Örjan Johansson
2002-May-10 14:48 UTC
[Shorewall-users] The kind of port forwarding Tom hates...:-)
Hi all!

I have a problem that I thought I could solve by reading http://www.shorewall.net/FAQ.htm#faq2, but it won't do the trick for me. Here's the deal. I have three machines at home: one Linux box with shorewall 1.2.10, one WinXP client and one AD server with Exchange handling email for my domains. I am port forwarding port 25 from the internet to the Exchange server, so I am raising foxes in my hen house...;-) Even though I agree on the security implications, my tiny apartment and my relationship will not tolerate a more secure setup with more PC's and a DMZ.

The problem is this: I have some cron jobs running that email reports to root, and I want them delivered to my account on the Exchange server; however, an MX-lookup for my domain will return the address of the external if on the firewall. I want the fw's attempts to send email to my domain forwarded to the internal server.

I've tried:

# Redirect fw's attempt to send mail to bolibompa on eth0 to eth1, so to speak...
#
ACCEPT $FW loc:192.168.1.2 tcp 25 - 212.13.25.216

where 192.168.1.2 is the Exchange server on eth1, and 212.13.25.216 is the external ip on eth0

and

loc eth1 192.168.1.255 dhcp,routestopped,multi

But it doesn't do the trick. Have I missed something here?

Any input appreciated!

TIA,
Orjan
Tom Eastep
2002-May-10 14:54 UTC
[Shorewall-users] The kind of port forwarding Tom hates...:-)
On Fri, 10 May 2002, Örjan Johansson wrote:

> #
> ACCEPT $FW loc:192.168.1.2 tcp 25 - 212.13.25.216
>
> where 192.168.1.2 is the Exchange server on eth1, and 212.13.25.216 is
> the external ip on eth0
>
> and
>
> loc eth1 192.168.1.255 dhcp,routestopped,multi
>
> But it doesn't do the trick. Have I missed something here?
>

Yes -- DNAT from the firewall system doesn't work except with VERY recent versions of the Netfilter kernel code (e.g., Patch-o-matic) and has NEVER been tried with Shorewall (at least I haven't tried it).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
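A small lint for a Shorewall 1.2 style rules file that flags the pattern Tom describes: a port-forwarding rule (zone:address DEST plus an ORIGINAL DEST column) whose SOURCE is the firewall itself. This is an added example, not code from the thread or from the Shorewall project; it assumes the column order ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST and uses a constructed sample rules file.

```python
# Constructed sample in the style of a Shorewall 1.2 /etc/shorewall/rules file.
# Assumed column order: ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
SAMPLE_RULES = """\
# Redirect fw's attempt to send mail to bolibompa on eth0 to eth1, so to speak...
ACCEPT  $FW   loc:192.168.1.2  tcp  25   -  212.13.25.216
ACCEPT  net   loc:192.168.1.2  tcp  25   -  212.13.25.216
ACCEPT  loc   fw               tcp  22
"""

COLUMNS = ["action", "source", "dest", "proto", "dport", "sport", "origdest"]


def parse_rules(text):
    """Yield one dict per rule line; comments and blank lines are skipped,
    and a missing column or a literal '-' is stored as None."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        rule = dict(zip(COLUMNS, line.split()))
        for col in COLUMNS:
            if rule.get(col, "-") == "-":
                rule[col] = None
        yield rule


def is_port_forward(rule):
    """In the 1.2 syntax a zone:address DEST together with an ORIGINAL DEST
    column means the rule is a DNAT (port forward), not a plain ACCEPT."""
    dest = rule["dest"]
    return dest is not None and ":" in dest and rule["origdest"] is not None


def find_fw_originated_port_forwards(text):
    """Return the port-forwarding rules whose SOURCE is the firewall ($FW or fw),
    i.e. the DNAT-from-the-firewall case that the reply above says will not work
    on the Netfilter code of the day."""
    return [r for r in parse_rules(text)
            if is_port_forward(r) and r["source"] in ("$FW", "fw")]


if __name__ == "__main__":
    for r in find_fw_originated_port_forwards(SAMPLE_RULES):
        print("DNAT with SOURCE = firewall, needs recent Netfilter:", r)
```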
Örjan Johansson
2002-May-10 15:11 UTC
[Shorewall-users] The kind of port forwarding Tom hates...:-)
Thanx Tom. Good thing zoneedit has backup mail support! ;-)

Orjan

> > #
> > ACCEPT $FW loc:192.168.1.2 tcp 25 - 212.13.25.216
> >
> > where 192.168.1.2 is the Exchange server on eth1, and 212.13.25.216 is
> > the external ip on eth0
> >
> > and
> >
> > loc eth1 192.168.1.255 dhcp,routestopped,multi
> >
> > But it doesn't do the trick. Have I missed something here?
> >
>
> Yes -- DNAT from the firewall system doesn't work except with VERY recent versions of the Netfilter kernel code (e.g., Patch-o-matic) and has NEVER been tried with Shorewall (at least I haven't tried it).
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net