Hi Folks,

I'm trying to get SquirrelMail and Apache running on my firewall machine. It's a two-interface router/firewall system on Redhat 9. I am able to access the web site and SquirrelMail on the LAN and can send mail fine. However I cannot access the website externally and cannot receive external email.

I have the following rules re web and email:

DNAT net loc:192.168.0.1:80 tcp 80 -
DNAT net loc:192.168.0.1:25 tcp 25 -

Which I read as redirecting http and smtp requests to the internal NIC on the firewall machine. Is this right? What else do I need to do?

Thanks in advance

Scott..
Is the webserver on the firewall or on that 192.168.0.1 address? If it's on the firewall you don't want/need DNAT at all. You want to bind the webserver to the external address and then just

ACCEPT net $FW:addr tcp 25,80 -

--On Sunday, October 26, 2003 4:56 PM +1100 dotdoc <dotdoc@optusnet.com.au> wrote:

> Hi Folks,
>
> I'm trying to get SquirrelMail and Apache running on my firewall machine.
> It's a two-interface router/firewall system on Redhat 9. I am able to
> access the web site and SquirrelMail on the LAN and can send mail fine.
> However I cannot access the website externally and cannot receive external
> email.
>
> I have the following rules re web and email
>
> DNAT net loc:192.168.0.1:80 tcp 80 -
> DNAT net loc:192.168.0.1:25 tcp 25 -
>
> Which I read as redirecting http and smtp requests to the internal NIC on
> the firewall machine. Is this right? What else do I need to do?
>
> Thanks in advance
>
> Scott..
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

--
Undocumented Features quote of the moment...
"It's not the one bullet with your name on it that you have to worry about; it's the twenty thousand-odd rounds labeled `occupant.'" --Murphy's Laws of Combat
I have a similar setup - I had to permit 25 both in and out for TCP and ICMP. That and the DNAT (My mail server is in the DMZ) entry too. Send me a note if you want a clip from my rules file.

----------------------------------------------------------------------

Message: 1
Date: Sun, 26 Oct 2003 16:56:19 +1100
From: dotdoc <dotdoc@optusnet.com.au>
Subject: [Shorewall-users] Allow SquirrelMail
To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
Message-ID: <3F9B6203.3000803@optusnet.com.au>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On Sat, 2003-10-25 at 22:56, dotdoc wrote:

> Hi Folks,
>
> I'm trying to get SquirrelMail and Apache running on my firewall machine.
> It's a two-interface router/firewall system on Redhat 9. I am able to
> access the web site and SquirrelMail on the LAN and can send mail fine.
> However I cannot access the website externally and cannot receive external
> email.
>
> I have the following rules re web and email
>
> DNAT net loc:192.168.0.1:80 tcp 80 -
> DNAT net loc:192.168.0.1:25 tcp 25 -
>
> Which I read as redirecting http and smtp requests to the internal NIC
> on the firewall machine.

In Linux, IP addresses are owned by the host itself and not by the NIC. In any event, the above is wrong since if 192.168.0.1 is one of the firewall's addresses then it is in the $FW zone, not the loc zone. You should configure the SMTP server and Apache to listen on 0.0.0.0 and simply add:

ACCEPT net $FW tcp 80,25

> Is this right? What else do I need to do?

You'll probably want to send mail too, right?

ACCEPT $FW net tcp 80

As a final note, you should be looking at the Shorewall log any time you have a connection problem. The log entries together with FAQ 17 will usually tell you what you have done wrong.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
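The mistake Tom points out (a DNAT whose target is one of the firewall's own addresses, which belong to the $FW zone, not loc) is easy to catch mechanically before running `shorewall restart`. The following lint is an added example, not part of this thread or of Shorewall itself; the rules text and the firewall address list are constructed, with 203.0.113.10 and 192.168.0.50 assumed as the external address and a separate LAN host.

```python
import ipaddress

# Constructed sample rules file: the two DNAT lines from the thread, a DNAT
# to a separate LAN host (assumed 192.168.0.50) and one ordinary ACCEPT.
SAMPLE_RULES = """\
#ACTION  SOURCE  DEST                 PROTO  DEST PORT(S)
DNAT     net     loc:192.168.0.1:80   tcp    80
DNAT     net     loc:192.168.0.1:25   tcp    25
DNAT     net     loc:192.168.0.50:80  tcp    8080
ACCEPT   net     $FW                  tcp    22
"""

# Assumption: the addresses the firewall host itself owns, on any interface.
FIREWALL_ADDRESSES = {"192.168.0.1", "203.0.113.10"}

def parse_dest(dest):
    """Split a DEST column such as 'loc:192.168.0.1:80' into (zone, ip, port).
    ip is None when the column carries no address or it is not a valid one."""
    zone, _, rest = dest.partition(":")
    ip, _, port = rest.partition(":")
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        ip = None
    return zone, ip, port or None

def lint_rules(text, fw_addresses):
    """Return (line_number, offending_ip, suggested_rule) for every DNAT whose
    target address belongs to the firewall itself (zone $FW, not loc)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) < 4 or cols[0] != "DNAT":
            continue
        source, dest, proto = cols[1], cols[2], cols[3]
        zone, ip, port = parse_dest(dest)
        if ip in fw_addresses:
            # A daemon on the firewall is reached with ACCEPT into $FW; take
            # the port from DEST (zone:ip:port) or else from the DEST PORT column.
            port = port or (cols[4] if len(cols) > 4 else "")
            suggestion = f"ACCEPT {source} $FW {proto} {port}".rstrip()
            findings.append((lineno, ip, suggestion))
    return findings
```

Running `lint_rules(SAMPLE_RULES, FIREWALL_ADDRESSES)` flags lines 2 and 3 and leaves the DNAT to 192.168.0.50 alone, since that host really is in loc.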