Hi folks,

As you've no doubt noticed incoming spam recently massively increased. This has overloaded our current server (24.74.9.226) which does HTTP, SMTP, POP and IMAP. To help cope with this, I've put up a second server (24.74.9.225) which will be the mail server, leaving the original server to just be a web server.

Can I use shorewall on the first machine (version 1.4.8 running on Mandrake 9.2) to forward all traffic coming in on ports 25, 110 & 143 on 24.74.9.226 to 24.74.9.225? I've tried various things today and none of them have worked. Searching the mailing archives gave no joy either, but that might have been a conceptual flaw on my part setting the search terms.

The two machines are on the same VLAN (but I don't have administrative access to the switch).

-- 
Cheers,
Rob
On 3 Feb 2005 at 18:14, Robert Fargher wrote:

> Hi folks,
>
> As you've no doubt noticed incoming spam recently massively increased. This
> has overloaded our current server (24.74.9.226) which does HTTP, SMTP, POP
> and IMAP. To help cope with this, I've put up a second server (24.74.9.225)
> which will be the mail server, leaving the original server to just be a web
> server.
>
> Can I use shorewall on the first machine (version 1.4.8 running on Mandrake
> 9.2) to forward all traffic coming in on ports 25, 110 & 143 on 24.74.9.226
> to 24.74.9.225? I've tried various things today and none of them have
> worked. Searching the mailing archives gave no joy either, but that might
> have been a conceptual flaw on my part setting the search terms.
>
> The two machines are on the same VLAN (but I don't have administrative
> access to the switch).

Would it not be just as efficient to put the mail server on your own DMZ (or inside your firewall) than to use an external IP?

I suspect they are on the same cable modem so it's not like you will achieve any bandwidth saving by using an external IP.

-- 
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
Robert Fargher wrote:

> Hi folks,
>
> As you've no doubt noticed incoming spam recently massively increased. This
> has overloaded our current server (24.74.9.226) which does HTTP, SMTP, POP
> and IMAP. To help cope with this, I've put up a second server (24.74.9.225)
> which will be the mail server, leaving the original server to just be a web
> server.
>
> Can I use shorewall on the first machine (version 1.4.8 running on Mandrake
> 9.2) to forward all traffic coming in on ports 25, 110 & 143 on 24.74.9.226
> to 24.74.9.225? I've tried various things today and none of them have
> worked. Searching the mailing archives gave no joy either, but that might
> have been a conceptual flaw on my part setting the search terms.
>
> The two machines are on the same VLAN (but I don't have administrative
> access to the switch).

Since you've not told us what "various things" you've tried....

Have you added "routeback" to the interface definition?

routeback

    (Added in version 1.4.2) - This option causes Shorewall to set up
    handling for routing packets that arrive on this interface back out the
    same interface. If this option is specified, the ZONE column may not
    contain "-".

-- 
"A common mistake that people make when trying to design something completely foolproof was to underestimate the ingenuity of complete fools."
--Ford Prefect in "Mostly Harmless".
> Would it not be just as efficient to put the mail server on your
> own DMZ (or inside your firewall) than to use an external IP?

No. That would restrict my flexibility down the road, when I can foresee having multiple servers behind a load balancer.

Right now, we're serving about 10,000 mail clients. All the MX records will be updated to the new mail server. But we want to minimise the trauma <grin> to our clients, many of whom are unsophisticated. Asking them to change mail settings would be a major challenge to far too many of them. I'd really like to make this switch-over transparent to them so that their current mail sending/retrieval continues to work without change.

> I suspect they are on the same cable modem so its not like
> you will achieve any bandwidth saving by using an external IP.

Actually the network they are on is fed by multiple fractional OC-3's. :-) And I have an entire routable Class-C if needs be. Mind you, most of those IPs are assigned.

-- 
Cheers,
Rob
> Since you've not told us what "various things" you've tried....

Sorry, my bad. What I tried was various combinations using the DNAT or REDIRECT directives.

> Have you added "routeback" to the interface definition?
>
> routeback
>
>     (Added in version 1.4.2) - This option causes Shorewall to set up
>     handling for routing packets that arrive on this interface back out the
>     same interface. If this option is specified, the ZONE column may not
>     contain "-".

Thank you for that. I missed that. I shall thwap myself with an organic noodle appropriately and now go read up on routeback.

You, sir, are a gentleman, a scholar and, I'm sure, a judge of fine whiskey.

-- 
Cheers,
Rob
Robert Fargher wrote:

> Hi folks,
>
> As you've no doubt noticed incoming spam recently massively increased. This
> has overloaded our current server (24.74.9.226) which does HTTP, SMTP, POP
> and IMAP. To help cope with this, I've put up a second server (24.74.9.225)
> which will be the mail server, leaving the original server to just be a web
> server.
>
> Can I use shorewall on the first machine (version 1.4.8 running on Mandrake
> 9.2) to forward all traffic coming in on ports 25, 110 & 143 on 24.74.9.226
> to 24.74.9.225?

Yes but you don't want to.

    client ----- SYN 24.74.9.226:25 -----------> 24.74.9.226
                                                      |
                                                      V
           <----- SYN ACK ---------------------- 24.74.9.225

So the client sends a SYN to 24.74.9.226 and get's the SYN,ACK back from 24.74.9.225; it sensibly discards the response.

The is fundimentally the same as Shorewall FAQ 2 -- it doesn't work any better on the internet side than it does on the local side.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> The is fundimentally the same as Shorewall FAQ 2 -- it doesn't work any

Should be "This is fundamentally...."

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>> Can I use shorewall on the first machine (version 1.4.8 running on
>> Mandrake 9.2) to forward all traffic coming in on ports 25, 110 & 143 on
>> 204.174.19.226 to 204.174.19.225?
>
> Yes but you don't want to.

<grin> You're right, I don't want to. But I'd sure like to find a way to make the switchover to a new mail server easy for our clients.

> client ----- SYN 204.174.19.226:25 -----------> 204.174.19.226
>                                                      |
>                                                      V
>        <----- SYN ACK ---------------------- 204.174.19.225
>
> So the client sends a SYN to 204.174.19.226 and get's the SYN,ACK back from
> 204.174.19.225; it sensibly discards the response.

So I added:

    net eth0 detect blacklist,routeback

to /etc/shorewall/interfaces and

    DNAT:$LOG net net:204.174.19.225 tcp 500 - all:204.174.19.226

to /etc/shorewall/rules. As I understood it (from http://lists.shorewall.net/pipermail/shorewall-users/2003-October/009419.html), the "all:204.174.19.226" should correct the syn/ack discrepancy.

Apache is running on port 500 on 204.174.19.226, as a test system. If I browse there, either by name (kodiak2.in-vancouver.com) or IP address on port 500, it works. If I browse to 204.174.19.226:500 or kodiak3.in-vancouver.com:500, it doesn't (I get a server timeout response). Shorewall is running on the new system (kodiak2) too, with port 500/tcp allowed.

The log entry from the DNAT rule gives:

    Jan 26 09:37:16 kodiak3 Shorewall:net_dnat:DNAT: IN=eth0 OUT= MAC=00:07:e9:39:21:b4:00:0d:28:8f:01:00:08:00 SRC=24.80.117.93 DST=24.74.9.226 LEN=60 TOS=00 PREC=0x00 TTL=57 ID=31648 DF PROTO=TCP SPT=52853 DPT=500 SEQ=4083648204 ACK=0 WINDOW=5840 SYN URGP=0

I'm puzzled where the Jan 26 came from in the log file. The "date" command shows, correctly, Thu Feb 3 20:29:51 PST 2005.

> The is fundimentally the same as Shorewall FAQ 2 -- it doesn't work any
> better on the internet side than it does on the local side.

Darn. Any suggestions? <fingers crossed>

-- 
Cheers,
Rob
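When a DNAT rule logs like the entry above, the useful fields are the Shorewall chain and disposition (net_dnat / DNAT), the ingress interface, the SRC/DST pair and the TCP flags, which together tell you whether the rule matched the packet you expected and what it did with it. The following parser is an added example (not code from the thread or from Shorewall); it takes the posted log line as its sample input, splits the netfilter KEY=VALUE tokens and bare flags, and decodes the MAC= field, which netfilter prints as destination MAC, source MAC and EtherType. The flag-check helper at the end is also added here for illustration.

```python
import re

# Log line as posted in the message above (the poster later noted that the
# DST address shown there was a substituted one; the parser does not care).
SAMPLE_LINE = (
    "Jan 26 09:37:16 kodiak3 Shorewall:net_dnat:DNAT: IN=eth0 OUT= "
    "MAC=00:07:e9:39:21:b4:00:0d:28:8f:01:00:08:00 SRC=24.80.117.93 "
    "DST=24.74.9.226 LEN=60 TOS=00 PREC=0x00 TTL=57 ID=31648 DF PROTO=TCP "
    "SPT=52853 DPT=500 SEQ=4083648204 ACK=0 WINDOW=5840 SYN URGP=0"
)

# syslog timestamp, host, then the "Shorewall:<chain>:<disposition>:" prefix
# that Shorewall's LOG rules put in front of the kernel's netfilter fields.
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+): "
    r"(?P<rest>.*)$"
)


def parse_shorewall_log(line):
    """Return a dict of the fields in one Shorewall log line, or None if the
    line is not a Shorewall log entry. KEY=VALUE tokens become dict entries
    (an empty value such as OUT= is kept as ""); bare tokens such as DF and
    SYN are collected under "flags"."""
    m = _HEADER.match(line)
    if not m:
        return None
    entry = {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "flags": [],
    }
    for token in m.group("rest").split():
        if "=" in token:
            key, _, value = token.partition("=")
            entry[key] = value
        else:
            entry["flags"].append(token)
    return entry


def split_mac(mac_field):
    """Split netfilter's MAC= field (14 bytes: dst MAC, src MAC, EtherType)
    into its three parts as colon-separated hex strings."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("unexpected MAC field length: %r" % mac_field)
    return ":".join(octets[0:6]), ":".join(octets[6:12]), ":".join(octets[12:14])


def is_new_tcp_connection(entry):
    """True when the logged packet is a bare SYN (new connection attempt),
    which is what a DNAT rule in the nat table sees: only the first packet
    of a connection passes through the nat chains."""
    return (entry.get("PROTO") == "TCP"
            and "SYN" in entry["flags"]
            and "ACK" not in entry["flags"])


def summarize(line):
    """One-line human summary of a Shorewall log entry, or None."""
    entry = parse_shorewall_log(line)
    if entry is None:
        return None
    return "%s %s: %s:%s -> %s:%s/%s via %s (%s)" % (
        entry["chain"], entry["disposition"],
        entry.get("SRC"), entry.get("SPT"),
        entry.get("DST"), entry.get("DPT"), entry.get("PROTO"),
        entry.get("IN") or "-", " ".join(entry["flags"]))


if __name__ == "__main__":
    print(summarize(SAMPLE_LINE))
    print(split_mac(parse_shorewall_log(SAMPLE_LINE)["MAC"]))
```

For a quick check of a live rule, pipe `grep Shorewall: /var/log/messages` through `summarize` and confirm that the DST, DPT and IN fields are the ones the DNAT rule was meant to match; the IN=eth0 with an empty OUT= here is exactly what a packet hitting a PREROUTING (nat) rule looks like, before any routing decision has been made.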
> DST=24.74.9.226 LEN=60 TOS=00 PREC=0x00 TTL=57 ID=31648 DF PROTO=TCP

Oops, the "DST=" address should have been 204.174.19.266.

Previously, I attempted to disguise the systems. Then I read Tom's "This is important!" guideline and, red-faced, am toeing the line. :-)

-- 
Cheers,
Rob, the red-faced.
--On Thursday, February 03, 2005 21:14 -0800 Robert Fargher <fargher@shaw.ca> wrote:

>> DST=24.74.9.226 LEN=60 TOS=00 PREC=0x00 TTL=57 ID=31648 DF PROTO=TCP
>
> Oops, the "DST=" address should have been 204.174.19.266.
>
> Previously, I attempted to disguise the systems. Then I read Tom's
> "This is important!" guideline and, red-faced, am toeing the line. :-)

Well, 266 is an invalid address, since IPs only go to 255 in each octet... no way to represent larger numbers....

typo?
> --On Thursday, February 03, 2005 21:14 -0800 Robert Fargher
> <fargher@shaw.ca> wrote:
>
>>> DST=24.74.9.226 LEN=60 TOS=00 PREC=0x00 TTL=57 ID=31648 DF PROTO=TCP
>>
>> Oops, the "DST=" address should have been 204.174.19.266.
>>
>> Previously, I attempted to disguise the systems. Then I read Tom's
>> "This is important!" guideline and, red-faced, am toeing the line. :-)
>
> Well, 266, is an invalid address, since IPs only go to 255 in each
> octet...no way yo represent larger numbers....
>
> typo?

Oops. Yep. It should have been 204.174.19.226.

-- 
Rob, with the redder face
Robert Fargher wrote:

> So I added:
>     net eth0 detect blacklist,routeback
> to /etc/shorewall/interfaces
> and
>     DNAT:$LOG net net:204.174.19.225 tcp 500 - all:204.174.19.226
> to /etc/shorewall/rules. As I understood it (from
> http://lists.shorewall.net/pipermail/shorewall-users/2003-October/009419.html),
> the "all:204.174.19.226" should correct the syn/ack discrepancy

That syntax is deprecated in Shorewall 2.0 and is disallowed in Shorewall 2.2. See Shorewall FAQ 2 again.

> Apache is running on port 500 on 204.174.19.226, as a test system.

If Apache is running on 204.174.19.226 then you have the IP addresses in the rule reversed.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:

> Robert Fargher wrote:
>
>> So I added:
>>     net eth0 detect blacklist,routeback
>> to /etc/shorewall/interfaces
>> and
>>     DNAT:$LOG net net:204.174.19.225 tcp 500 - all:204.174.19.226
>> to /etc/shorewall/rules. As I understood it (from
>> http://lists.shorewall.net/pipermail/shorewall-users/2003-October/009419.html),
>> the "all:204.174.19.226" should correct the syn/ack discrepancy
>
> That syntax is deprecated in Shorewall 2.0 and is disallowed in
> Shorewall 2.2. See Shorewall FAQ 2 again.
>
>> Apache is running on port 500 on 204.174.19.226, as a test system.
>
> If Apache is running on 204.174.19.226 then you have the IP addresses in
> the rule reversed.

Note though that I personally would never take this approach for an Internet-accessible server because it makes all forwarded traffic appear to the server to have originated on the redirecting system.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
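Two points in this thread are easiest to see side by side: Tom's earlier SYN / SYN-ACK diagram (a DNAT on the old server sends the client's SYN to the new mail server, but the SYN-ACK comes straight back from the mail server's own address and the client discards it), and the caveat just above about the "all:" source-NAT workaround (the reply now does come back through the redirecting host, at the price that the mail server sees every connection as coming from that host, losing the real client addresses from its logs and any per-source controls). The following Python model is an added example, not code from the thread or from Shorewall; it models the packets of the handshake only, not Shorewall's configuration syntax. The server addresses are the ones from the original post, the client address is constructed from the RFC 5737 documentation range, and the source port and the conntrack table are simplifications made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

# Addresses from the original post. The client address is constructed
# (RFC 5737 documentation range) and the source port is arbitrary.
OLD_SERVER = "24.74.9.226"    # runs Shorewall; the address clients still use
MAIL_SERVER = "24.74.9.225"   # new mail server on the same VLAN
CLIENT = "198.51.100.7"
CLIENT_PORT = 52853
SMTP = 25


class Redirector:
    """Toy model of the Shorewall host: a DNAT rule for port 25, optionally
    combined with source NAT so that replies are routed back through it."""

    def __init__(self, snat):
        self.snat = snat
        # Simplified conntrack: reply 4-tuple -> (original client, client port)
        self.conntrack = {}

    def inbound(self, pkt):
        # DNAT: rewrite the destination to the mail server.
        out = replace(pkt, dst=MAIL_SERVER)
        if self.snat:
            # SNAT: the mail server sees this host as the sender and therefore
            # addresses its reply to this host instead of the real client.
            out = replace(out, src=OLD_SERVER)
            key = (MAIL_SERVER, pkt.dport, OLD_SERVER, pkt.sport)
            self.conntrack[key] = (pkt.src, pkt.sport)
        return out

    def reply(self, pkt):
        # Reverse both translations for a reply that came back to this host.
        client, client_port = self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)]
        return Packet(OLD_SERVER, pkt.sport, client, client_port, pkt.flags)


def mail_server_reply(pkt):
    """The mail server answers whatever source the SYN claimed."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "SYN,ACK")


def client_accepts(syn, synack):
    """A TCP stack matches a SYN-ACK against the 4-tuple of the socket that
    sent the SYN; a reply from any other address is discarded."""
    return (synack.src == syn.dst and synack.sport == syn.dport
            and synack.dst == syn.src and synack.dport == syn.sport)


def handshake(snat):
    """Run one SYN / SYN-ACK exchange through the redirector and report what
    the mail server saw as the source and whether the client accepts."""
    fw = Redirector(snat)
    syn = Packet(CLIENT, CLIENT_PORT, OLD_SERVER, SMTP, "SYN")
    forwarded = fw.inbound(syn)
    synack = mail_server_reply(forwarded)
    # Both servers are on one VLAN: the mail server delivers directly to any
    # destination except the redirector, so only replies addressed to the
    # redirector get un-NATed.
    if synack.dst == OLD_SERVER:
        synack = fw.reply(synack)
    return {
        "server_sees_source": forwarded.src,
        "synack_source": synack.src,
        "client_accepts": client_accepts(syn, synack),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("snat=%s -> %s" % (mode, handshake(mode)))
```

Run it and the DNAT-only case fails exactly as the diagram shows (the SYN-ACK arrives from 24.74.9.225, not the address the client connected to), while the SNAT case completes the handshake but reports 24.74.9.226 as the source the mail server saw. That second result is the reason for the caveat above: everything the mail server logs or rate-limits by client address would be attributed to the redirecting host.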
> Tom Eastep wrote:
>
> If Apache is running on 204.174.19.226 then you have the IP addresses in
> the rule reversed.

No, it is running on 204.274.19.225. It was a typo on my part. It still didn't work. Given that even if I had made it work, the fact that the syntax is disallowed in current versions of shorewall mean that it would break when the system is updated means I'm taking your advice to not do it this way.

> Note though that I personally would never take this approach for an
> Internet-accessible server because it makes all forwarded traffic appear
> to the server to have originated on the redirecting system.

Tom, thank you very much for your help. I've decided to take a different approach. The original mail server will be set up to have its MTA (exim) forward all mail to the new server. The home and mail spool directories on the new server will be NFS mounts on the original server for POP/IMAP access.

> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool

I love that! I guess I just wasn't sufficiently talented last night. :-)

-- 
Cheers,
Rob