Shorewall users - Jan 2005 - Problem with bridging/routing on three interfaces and DNAT

Hello all,

I have a problem with external access to a postfix mailserver running on my
firewall as a mail-gateway. My setup with shorewall 2.2.0 rc4 is as follows:

eth0 is zone isf - this is an intranet to other companies
eth1 is zone loc - local network
eth2 is zone net - internet, fix ip adress

eth0 and eth1 are bridged

shorewall version
2.2.0-RC4

ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:76:f7:c5:fc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::204:76ff:fef7:c5fc/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:04:38:74:76 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::250:4ff:fe38:7476/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:04:49:9a:37 brd ff:ff:ff:ff:ff:ff
    inet 212.60.254.66/29 brd 212.60.254.71 scope global eth2
    inet6 fe80::250:4ff:fe49:9a37/64 scope link
       valid_lft forever preferred_lft forever
5: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:04:76:f7:c5:fc brd ff:ff:ff:ff:ff:ff
    inet 172.25.9.13/24 brd 172.25.9.255 scope global br0
    inet6 fe80::204:76ff:fef7:c5fc/64 scope link
       valid_lft forever preferred_lft forever

ip route show
212.60.254.64/29 dev eth2  proto kernel  scope link  src 212.60.254.66
172.25.9.0/24 dev br0  proto kernel  scope link  src 172.25.9.13
172.25.5.0/24 via 172.25.9.1 dev br0
172.25.7.0/24 via 172.25.9.1 dev br0
10.101.0.0/16 via 172.25.9.1 dev br0
10.103.0.0/16 via 172.25.9.1 dev br0
10.102.0.0/16 via 172.25.9.1 dev br0
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 212.60.254.65 dev eth2


I followed the guidelines in the Quickstart-Guide for a bridge which also
acts as a router, only adding that my system has to take mail from the
internet and to forward it to the internal mailsystem.

my zones-file:
net   Net
isf   ISF
loc   local

my hosts-file:
isf   br0:eth0
loc   br0:eth1

my interfaces-file:
-     br0    172.25.9.255
net   eth2   detect

my masq-file:
eth2    br0

part of my rules-file:
DNAT    net   loc:172.25.9.13   tcp   25  -  212.60.254.66

I tried to work without masquerading at all and setup an ACCEPT-rule like
ACCEPT  net    fw    tcp   25

BUT both ways my server does not respond to port 25 !

Any help much appreciated  !!!

Regards from Germany,
Philipp

-- 
+++ Sparen Sie mit GMX DSL +++ http://www.gmx.net/de/go/dsl
AKTION fr Wechsler: DSL-Tarife ab 3,99 EUR/Monat + Startguthaben

Philipp Rusch wrote:
> 
> 
> part of my rules-file:
> DNAT    net   loc:172.25.9.13   tcp   25  -  212.60.254.66
> 
That is clearly nonsense since 172.25.9.13 is the IP address of *the
bridge* and hence is in the $FW zone and not in the ''loc''
zone.
> I tried to work without masquerading at all and setup an ACCEPT-rule like
> ACCEPT  net    fw    tcp   25
That should work if your mail server is listening on 212.60.254.66.
Check "netstat -tnap".
> 
> BUT both ways my server does not respond to port 25 !
> 
> Any help much appreciated  !!!
>
Look at your log!! And if you need additional help, please read the
support guide and pay particular attention to the part that reads THIS
IS IMPORTANT!!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom, thank you for your help !

I feel rather dumb: SuSEconfig inserted a second inet_interface-line
at the end of my postfix config, postfix was not listening on the right
interface at all !!!
> Philipp Rusch wrote:
> > 
> > 
> > part of my rules-file:
> > DNAT    net   loc:172.25.9.13   tcp   25  -  212.60.254.66
> > 
> 
> That is clearly nonsense since 172.25.9.13 is the IP address of *the
> bridge* and hence is in the $FW zone and not in the ''loc''
zone.
OK - I thought so - $FW:172.25.9.13 is working now.
> 
> > I tried to work without masquerading at all and setup an ACCEPT-rule
> like
> > ACCEPT  net    fw    tcp   25
Why is this not working if I do masquerading from internal ?
I read your warning that I have to use DNAT in case I do MASQ internal
hosts, I need to MASQ the internal mailserver at least. 
> 
> That should work if your mail server is listening on 212.60.254.66.
> Check "netstat -tnap".
> 
> > 
> > BUT both ways my server does not respond to port 25 !
> > 
> > Any help much appreciated  !!!
> >
> 
> Look at your log!!
I had no entries in there about port 25

 And if you need additional help, please read the
> support guide and pay particular attention to the part that reads THIS
> IS IMPORTANT!!
Thank you again.
Philipp
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 
-- 
+++ GMX - die erste Adresse fr Mail, Message, More +++
1 GB Mailbox bereits in GMX FreeMail http://www.gmx.net/de/go/mail

Philipp Rusch wrote:
> 
> 
> 
> Why is this not working if I do masquerading from internal ?
> I read your warning that I have to use DNAT in case I do MASQ internal
> hosts, I need to MASQ the internal mailserver at least. 
> 
Phillip -- You can see what is going on on your system -- WE CAN''T. If
you will submit a proper problem report that includes the output of
"shorewall status" as an attachment, then I will try to help you. But
please don''t give us a few little details about your system then ask us
"Why is this not working?"

