Philipp Rusch
2005-Jan-07 13:43 UTC
Problem with bridging/routing on three interfaces and DNAT
Hello all,

I have a problem with external access to a postfix mailserver running on my firewall as a mail-gateway.

My setup with shorewall 2.2.0 rc4 is as follows:

eth0 is zone isf - this is an intranet to other companies
eth1 is zone loc - local network
eth2 is zone net - internet, fixed ip address
eth0 and eth1 are bridged

shorewall version 2.2.0-RC4

ip addr show

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:76:f7:c5:fc brd ff:ff:ff:ff:ff:ff
    inet6 fe80::204:76ff:fef7:c5fc/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:04:38:74:76 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::250:4ff:fe38:7476/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:04:49:9a:37 brd ff:ff:ff:ff:ff:ff
    inet 212.60.254.66/29 brd 212.60.254.71 scope global eth2
    inet6 fe80::250:4ff:fe49:9a37/64 scope link
       valid_lft forever preferred_lft forever
5: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    link/ether 00:04:76:f7:c5:fc brd ff:ff:ff:ff:ff:ff
    inet 172.25.9.13/24 brd 172.25.9.255 scope global br0
    inet6 fe80::204:76ff:fef7:c5fc/64 scope link
       valid_lft forever preferred_lft forever

ip route show

212.60.254.64/29 dev eth2  proto kernel  scope link  src 212.60.254.66
172.25.9.0/24 dev br0  proto kernel  scope link  src 172.25.9.13
172.25.5.0/24 via 172.25.9.1 dev br0
172.25.7.0/24 via 172.25.9.1 dev br0
10.101.0.0/16 via 172.25.9.1 dev br0
10.103.0.0/16 via 172.25.9.1 dev br0
10.102.0.0/16 via 172.25.9.1 dev br0
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 212.60.254.65 dev eth2

I followed the guidelines in the Quickstart-Guide for a bridge which also acts as a router, only adding that my system has to take mail from the internet and forward it to the internal mailsystem.

my zones-file:
net     Net
isf     ISF
loc     local

my hosts-file:
isf     br0:eth0
loc     br0:eth1

my interfaces-file:
-       br0     172.25.9.255
net     eth2    detect

my masq-file:
eth2    br0

part of my rules-file:
DNAT    net     loc:172.25.9.13    tcp    25    -    212.60.254.66

I tried to work without masquerading at all and set up an ACCEPT-rule like
ACCEPT  net     fw      tcp     25

BUT both ways my server does not respond to port 25 !

Any help much appreciated !!!

Regards from Germany,
Philipp

-- 
+++ Save with GMX DSL +++ http://www.gmx.net/de/go/dsl
PROMOTION for switchers: DSL rates from 3,99 EUR/month + starting credit
Tom Eastep
2005-Jan-07 15:28 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
Philipp Rusch wrote:
>
> part of my rules-file:
> DNAT    net     loc:172.25.9.13    tcp    25    -    212.60.254.66
>

That is clearly nonsense since 172.25.9.13 is the IP address of *the bridge* and hence is in the $FW zone and not in the 'loc' zone.

> I tried to work without masquerading at all and set up an ACCEPT-rule like
> ACCEPT  net     fw      tcp     25

That should work if your mail server is listening on 212.60.254.66. Check "netstat -tnap".

>
> BUT both ways my server does not respond to port 25 !
>
> Any help much appreciated !!!
>

Look at your log!! And if you need additional help, please read the support guide and pay particular attention to the part that reads THIS IS IMPORTANT!!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Philipp Rusch
2005-Jan-07 15:52 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
Tom, thank you for your help !

I feel rather dumb: SuSEconfig inserted a second inet_interfaces line at the end of my postfix config, postfix was not listening on the right interface at all !!!

> Philipp Rusch wrote:
> >
> > part of my rules-file:
> > DNAT    net     loc:172.25.9.13    tcp    25    -    212.60.254.66
> >
>
> That is clearly nonsense since 172.25.9.13 is the IP address of *the
> bridge* and hence is in the $FW zone and not in the 'loc' zone.

OK - I thought so - $FW:172.25.9.13 is working now.

> > I tried to work without masquerading at all and set up an ACCEPT-rule like
> > ACCEPT  net     fw      tcp     25

Why is this not working if I do masquerading from internal ?
I read your warning that I have to use DNAT in case I do MASQ internal hosts, I need to MASQ the internal mailserver at least.

> That should work if your mail server is listening on 212.60.254.66.
> Check "netstat -tnap".
>
> >
> > BUT both ways my server does not respond to port 25 !
> >
> > Any help much appreciated !!!
> >
>
> Look at your log!!

I had no entries in there about port 25

> And if you need additional help, please read the
> support guide and pay particular attention to the part that reads THIS
> IS IMPORTANT!!

Thank you again.
Philipp

> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

-- 
+++ GMX - the first address for Mail, Message, More +++
1 GB mailbox already in GMX FreeMail http://www.gmx.net/de/go/mail
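Two checks for the failure mode Philipp found and for Tom's "netstat -tnap" advice, as an added shell example that is not part of the thread. Postfix keeps only the last definition of a parameter that appears twice in main.cf, so a second inet_interfaces line appended to the file silently overrides the hand-edited one; the second function reads netstat-style output and reports whether the SMTP port is bound to the expected address. The main.cf and netstat excerpts are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: (1) the value Postfix will actually use
# for a main.cf parameter that is defined more than once (the LAST definition
# wins); (2) whether a LISTEN socket on a port is bound to the expected
# address or to a wildcard. Both inputs below are constructed samples.

MAINCF_SAMPLE='myhostname = mailgate.example.invalid
inet_interfaces = all
mydestination = $myhostname, localhost
inet_interfaces = localhost'

NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address      Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.1:25       0.0.0.0:*        LISTEN  1234/master
tcp        0      0 0.0.0.0:22         0.0.0.0:*        LISTEN  987/sshd'

# effective_value KEY < main.cf: print the value Postfix uses for KEY,
# prefixed with "DUPLICATE:" when KEY is defined more than once.
effective_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                          # skip comment lines
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            line = $0
            sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
            val = line; n++                          # later definitions override
        }
        END { if (n > 1) print "DUPLICATE:" val; else if (n == 1) print val }'
}

# listens_on PORT ADDR < netstat-output: LISTENING if some LISTEN socket on
# PORT is bound to ADDR or to a wildcard (0.0.0.0 / ::), else NOT-LISTENING.
listens_on() {
    awk -v port="$1" -v want="$2" '
        $6 == "LISTEN" {
            p = $4; sub(/.*:/, "", p)                          # text after the last colon
            ip = substr($4, 1, length($4) - length(p) - 1)     # everything before it
            if (p == port && (ip == want || ip == "0.0.0.0" || ip == "::")) found = 1
        }
        END { print (found ? "LISTENING" : "NOT-LISTENING") }'
}

printf '%s\n' "$MAINCF_SAMPLE" | effective_value inet_interfaces    # DUPLICATE:localhost
printf '%s\n' "$NETSTAT_SAMPLE" | listens_on 25 212.60.254.66        # NOT-LISTENING
```

On a live system the same functions take `postconf -n` is not needed: feed them `cat /etc/postfix/main.cf` and `netstat -tnap` (or `ss -ltnp`, whose LISTEN column position differs) directly.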
Tom Eastep
2005-Jan-07 15:58 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
Philipp Rusch wrote:
>
> Why is this not working if I do masquerading from internal ?
> I read your warning that I have to use DNAT in case I do MASQ internal
> hosts, I need to MASQ the internal mailserver at least.
>

Philipp -- You can see what is going on on your system -- WE CAN'T. If you will submit a proper problem report that includes the output of "shorewall status" as an attachment, then I will try to help you. But please don't give us a few little details about your system then ask us "Why is this not working?"

Also please include the output of "netstat -tnap".

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Jan-07 16:08 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
Philipp Rusch wrote:
>
>>
>>> BUT both ways my server does not respond to port 25 !
>>>

Really?

[root@lists postfix]# telnet 212.60.254.66 25
Trying 212.60.254.66...
Connected to 212.60.254.66 (212.60.254.66).
Escape character is '^]'.
220 mailgate.fontargen.de ESMTP Postfix

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Philipp Rusch
2005-Jan-07 16:12 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
It has been working for fifteen minutes now.

> Philipp Rusch wrote:
> >
> >>
> >>> BUT both ways my server does not respond to port 25 !
> >>>
>
> Really?
>
> [root@lists postfix]# telnet 212.60.254.66 25
> Trying 212.60.254.66...
> Connected to 212.60.254.66 (212.60.254.66).
> Escape character is '^]'.
> 220 mailgate.fontargen.de ESMTP Postfix
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Jan-07 16:15 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
Philipp Rusch wrote:
> It has been working for fifteen minutes now.
>

Sorry -- I misinterpreted your last message to say that it still was not working.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Philipp Rusch
2005-Jan-07 16:21 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
> Philipp Rusch wrote:

Tom,

> > Why is this not working if I do masquerading from internal ?

This was ambiguous: I did not mean *my* configuration at all, I meant reading your comment in the "rules"-file:

#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
#          you cannot use an ACCEPT rule to allow traffic from the internet to
#          that system. You *must* use a DNAT rule instead.
#-------------------------------------------------------------------------------#

> > I read your warning that I have to use DNAT in case I do MASQ internal
> > hosts, I need to MASQ the internal mailserver at least.

This was a question for understanding the background of your warning above, that's all.

> Philipp -- You can see what is going on on your system -- WE CAN'T. If
> you will submit a proper problem report that includes the output of
> "shorewall status" as an attachment, then I will try to help you. But
> please don't give us a few little details about your system then ask us
> "Why is this not working?"

Everything is working now - RC4 works for me like a charm.

> Also please include the output of "netstat -tnap".
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Thank you again,
Philipp
Tom Eastep
2005-Jan-07 16:26 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
Philipp Rusch wrote:
>> Philipp Rusch wrote:
>
> Tom,
>
>>> Why is this not working if I do masquerading from internal ?
>
> This was ambiguous: I did not mean *my* configuration at all, I meant
> reading your comment in the "rules"-file:
>
> #------------------------------------------------------------------------------
> # WARNING: If you masquerade or use SNAT from a local system to the internet,
> #          you cannot use an ACCEPT rule to allow traffic from the internet to
> #          that system. You *must* use a DNAT rule instead.
> #-------------------------------------------------------------------------------#
>

That refers to accessing servers *behind* the firewall. Servers running on the firewall do not require DNAT; ACCEPT should be sufficient unless the server is only listening on a local IP address; then you may wish to use a REDIRECT rule (you can also use a DNAT rule as you apparently discovered).

>>> I read your warning that I have to use DNAT in case I do MASQ internal
>>> hosts, I need to MASQ the internal mailserver at least.
>
> This was a question for understanding the background of your warning above,
> that's all.

Hopefully it's clear now.

>> Philipp -- You can see what is going on on your system -- WE CAN'T. If
>> you will submit a proper problem report that includes the output of
>> "shorewall status" as an attachment, then I will try to help you. But
>> please don't give us a few little details about your system then ask us
>> "Why is this not working?"
>
> Everything is working now - RC4 works for me like a charm.
>

Great!

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
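The zone mix-up Tom corrects in this thread (a DNAT rule pointing at the bridge's own address, which belongs to $FW rather than "loc"), as an added shell lint that is not part of the thread and not Shorewall's own code. It collects the firewall's IPv4 addresses from "ip addr show" output and flags every DNAT rule whose DEST host is one of them; the ip addr and rules excerpts are constructed samples built from the addresses quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall: a lint for the
# mistake corrected above. A DNAT rule whose DEST host is one of the
# firewall's own addresses points at the $FW zone, not at "loc"; a daemon on
# the firewall itself needs ACCEPT net fw (or REDIRECT if it listens only on
# a local address). Both inputs are constructed samples built from the
# addresses quoted in the thread.

IPADDR_SAMPLE='4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 212.60.254.66/29 brd 212.60.254.71 scope global eth2
5: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
    inet 172.25.9.13/24 brd 172.25.9.255 scope global br0'

RULES_SAMPLE='#ACTION  SOURCE  DEST             PROTO  DEST PORT  SOURCE PORT  ORIGINAL DEST
DNAT     net     loc:172.25.9.13  tcp    25         -            212.60.254.66
DNAT     net     loc:172.25.9.20  tcp    25         -            212.60.254.66
ACCEPT   net     fw               tcp    25'

# local_ips < "ip addr show" output: one IPv4 address of the firewall per line.
local_ips() {
    awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2 }'
}

# lint_dnat "IP IP ..." < rules file: print one finding per DNAT rule whose
# DEST host is a firewall address; prints nothing when the rules are fine.
lint_dnat() {
    awk -v locals="$1" '
        BEGIN { n = split(locals, a); for (i = 1; i <= n; i++) is_local[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
        $1 == "DNAT" {
            host = $3; sub(/^[^:]*:/, "", host)  # "loc:172.25.9.13" -> "172.25.9.13"
            zone = $3; sub(/:.*/, "", zone)      # "loc:172.25.9.13" -> "loc"
            if (host in is_local)
                printf "line %d: DNAT to firewall address %s is in $FW, not %s; use ACCEPT net fw or REDIRECT\n", NR, host, zone
        }'
}

printf '%s\n' "$RULES_SAMPLE" | lint_dnat "$(printf '%s\n' "$IPADDR_SAMPLE" | local_ips)"
```

The second DNAT rule (172.25.9.20, a host behind the firewall) is the legitimate use of DNAT and produces no finding.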