I've run into a problem with 1.2.10 and would like to request a more experienced person's advice.

My setup..

I'm static NATing my boxes behind the firewall.

12.98.39.218 -> 10.10.10.10
12.98.39.219 -> 10.10.10.20

I've got two domain names that are set up here.
Domain1.com - ip 218
Domain2.com - ip 219

When I try to send mail from Domain1.com to Domain2.com the firewall stops me with a loc2loc:REJECT log message.

So I go into the policy file and set loc loc ACCEPT

That doesn't work so I try making a rule

ACCEPT loc loc tcp smtp

That doesn't work either..

I find a workaround by making a common entry like so:
run_iptables -A FORWARD -i eth1 -o eth1 -p tcp --dport 25 -j ACCEPT

Now for obvious reasons this isn't ideal. I'd like to work with the shorewall system for easier usage and maintenance as I like the setup and how it's done right now.

What I see is the problem/bug/feature is that loc2loc is not used in either the INPUT, OUTPUT or FORWARD chains. It should be in the FORWARD chain though. Am I correct or did I miss some configuration somewhere?

Thank you for any help you can give.

ian
Ian,

On Wed, 3 Apr 2002, ian wrote:

> I've run into a problem with 1.2.10 and would like to request a more
> experienced person's advice.
>
> My setup..
>
> I'm static NATing my boxes behind the firewall.
>
> 12.98.39.218 -> 10.10.10.10
> 12.98.39.219 -> 10.10.10.20
>
> I've got two domain names that are set up here.
> Domain1.com - ip 218
> Domain2.com - ip 219
>
> When I try to send mail from Domain1.com to Domain2.com the firewall
> stops me with a loc2loc:REJECT log message.
>

So you've specified 'Yes' in the "ALL" column in /etc/shorewall/nat -- good.

> So I go into the policy file and set loc loc ACCEPT
>
> That doesn't work so I try making a rule
>
> ACCEPT loc loc tcp smtp
>
> That doesn't work either..

It is a cardinal rule in Shorewall (and stated in the documentation) that if you have an ACCEPT policy and something doesn't work then adding more ACCEPT rules will NEVER make it work.

>
> I find a workaround by making a common entry like so:
> run_iptables -A FORWARD -i eth1 -o eth1 -p tcp --dport 25 -j ACCEPT
>
> Now for obvious reasons this isn't ideal. I'd like to work with the
> shorewall system for easier usage and maintenance as I like the setup
> and how it's done right now.
>
> What I see is the problem/bug/feature is that loc2loc is not used
> in either the INPUT, OUTPUT or FORWARD chains. It should be in
> the FORWARD chain though. Am I correct or did I miss some configuration
> somewhere?
>

It will be if you specify the 'multi' option for eth1 in /etc/shorewall/interfaces.

And now an editorial note:

Your setup hints strongly of the problems discussed in FAQs 2 and 2a and would be MUCH cleaner if you would use Proxy ARP rather than static NAT. In my view, any setup that requires a router to route packets out to the same interface that they came in on is just plain broken.

I use static NAT in my own network but I have also implemented views in my DNS configuration so that my domain names resolve to local addresses for local clients and network addresses for network clients. If you would do that then your two local systems could communicate directly without having to involve your firewall. Alternatively, given that there are only two systems to deal with, entries in /etc/hosts would also be a fine solution.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
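The split-horizon ("views") DNS setup Tom recommends, written out as an added example that is not part of the original thread or of Tom's own configuration. It assumes BIND 9 (the version whose `view` statement the 4th edition of DNS and BIND covers), that the internal LAN is 10.10.10.0/24, that the name server is reachable from both the LAN and the Internet, and that the zone file names and the `mail`/`ns` host names are placeholders; the addresses are the ones from the thread. Local clients that resolve through this server get the private address of each mail host, so domain1 to domain2 mail never has to be hairpinned through the firewall, while Internet clients still get the static NAT address.

```conf
// /etc/named.conf fragment (constructed example; paths and host names are assumed)
acl "lan" { 10.10.10.0/24; 127.0.0.1; };

// Views are tried in order; the first one whose match-clients matches answers.
// Put the restrictive (internal) view first so LAN clients never fall through.
view "internal" {
    match-clients { lan; };
    recursion yes;              // LAN hosts may use this server as their resolver
    zone "domain1.com" { type master; file "internal/domain1.com.zone"; };
    zone "domain2.com" { type master; file "internal/domain2.com.zone"; };
};

view "external" {
    match-clients { any; };
    recursion no;               // authoritative only toward the Internet: not an open resolver
    zone "domain1.com" { type master; file "external/domain1.com.zone"; };
    zone "domain2.com" { type master; file "external/domain2.com.zone"; };
};

; ---- internal/domain1.com.zone (constructed): private address for LAN clients ----
$TTL 3600
@       IN SOA  ns.domain1.com. hostmaster.domain1.com. ( 2002040401 3600 900 604800 3600 )
        IN NS   ns.domain1.com.
        IN MX 10 mail.domain1.com.
mail    IN A    10.10.10.10
ns      IN A    10.10.10.10

; ---- external/domain1.com.zone (constructed): static NAT address for everyone else ----
$TTL 3600
@       IN SOA  ns.domain1.com. hostmaster.domain1.com. ( 2002040401 3600 900 604800 3600 )
        IN NS   ns.domain1.com.
        IN MX 10 mail.domain1.com.
mail    IN A    12.98.39.218
ns      IN A    12.98.39.218
```

The domain2.com zone files follow the same pattern with 10.10.10.20 and 12.98.39.219. Both copies of a zone must be kept in step (bump both serials on every change), and the LAN hosts must actually point at this server rather than the ISP's resolver for the internal view to be consulted. Tom's two-host shortcut is the same idea without running a name server: a line such as `10.10.10.20 mail.domain2.com domain2.com` in /etc/hosts on the domain1 box (and the mirror entry on the domain2 box) makes the resolver return the private address before DNS is ever asked.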
On Thu, Apr 04, 2002 at 05:59:33AM -0800, Tom Eastep wrote:
> Ian,
>
> On Wed, 3 Apr 2002, ian wrote:
>
> > I've run into a problem with 1.2.10 and would like to request a more
> > experienced person's advice.
> >
> > My setup..
> >
> > I'm static NATing my boxes behind the firewall.
> >
> > 12.98.39.218 -> 10.10.10.10
> > 12.98.39.219 -> 10.10.10.20
> >
> > I've got two domain names that are set up here.
> > Domain1.com - ip 218
> > Domain2.com - ip 219
> >
> > When I try to send mail from Domain1.com to Domain2.com the firewall
> > stops me with a loc2loc:REJECT log message.
> >
>
> So you've specified 'Yes' in the "ALL" column in /etc/shorewall/nat --
> good.

Correct.

> > So I go into the policy file and set loc loc ACCEPT
> >
> > That doesn't work so I try making a rule
> >
> > ACCEPT loc loc tcp smtp
> >
> > That doesn't work either..
>
> It is a cardinal rule in Shorewall (and stated in the documentation) that
> if you have an ACCEPT policy and something doesn't work then adding more
> ACCEPT rules will NEVER make it work.

Figured but had to try anyways.

> > I find a workaround by making a common entry like so:
> > run_iptables -A FORWARD -i eth1 -o eth1 -p tcp --dport 25 -j ACCEPT
> >
> > Now for obvious reasons this isn't ideal. I'd like to work with the
> > shorewall system for easier usage and maintenance as I like the setup
> > and how it's done right now.
> >
> > What I see is the problem/bug/feature is that loc2loc is not used
> > in either the INPUT, OUTPUT or FORWARD chains. It should be in
> > the FORWARD chain though. Am I correct or did I miss some configuration
> > somewhere?
> >
>
> It will be if you specify the 'multi' option for eth1 in
> /etc/shorewall/interfaces.
>
> And now an editorial note:
>
> Your setup hints strongly of the problems discussed in FAQs 2 and 2a and
> would be MUCH cleaner if you would use Proxy ARP rather than static NAT.
> In my view, any setup that requires a router to route packets out to the
> same interface that they came in on is just plain broken. I use static
> NAT in my own network but I have also implemented views in my DNS
> configuration so that my domain names resolve to local addresses for local
> clients and network addresses for network clients. If you would do that
> then your two local systems could communicate directly without having to
> involve your firewall. Alternatively, given that there are only two
> systems to deal with, entries in /etc/hosts would also be a fine solution.

But if your configuration is two independent mail server systems, i.e. domain1.com & domain2.com, and you want to run them both behind one firewall, they are not allowed to send mail back and forth then.

I'm confused. How will Proxy ARP help versus static NAT?

I will look into doing a DNS like that. For the time being we are using the ISP's DNS (quick way to get up and going) versus the time-consuming piece of bringing up a dual-view DNS.

I read those FAQs (2 & 2a) but it didn't register with me that this was my environment.

Many Thanks
ian

> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
On Thu, 4 Apr 2002, ian wrote:

> On Thu, Apr 04, 2002 at 05:59:33AM -0800, Tom Eastep wrote:
> >
> > It will be if you specify the 'multi' option for eth1 in
> > /etc/shorewall/interfaces.

Did you try this suggestion? -- your current config should work if you do.

> >
> > And now an editorial note:
> >
> > Your setup hints strongly of the problems discussed in FAQs 2 and 2a and
> > would be MUCH cleaner if you would use Proxy ARP rather than static NAT.
> > In my view, any setup that requires a router to route packets out to the
> > same interface that they came in on is just plain broken. I use static
> > NAT in my own network but I have also implemented views in my DNS
> > configuration so that my domain names resolve to local addresses for local
> > clients and network addresses for network clients. If you would do that
> > then your two local systems could communicate directly without having to
> > involve your firewall. Alternatively, given that there are only two
> > systems to deal with, entries in /etc/hosts would also be a fine solution.
>
> But if your configuration is two independent mail server systems,
> i.e. domain1.com & domain2.com, and you want to run them both behind one
> firewall, they are not allowed to send mail back and forth then.
>
> I'm confused. How will Proxy ARP help versus static NAT?

Under Proxy ARP, you would configure the two servers with their EXTERNAL IP addresses and the same subnet mask and default gateway as your external firewall interface. DNS lookups using your ISP's DNS will then give you the correct IP address for either system and the two servers can communicate without any help from the firewall.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Fri, 5 Apr 2002, Randy Millis wrote:

> Tom,
>
> > > I have also implemented views in my DNS
> > > configuration so that my domain names resolve to local addresses for
> > > local clients and network addresses for network clients. If you would do that
>
> Can you tell me where I can learn more about views in DNS?
>

DNS and BIND, 4th Edition, Paul Albitz & Cricket Liu, O'Reilly, April 2001, ISBN 0-596-00158-4.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net