Also please include the output of "netstat -tnap".

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Philipp Rusch wrote:
> 
>>
>>>BUT both ways my server does not respond to port 25 !
>>>
Really?

[root@lists postfix]#  telnet 212.60.254.66 25
Trying 212.60.254.66...
Connected to 212.60.254.66 (212.60.254.66).
Escape character is ''^]''.
220 mailgate.fontargen.de ESMTP Postfix

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

It works since fifteen minutes, now.
> Philipp Rusch wrote:
> > 
> >>
> >>>BUT both ways my server does not respond to port 25 !
> >>>
> 
> Really?
> 
> [root@lists postfix]#  telnet 212.60.254.66 25
> Trying 212.60.254.66...
> Connected to 212.60.254.66 (212.60.254.66).
> Escape character is ''^]''.
> 220 mailgate.fontargen.de ESMTP Postfix
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
> 
-- 
+++ Sparen Sie mit GMX DSL +++ http://www.gmx.net/de/go/dsl
AKTION fr Wechsler: DSL-Tarife ab 3,99 EUR/Monat + Startguthaben

Philipp Rusch wrote:
> It works since fifteen minutes, now.
> 
>
Sorry -- I misinterpreted your last message to say that it still was not
working.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

> Philipp Rusch wrote:
Tom,
 
> > Why is this not working if I do masquerading from internal ?
This was mis-understandable: I did not mean *my* configuration at all
I meant reading your comment in the
"rules"-file:

#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the
internet, 
#          you cannot use an ACCEPT rule to allow traffic from the internet
to
#	   that system. You *must* use a DNAT rule
instead.
#-------------------------------------------------------------------------------#
> > I read your warning that I have to use DNAT in case I do MASQ internal
> > hosts, I need to MASQ the internal mailserver at least. 
This was a question for understanding the background of your warning above,
thats all.
> > 
> 
> Phillip -- You can see what is going on on your system -- WE
CAN''T. If
> you will submit a proper problem report that includes the output of
> "shorewall status" as an attachment, then I will try to help you.
But
> please don''t give us a few little details about your system then
ask us
> "Why is this not working?"
Everything is working now - RC4 works for me like a
charm.
> 
> Also please include the output of "netstat -tnap".
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> 
Tank you again,
Philipp

-- 
+++ Sparen Sie mit GMX DSL +++ http://www.gmx.net/de/go/dsl
AKTION fr Wechsler: DSL-Tarife ab 3,99 EUR/Monat + Startguthaben

Philipp Rusch wrote:
>>Philipp Rusch wrote:
> 
> 
> Tom,
>  
> 
>>>Why is this not working if I do masquerading from internal ?
> 
> 
> This was mis-understandable: I did not mean *my* configuration at all
> I meant reading your comment in the
> "rules"-file:
> 
>
#------------------------------------------------------------------------------
> # WARNING: If you masquerade or use SNAT from a local system to the
> internet, 
> #          you cannot use an ACCEPT rule to allow traffic from the internet
> to
> #	   that system. You *must* use a DNAT rule
> instead.
>
#-------------------------------------------------------------------------------#
> 
That refers to accessing servers *behind* the firewall. Servers running
on the firewall do not require DNAT; ACCEPT should be sufficient unless
the server is only listening on a local IP address; then you may wish to
use a REDIRECT rule (you can also use a DNAT rule as you apparently
discovered).
> 
>>>I read your warning that I have to use DNAT in case I do MASQ
internal
>>>hosts, I need to MASQ the internal mailserver at least. 
> 
> 
> This was a question for understanding the background of your warning above,
> thats all.
Hopefully it''s clear now.
> 
>>Phillip -- You can see what is going on on your system -- WE
CAN''T. If
>>you will submit a proper problem report that includes the output of
>>"shorewall status" as an attachment, then I will try to help
you. But
>>please don''t give us a few little details about your system
then ask us
>>"Why is this not working?"
> 
> 
> Everything is working now - RC4 works for me like a charm.
> 
Great!

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key