Philipp Rusch
2005-Jan-07 13:43 UTC
Problem with bridging/routing on three interfaces and DNAT
Hello all,
I have a problem with external access to a Postfix mail server running on my
firewall as a mail gateway. My setup with shorewall 2.2.0 rc4 is as follows:
eth0 is zone isf - this is an intranet to other companies
eth1 is zone loc - local network
eth2 is zone net - internet, fixed IP address
eth0 and eth1 are bridged
shorewall version
2.2.0-RC4
ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:04:76:f7:c5:fc brd ff:ff:ff:ff:ff:ff
inet6 fe80::204:76ff:fef7:c5fc/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:04:38:74:76 brd ff:ff:ff:ff:ff:ff
inet6 fe80::250:4ff:fe38:7476/64 scope link
valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:50:04:49:9a:37 brd ff:ff:ff:ff:ff:ff
inet 212.60.254.66/29 brd 212.60.254.71 scope global eth2
inet6 fe80::250:4ff:fe49:9a37/64 scope link
valid_lft forever preferred_lft forever
5: br0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:76:f7:c5:fc brd ff:ff:ff:ff:ff:ff
inet 172.25.9.13/24 brd 172.25.9.255 scope global br0
inet6 fe80::204:76ff:fef7:c5fc/64 scope link
valid_lft forever preferred_lft forever
ip route show
212.60.254.64/29 dev eth2 proto kernel scope link src 212.60.254.66
172.25.9.0/24 dev br0 proto kernel scope link src 172.25.9.13
172.25.5.0/24 via 172.25.9.1 dev br0
172.25.7.0/24 via 172.25.9.1 dev br0
10.101.0.0/16 via 172.25.9.1 dev br0
10.103.0.0/16 via 172.25.9.1 dev br0
10.102.0.0/16 via 172.25.9.1 dev br0
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 212.60.254.65 dev eth2
I followed the guidelines in the Quickstart Guide for a bridge which also
acts as a router, only adding that my system has to take mail from the
internet and forward it to the internal mail system.
my zones-file:
net Net
isf ISF
loc local
my hosts-file:
isf br0:eth0
loc br0:eth1
my interfaces-file:
- br0 172.25.9.255
net eth2 detect
my masq-file:
eth2 br0
part of my rules-file:
DNAT net loc:172.25.9.13 tcp 25 - 212.60.254.66
I tried to work without masquerading at all and set up an ACCEPT rule like
ACCEPT net fw tcp 25
BUT either way my server does not respond on port 25!
Any help much appreciated!!!
Regards from Germany,
Philipp
Tom Eastep
2005-Jan-07 15:28 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
Philipp Rusch wrote:

> part of my rules-file:
> DNAT net loc:172.25.9.13 tcp 25 - 212.60.254.66

That is clearly nonsense since 172.25.9.13 is the IP address of *the bridge* and hence is in the $FW zone and not in the 'loc' zone.

> I tried to work without masquerading at all and set up an ACCEPT rule like
> ACCEPT net fw tcp 25

That should work if your mail server is listening on 212.60.254.66. Check "netstat -tnap".

> BUT either way my server does not respond on port 25!
>
> Any help much appreciated!!!

Look at your log!! And if you need additional help, please read the support guide and pay particular attention to the part that reads THIS IS IMPORTANT!!

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Philipp Rusch
2005-Jan-07 15:52 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
Tom, thank you for your help! I feel rather dumb: SuSEconfig inserted a second inet_interfaces line at the end of my postfix config, postfix was not listening on the right interface at all!!!

> Philipp Rusch wrote:
>
>> part of my rules-file:
>> DNAT net loc:172.25.9.13 tcp 25 - 212.60.254.66
>
> That is clearly nonsense since 172.25.9.13 is the IP address of *the
> bridge* and hence is in the $FW zone and not in the 'loc' zone.

OK - I thought so - $FW:172.25.9.13 is working now.

>> I tried to work without masquerading at all and set up an ACCEPT rule like
>> ACCEPT net fw tcp 25

Why is this not working if I do masquerading from internal? I read your warning that I have to use DNAT in case I do MASQ internal hosts, I need to MASQ the internal mail server at least.

> That should work if your mail server is listening on 212.60.254.66.
> Check "netstat -tnap".
>
>> BUT either way my server does not respond on port 25!
>>
>> Any help much appreciated!!!
>
> Look at your log!!

I had no entries in there about port 25.

> And if you need additional help, please read the
> support guide and pay particular attention to the part that reads THIS
> IS IMPORTANT!!

Thank you again.
Philipp
Tom Eastep
2005-Jan-07 15:58 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
Philipp Rusch wrote:

> Why is this not working if I do masquerading from internal?
> I read your warning that I have to use DNAT in case I do MASQ internal
> hosts, I need to MASQ the internal mail server at least.

Philipp -- You can see what is going on on your system -- WE CAN'T. If you will submit a proper problem report that includes the output of "shorewall status" as an attachment, then I will try to help you. But please don't give us a few little details about your system then ask us "Why is this not working?"

Also please include the output of "netstat -tnap".

-Tom
Tom Eastep
2005-Jan-07 16:08 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
Philipp Rusch wrote:

>>> BUT either way my server does not respond on port 25!

Really?

[root@lists postfix]# telnet 212.60.254.66 25
Trying 212.60.254.66...
Connected to 212.60.254.66 (212.60.254.66).
Escape character is '^]'.
220 mailgate.fontargen.de ESMTP Postfix

-Tom
Philipp Rusch
2005-Jan-07 16:12 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
It has been working for fifteen minutes now.

> Philipp Rusch wrote:
>
>>>> BUT either way my server does not respond on port 25!
>
> Really?
>
> [root@lists postfix]# telnet 212.60.254.66 25
> Trying 212.60.254.66...
> Connected to 212.60.254.66 (212.60.254.66).
> Escape character is '^]'.
> 220 mailgate.fontargen.de ESMTP Postfix
>
> -Tom
Tom Eastep
2005-Jan-07 16:15 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
Philipp Rusch wrote:

> It has been working for fifteen minutes now.

Sorry -- I misinterpreted your last message to say that it still was not working.

-Tom
Philipp Rusch
2005-Jan-07 16:21 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
Tom,

>> Why is this not working if I do masquerading from internal?

This could be misunderstood: I did not mean *my* configuration at all. I meant reading your comment in the "rules"-file:

#------------------------------------------------------------------------------
# WARNING: If you masquerade or use SNAT from a local system to the internet,
# you cannot use an ACCEPT rule to allow traffic from the internet to
# that system. You *must* use a DNAT rule instead.
#-------------------------------------------------------------------------------#

>> I read your warning that I have to use DNAT in case I do MASQ internal
>> hosts, I need to MASQ the internal mail server at least.

This was a question for understanding the background of your warning above, that's all.

> Philipp -- You can see what is going on on your system -- WE CAN'T. If
> you will submit a proper problem report that includes the output of
> "shorewall status" as an attachment, then I will try to help you. But
> please don't give us a few little details about your system then ask us
> "Why is this not working?"

Everything is working now - RC4 works for me like a charm.

> Also please include the output of "netstat -tnap".

Thank you again,
Philipp
Tom Eastep
2005-Jan-07 16:26 UTC
Re: Problem with bridging/routing on three interfaces and DNAT
Philipp Rusch wrote:

>>> Why is this not working if I do masquerading from internal?
>
> This could be misunderstood: I did not mean *my* configuration at all.
> I meant reading your comment in the "rules"-file:
>
> #------------------------------------------------------------------------------
> # WARNING: If you masquerade or use SNAT from a local system to the internet,
> # you cannot use an ACCEPT rule to allow traffic from the internet to
> # that system. You *must* use a DNAT rule instead.
> #-------------------------------------------------------------------------------#

That refers to accessing servers *behind* the firewall. Servers running on the firewall do not require DNAT; ACCEPT should be sufficient unless the server is only listening on a local IP address; then you may wish to use a REDIRECT rule (you can also use a DNAT rule as you apparently discovered).

>>> I read your warning that I have to use DNAT in case I do MASQ internal
>>> hosts, I need to MASQ the internal mail server at least.
>
> This was a question for understanding the background of your warning above,
> that's all.

Hopefully it's clear now.

>> Philipp -- You can see what is going on on your system -- WE CAN'T. If
>> you will submit a proper problem report that includes the output of
>> "shorewall status" as an attachment, then I will try to help you. But
>> please don't give us a few little details about your system then ask us
>> "Why is this not working?"
>
> Everything is working now - RC4 works for me like a charm.

Great! Thanks,

-Tom
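The distinction Tom draws above (a service on the firewall itself versus a masqueraded host behind it) written out as Shorewall 2.x rules entries for this thread's addresses; this is an added example, not a file from the list or the Shorewall project, and the internal mail host 172.25.9.20 is a constructed placeholder.

```text
# Added example for the setup in this thread: firewall public address
# 212.60.254.66 on eth2, bridge address 172.25.9.13, zones net/loc/isf.
# 172.25.9.20 is a constructed placeholder for a host behind the firewall.
#
#ACTION   SOURCE   DEST                 PROTO  DEST  SOURCE  ORIGINAL
#                                              PORT  PORT    DEST
#
# 1. Daemon running ON the firewall and bound to the public address (or to
#    all addresses): plain ACCEPT into $FW is enough. Masquerading of the
#    internal hosts on eth2 does not affect connections to the firewall
#    itself; the rules-file WARNING is not about this case.
ACCEPT    net      $FW                  tcp    25
#
# 2. Daemon running ON the firewall but bound only to the bridge address:
#    rewrite the destination to that address. The target zone is $FW, not
#    loc, because 172.25.9.13 belongs to the firewall (this is the form
#    that ended up working in the thread).
DNAT      net      $FW:172.25.9.13      tcp    25    -       212.60.254.66
#
# 3. REDIRECT variant for a daemon on the firewall: the destination becomes
#    the firewall's own address on the arriving interface, and the DEST
#    column names the local port to deliver to (here 2525). It changes the
#    port, not the local IP, so it helps when the daemon listens on a
#    non-standard port rather than on a different address.
REDIRECT  net      2525                 tcp    25
#
# 4. Server BEHIND the firewall on a masqueraded network: this is what the
#    WARNING refers to. An ACCEPT net->loc rule cannot deliver the inbound
#    connection; it must be DNATed to the internal host.
DNAT      net      loc:172.25.9.20      tcp    25    -       212.60.254.66
```

Rules 1 to 3 are alternatives for a single daemon on the gateway; a real rules file would carry only the one matching how the daemon is bound.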