
Liew Toh Seng

REDIRECT net 143 tcp 143 - 203.194.34.99

I tried to use REDIRECT but it is still not working.

On May 13, 2004, at 02:29 PM, Liew Toh Seng wrote:
> How to use the redirect rules...

Best Regards
Liew Toh Seng

Liew Toh Seng wrote:
> How to use the redirect rules...
>
> On May 13, 2004, at 02:27 PM, Jason Png wrote:
>
>> First of all, you don't do
>> DNAT net net:xxx.xxx.xxx.xxx
>>
>> Such rules don't work.
>>
>> You have to use REDIRECT rules if I remember correctly.

You must use DNAT not REDIRECT -- I answered this very same question within the last week or two; check the archives.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Hi,

I can't find it in the archives. Please help me.

Anyway, I have tried this but it is still not working:

DNAT net net:20.30.10.1 tcp 143 -

and added routeback to eth1 in /etc/interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
#
net     eth1        detect      routefilter,norfc1918,routeback
loc     eth0        detect

I can't find any error messages.

On May 13, 2004, at 09:23 PM, Tom Eastep wrote:
> You must use DNAT not REDIRECT -- I answered this very same question
> within the last week or two; check the archives.

Best Regards
Liew Toh Seng

Liew Toh Seng wrote:
> I can't find it in the archives. Please help me.

Look for my post in a thread entitled "forward net -> net"

-Tom

Currently my configuration is like this.

Firewall server (it's a mail server also)
Public IP (eth1): 10.0.1.1 default gw: 10.0.1.2
Internal IP (eth0): 172.30.10.1

Mail Server (in other public network)
IP: 10.10.1.1

DNAT net net:10.10.1.1 tcp 143 - 10.0.1.1:10.0.1.2

Chain net_dnat (1 references)
 pkts bytes target  prot opt in  out  source      destination
    1    60 DNAT    tcp  --  *   *    0.0.0.0/0   10.0.1.1     tcp dpt:143 to:10.10.1.1

Chain net_snat (1 references)
 pkts bytes target  prot opt in  out  source      destination
    1    60 SNAT    tcp  --  *   *    0.0.0.0/0   10.10.1.1    tcp dpt:143 to:10.0.1.2

I found the thread entitled "forward net -> net" and followed the instructions but it is still not working.

On May 14, 2004, at 09:36 AM, Tom Eastep wrote:
> Look for my post in a thread entitled "forward net -> net"

Best Regards
Liew Toh Seng

Liew Toh Seng wrote:
> DNAT net net:10.10.1.1 tcp 143 - 10.0.1.1:10.0.1.2
>
> I found the thread entitled "forward net -> net" and followed the
> instructions but it is still not working.

You certainly didn't follow them very well. The rule you want is:

DNAT net net:10.10.1.1 tcp 143 - 10.0.1.1:10.0.1.1

WARNING: FROM THE POINT OF VIEW OF 10.10.1.1, THIS RULE MAKES ALL FORWARDED MAIL APPEAR TO COME FROM 10.0.1.1 RATHER THAN THE ORIGINAL CLIENT.

-Tom

Tom Eastep wrote:
> WARNING: FROM THE POINT OF VIEW OF 10.10.1.1, THIS RULE MAKES ALL
> FORWARDED MAIL APPEAR TO COME FROM 10.0.1.1 RATHER THAN THE ORIGINAL
> CLIENT.

Make that "...ALL FORWARDED CONNECTIONS APPEAR..."

-Tom

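The difference between the two rules in this thread (SNAT address 10.0.1.2 versus 10.0.1.1) and the effect of the warning on what the mail server can log or filter on, as a toy Python model of the NAT path. This is an added example, not part of the thread and not Shorewall code; the class and function names and the client addresses are constructed, while the firewall, gateway and mail server addresses are the thread's.

```python
from typing import NamedTuple, Optional

FIREWALL = "10.0.1.1"      # firewall public address on eth1 (from the thread)
GATEWAY = "10.0.1.2"       # firewall's default gateway (from the thread)
MAIL_SERVER = "10.10.1.1"  # datacenter mail server (from the thread)

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class NatBox:
    """Toy host applying 'DNAT net net:10.10.1.1 tcp 143 - 10.0.1.1:<snat_to>'."""
    def __init__(self, address: str, snat_to: str):
        self.address, self.snat_to = address, snat_to
        self.conntrack = {}  # (server-side src, sport) -> original client packet

    def forward(self, pkt: Packet) -> Optional[Packet]:
        if (pkt.dst, pkt.dport) != (self.address, 143):
            return None  # the rule only matches IMAP addressed to the firewall
        out = Packet(self.snat_to, pkt.sport, MAIL_SERVER, pkt.dport)
        self.conntrack[(out.src, out.sport)] = pkt
        return out

    def reverse(self, reply: Packet) -> Optional[Packet]:
        # Only a reply delivered to this host can be matched and un-NATed.
        if reply.dst != self.address:
            return None
        orig = self.conntrack.get((reply.dst, reply.dport))
        if orig is None:
            return None
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

def round_trip(snat_to: str, client: str, sport: int = 40000):
    """Return (source address the mail server saw, reply delivered to client or None)."""
    fw = NatBox(FIREWALL, snat_to)
    seen = fw.forward(Packet(client, sport, FIREWALL, 143))
    # The server answers the source it saw, not the original client.
    reply = Packet(seen.dst, seen.dport, seen.src, seen.sport)
    return seen.src, fw.reverse(reply)

def sources_seen_by_server(clients, snat_to: str = FIREWALL):
    """Distinct source addresses in the mail server's view of many clients."""
    return {round_trip(snat_to, c)[0] for c in clients}
```

With the gateway address as the SNAT target the server's replies go to a host that holds no connection state, so the session never completes; with the firewall's own address it completes, but every client collapses to 10.0.1.1 in the server's logs and in any per-address access or rate-limit rule.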