Hello all,

After perusing the documentation, FAQs, and mailing list archives, I have not been able to find a way to do the following. I'm hoping "you" can help.

I want to transparently redirect all outbound SMTP connections to an SMTP server of *my* choice. This way, regardless of what a user on my network has set their SMTP server to be within their MUA, I will redirect their outbound mail to the server I want them to use.

This will:

1. Prevent any "won't relay" issues arising from users trying to use an outgoing mail server that won't accept connections from my network (i.e. any (properly configured) mail server other than my ISP's....).

2. Allow me to redirect all outbound SMTP to my own mail server (from which I can log outbound mail activity, etc.).

How can I do this using Shorewall? Any caveats in doing this that you know of?

TIA for your help.

Regards,
Kevin Traas
On Thu, 2004-10-14 at 15:05, Kevin Traas wrote:
> Hello all,
>
> After perusing the documentation, faqs, and mailing list archives, I have
> not been able to find a way to do the following. I'm hoping "you" can help.
>
> I want to transparently redirect all outbound SMTP connections to an SMTP
> server of *my* choice. This way, regardless of what a user on my network
> has set their SMTP server to be within their MUA, I will redirect their
> outbound mail to the server I want them to use.
>
> This will:
> 1. Prevent any "won't relay" issues arising from users trying to use an
> outgoing mail server that won't accept connections from my network. (i.e.
> any (properly configured) mail server other than my ISP's....)

Yep

> 2. Allow me to redirect all outbound SMTP to my own mail server (from which
> I can log outbound mail activity, etc.).

Yep

> How can I do this using Shorewall?

#Outbound SMTP on ports 25 and 587 are silently redirected to the Desired SMTP Relay
ACCEPT    loc    fw:10.0.0.253       tcp    25
REDIRECT  loc    25                  tcp    25
ACCEPT    loc    fw:10.0.0.253       tcp    587
REDIRECT  loc    25                  tcp    587
ACCEPT    fw     net                 tcp    25
DNAT      loc    net:[SMTP_IP_ADD]   tcp    25

NOTE: I use a Local Postfix Instance and redirect all SMTP traffic to that for throttled delivery.

> Any caveats in doing this that you know of?

Make sure that all your other rules are good, and that your network is secure, or your SMTP relay will dutifully forward all the spam that a cracker can send it.

> TIA for your help.
>
> Regards,
> Kevin Traas
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Terry Gilsenan wrote:
> On Thu, 2004-10-14 at 15:05, Kevin Traas wrote:
> [...]
>> How can I do this using Shorewall?
>
> #Outbound SMTP on ports 25 and 587 are silently redirected to the
> Desired SMTP Relay
> ACCEPT    loc    fw:10.0.0.253       tcp    25
> REDIRECT  loc    25                  tcp    25
> ACCEPT    loc    fw:10.0.0.253       tcp    587
> REDIRECT  loc    25                  tcp    587
> ACCEPT    fw     net                 tcp    25
> DNAT      loc    net:[SMTP_IP_ADD]   tcp    25

The ACCEPT rules above are redundant -- DNAT and REDIRECT each create a companion ACCEPT rule.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
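A check for the redundancy Tom points out, added here as an example and not part of the thread or of Shorewall itself: it reads a rules file in the ACTION SOURCE DEST PROTO DPORT layout used above and lists the ACCEPT rules whose companion a REDIRECT (source zone to fw) or DNAT (source zone to the DNAT destination zone) already supplies. The sample rules file is constructed from Terry's snippet, with the relay address left as its placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): flag ACCEPT rules in a Shorewall
# rules file that duplicate the companion ACCEPT a REDIRECT or DNAT rule
# already creates. Assumed column layout: ACTION SOURCE DEST PROTO DPORT.

# Print the ACCEPT lines made redundant by a REDIRECT/DNAT on the same
# source zone, protocol and port. Usage: redundant_accepts RULESFILE
redundant_accepts() {
    awk '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        NF == 0          { next }                 # skip blank lines
        {
            zone = $2; sub(/:.*/, "", zone)       # SOURCE zone, host part dropped
            dest = $3; sub(/:.*/, "", dest)       # DEST zone (a port for REDIRECT)
            key  = zone SUBSEP $4 SUBSEP $5       # zone, proto, dport
        }
        # REDIRECT implies ACCEPT zone->fw; DNAT implies ACCEPT zone->dest zone.
        $1 == "REDIRECT" { implied[key SUBSEP "fw"] = 1 }
        $1 == "DNAT"     { implied[key SUBSEP dest] = 1 }
        $1 == "ACCEPT"   { accepts[NR] = $0; akey[NR] = key SUBSEP dest }
        END {
            for (n = 1; n <= NR; n++)
                if ((n in accepts) && (akey[n] in implied)) print accepts[n]
        }
    ' "$1"
}

# Constructed sample: the rule set posted in the thread.
sample_rules() {
    cat <<'EOF'
#ACTION   SOURCE  DEST                PROTO  DPORT
ACCEPT    loc     fw:10.0.0.253       tcp    25
REDIRECT  loc     25                  tcp    25
ACCEPT    loc     fw:10.0.0.253       tcp    587
REDIRECT  loc     25                  tcp    587
ACCEPT    fw      net                 tcp    25
DNAT      loc     net:[SMTP_IP_ADD]   tcp    25
EOF
}

# Number of redundant ACCEPT lines in the sample. Expected: 2 (the two
# loc->fw rules); "ACCEPT fw net tcp 25" is the relay's own outbound
# path, which no REDIRECT/DNAT implies, so it is kept.
count_redundant() {
    tmp=$(mktemp)
    sample_rules > "$tmp"
    redundant_accepts "$tmp" | wc -l | tr -d ' '
    rm -f "$tmp"
}

count_redundant
```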
And if I want to redirect locally originated SMTP to another server, can I do it with Shorewall?

Today I use a proxy (http://proxy.sourceforge.net/):

/usr/local/bin/proxy -S 127.0.0.1 -s 25 -D <dmz-ip> -d 25

[Guilsson]

On Thu, 14 Oct 2004 07:41:27 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> [...]
> The ACCEPT rules above are redundant -- DNAT and REDIRECT each create a
> companion ACCEPT rule.
Guilsson wrote:
> And if I want to redirect local originated SMTP to another server, can
> I do with Shorewall ?
>
> Today I use a proxy (http://proxy.sourceforge.net/):
> /usr/local/bin/proxy -S 127.0.0.1 -s 25 -D <dmz-ip> -d 25

If your kernel config has CONFIG_IP_NF_NAT_LOCAL=Yes (which SuSE kernels do not), you can use this rule:

DNAT    fw    dmz:<dmz-ip>    tcp    25    -    127.0.0.1

-Tom
On Thu, 14 Oct 2004 10:48:16 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> Guilsson wrote:
>> And if I want to redirect local originated SMTP to another server, can
>> I do with Shorewall ?
>>
>> Today I use a proxy (http://proxy.sourceforge.net/):
>> /usr/local/bin/proxy -S 127.0.0.1 -s 25 -D <dmz-ip> -d 25
>
> If your kernel config has CONFIG_IP_NF_NAT_LOCAL=Yes (which SuSE kernels
> do not), you can use this rule:

Is this a setting that I can set to Yes or No at runtime (sysctl setting, /proc, etc.)?

I tried this to find out (I'm a newbie on kernel re-compile):

------
# grep -r CONFIG_IP_NF_NAT_LOCAL /usr/src/linux-2.4/*
Documentation/Configure.help:CONFIG_IP_NF_NAT_LOCAL
arch/ppc/configs/apus_defconfig:# CONFIG_IP_NF_NAT_LOCAL is not set
arch/ppc/configs/briq_defconfig:# CONFIG_IP_NF_NAT_LOCAL is not set
arch/ppc/configs/common_defconfig:# CONFIG_IP_NF_NAT_LOCAL is not set
arch/ppc/configs/ibmchrp_defconfig:# CONFIG_IP_NF_NAT_LOCAL is not set
arch/ppc/configs/pal4_defconfig:# CONFIG_IP_NF_NAT_LOCAL is not set
arch/ppc/configs/pmac_defconfig:# CONFIG_IP_NF_NAT_LOCAL is not set
arch/ppc/defconfig:# CONFIG_IP_NF_NAT_LOCAL is not set
configs/kernel-2.4.20-i686-bigmem.config:CONFIG_IP_NF_NAT_LOCAL=m
configs/kernel-2.4.20-athlon-smp.config:CONFIG_IP_NF_NAT_LOCAL=m
configs/kernel-2.4.20-athlon.config:CONFIG_IP_NF_NAT_LOCAL=m
configs/kernel-2.4.20-i386-BOOT.config:CONFIG_IP_NF_NAT_LOCAL=m
configs/kernel-2.4.20-i386-smp.config:CONFIG_IP_NF_NAT_LOCAL=m
configs/kernel-2.4.20-i386.config:CONFIG_IP_NF_NAT_LOCAL=m
configs/kernel-2.4.20-i586-smp.config:CONFIG_IP_NF_NAT_LOCAL=m
configs/kernel-2.4.20-i586.config:CONFIG_IP_NF_NAT_LOCAL=m
configs/kernel-2.4.20-i686-smp.config:CONFIG_IP_NF_NAT_LOCAL=m
configs/kernel-2.4.20-i686.config:CONFIG_IP_NF_NAT_LOCAL=m
configs/kernel-2.4.20-x86_64-smp.config:CONFIG_IP_NF_NAT_LOCAL=m
configs/kernel-2.4.20-x86_64.config:CONFIG_IP_NF_NAT_LOCAL=m
include/linux/autoconf.h:#define CONFIG_IP_NF_NAT_LOCAL 1
include/linux/netfilter_ipv4/ip_nat.h:#ifndef CONFIG_IP_NF_NAT_LOCAL
net/ipv4/netfilter/Config.in: bool ' NAT of local connections (READ HELP)' CONFIG_IP_NF_NAT_LOCAL
net/ipv4/netfilter/ip_nat_core.c:#ifdef CONFIG_IP_NF_NAT_LOCAL
net/ipv4/netfilter/ip_nat_core.c:#ifdef CONFIG_IP_NF_NAT_LOCAL
net/ipv4/netfilter/ip_nat_core.c:#ifdef CONFIG_IP_NF_NAT_LOCAL
net/ipv4/netfilter/ip_nat_core.c:#ifdef CONFIG_IP_NF_NAT_LOCAL
net/ipv4/netfilter/ip_nat_rule.c:#ifdef CONFIG_IP_NF_NAT_LOCAL
net/ipv4/netfilter/ip_nat_rule.c:#ifndef CONFIG_IP_NF_NAT_LOCAL
net/ipv4/netfilter/ip_nat_rule.c: DEBUGP("DNAT: CONFIG_IP_NF_NAT_LOCAL not enabled\n");
net/ipv4/netfilter/ip_nat_standalone.c:#ifdef CONFIG_IP_NF_NAT_LOCAL
net/ipv4/netfilter/ip_nat_standalone.c:#ifdef CONFIG_IP_NF_NAT_LOCAL
net/ipv4/netfilter/ip_nat_standalone.c:#ifdef CONFIG_IP_NF_NAT_LOCAL
net/ipv4/netfilter/ip_nat_standalone.c:#ifdef CONFIG_IP_NF_NAT_LOCAL
------

I use RH9 (2.4.20-31.9) and iptables v1.2.7a.

Thanks
[Guilsson]

> DNAT fw dmz:<dmz-ip> tcp 25 - 127.0.0.1
>
> -Tom
Guilsson wrote:
> On Thu, 14 Oct 2004 10:48:16 -0700, Tom Eastep <teastep@shorewall.net> wrote:
> [...]
>> If your kernel config has CONFIG_IP_NF_NAT_LOCAL=Yes (which SuSE kernels
>> do not), you can use this rule:
>
> Is this a setting that I can set to Yes or No at runtime (sysctl
> setting, /proc, etc) ?
> I tried this to find out (I'm newbie on kernel re-compile):

Guilsson -- Why don't you try the rule that I posted and see if it works for you rather than spamming 1,000+ people with this question?

-Tom
> Guilsson -- Why don't you try the rule that I posted and see if it
> works for you rather than spamming 1,000+ people with this question?

Really thanks.
Guilsson wrote:
>> Guilsson -- Why don't you try the rule that I posted and see if it
>> works for you rather than spamming 1,000+ people with this question?
>
> Really thanks.

Well, the rule works on my Fedora Core 2 system -- if it doesn't work for you then please say so; I have absolutely no idea what your post was trying to say (shorewall restart didn't work -- shorewall restart worked but the rule didn't produce the right results -- your firewall exploded when you tried to restart shorewall). You apparently did a recursive grep for the CONFIG_IP_NF_NAT_LOCAL option in your linux kernel source tree but we have no idea what prompted you to do that!!!!

-Tom
Guilsson wrote:
> My question was (about CONFIG_IP_NF_NAT_LOCAL):
>
>> Is this a setting that I can set to Yes or No at runtime (sysctl
>> setting, /proc, etc) ?
>
> Ie, how to know, in advance, if my kernel have CONFIG_IP_NF_NAT_LOCAL
> configured to Yes ?
>
> Anyway ... forget. This question is off-topic. I'll try kernel mailing lists.

And my question was -- why are you asking this question rather than simply trying the rule? If you are running a recent Shorewall version and have a current Shorewall restore script ("shorewall save") then what is the harm in adding the rule and trying "shorewall restart"?

If you insist on knowing ahead of time then recent Kernels have /proc/config.gz which you can look at to see what options your kernel was built with.

gateway:~ # gzip -dc < /proc/config.gz | grep CONFIG_IP_NF_NAT_LOCAL
# CONFIG_IP_NF_NAT_LOCAL is not set
gateway:~ #

This shows that my kernel on 'gateway' does NOT have the required option...

-Tom
Tom Eastep wrote:
> Guilsson wrote:
> [...]
>>> Is this a setting that I can set to Yes or No at runtime (sysctl
>>> setting, /proc, etc) ?
>>> I tried this to find out (I'm newbie on kernel re-compile):
>
> Guilsson -- Why don't you try the rule that I posted and see if it
> works for you rather than spamming 1,000+ people with this question?

I wish that I could start this thread over again but I can't -- my apology for the snippy response and for omitting this key piece of information:

If you add the rule that I posted to your rules file and Shorewall can be successfully restarted, then your kernel contains CONFIG_IP_NF_NAT_LOCAL support -- if it fails (and you've typed the rule correctly) then your kernel is missing that support.

In addition to /proc/config.gz, you can also look at the .config file used to build your kernel (if you have access to it -- it is in the top-level kernel source directory). In RedHat Kernel Source RPMs, there are a number of config files in the "Configuration" directory under the top level source directory; you have to pick the one that was used to build your particular kernel but they probably all set CONFIG_IP_NF_NAT_LOCAL the same way.
-Tom
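The two checks Tom describes (/proc/config.gz on the running kernel, or the .config a kernel was built from), as an added shell example that is not from the thread: kconfig_option reads either form and reports whether CONFIG_IP_NF_NAT_LOCAL is built in (y), modular (m), explicitly off (n) or absent from the file (unknown). The sample config files are constructed to mirror the cases seen in the thread (Tom's gateway, the RH9 configs, and a built-in option).

```shell
#!/bin/sh
# Added example (not from the thread): report how a kernel option was set,
# reading either /proc/config.gz or a plain .config. Prints y, m, n or unknown.

# Usage: kconfig_option FILE OPTION   (FILE is gunzipped if it ends in .gz)
kconfig_option() {
    file=$1; opt=$2
    [ -r "$file" ] || { echo unknown; return; }
    case $file in
        *.gz) gzip -dc < "$file" ;;
        *)    cat "$file" ;;
    esac | awk -v opt="$opt" '
        $0 == "# " opt " is not set" { state = "n" }    # explicitly disabled
        index($0, opt "=") == 1 {                       # OPT=y / OPT=m (exact name)
            state = substr($0, length(opt) + 2)
        }
        END { print (state == "" ? "unknown" : state) }
    '
}

# The option the thread is about: from the running kernel when
# /proc/config.gz exists, otherwise from the .config path given.
nat_local_status() {
    kconfig_option "${1:-/proc/config.gz}" CONFIG_IP_NF_NAT_LOCAL
}

# Constructed sample configs for the three cases in the thread:
# Tom's gateway (not set), the RH9 build configs (=m), and a built-in (=y).
demo() {
    dir=$(mktemp -d)
    printf '# CONFIG_IP_NF_NAT_LOCAL is not set\n' > "$dir/gateway.config"
    printf 'CONFIG_IP_NF_NAT_LOCAL=m\n'            > "$dir/rh9.config"
    printf 'CONFIG_IP_NF_NAT_LOCAL=y\n' | gzip -c  > "$dir/config.gz"
    for f in gateway.config rh9.config config.gz; do
        printf '%s: %s\n' "$f" "$(nat_local_status "$dir/$f")"
    done
    rm -rf "$dir"
}

demo
```

A DNAT rule with the firewall (`fw`) as SOURCE only loads when the running kernel reports `y` or `m` here; `n` or `unknown` means the rule Tom posted will fail at "shorewall restart".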