thr3ads.net - Shorewall users - Mail server on DMZ [Feb 2005]

If this information is useful, please help other people find it:
Share via:

Miguel Santos

2005-Feb-28 12:13 UTC

Mail server on DMZ

Hello,

I have this problem: when my mail server on the DMZ starts a connection to
the internet it''s ip (213.58.230.26) is "masqueraded" with
the firewall ip
(213.58.230.50). I wouldn''t mind but there is a one customer who
rejects the
connection because it makes reverse dns and finds no dns entry for the
firewall ip.
How can i correct this?

Thanks,
MSantos


shorewall version 
2.0.1

[root@bassinka log]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0e:2e:08:d4:86 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.5/23 brd 10.0.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:27:25:70:42 brd ff:ff:ff:ff:ff:ff
    inet 213.58.230.50/30 brd 213.58.230.51 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0c:6e:92:fe:67 brd ff:ff:ff:ff:ff:ff
    inet 213.58.230.25/29 brd 213.58.230.31 scope global eth2
    inet 213.30.28.130/32 scope global eth2
    inet 213.30.28.129/32 scope global eth2

[root@bassinka log]# ip route show
213.58.230.48/30 dev eth1  scope link
213.58.230.24/29 dev eth2  scope link
10.0.0.0/23 dev eth0  scope link
169.254.0.0/16 dev eth2  scope link
127.0.0.0/8 dev lo  scope link
default via 213.58.230.49 dev eth1
[root@bassinka log]#

[root@bassinka log]#shorewall status

Shorewall-2.0.1 Chain  at bassinka - Fri Feb 25 10:33:16 WET 2005

Counters reset Thu Feb 24 17:57:46 WET 2005

Chain INPUT (policy DROP 9 packets, 1024 bytes)
 pkts bytes target     prot opt in     out     source
destination         
  592 34399 ACCEPT     all  --  lo     *       0.0.0.0/0
0.0.0.0/0          
    0     0 DROP      !icmp --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID 
 299K  333M eth1_in    all  --  eth1   *       0.0.0.0/0
0.0.0.0/0          
 490K   69M eth0_in    all  --  eth0   *       0.0.0.0/0
0.0.0.0/0          
12739 5222K eth2_in    all  --  eth2   *       0.0.0.0/0
0.0.0.0/0          
    0     0 Drop       all  --  *      *       0.0.0.0/0
0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:DROP:'' 
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain FORWARD (policy DROP 20 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP      !icmp --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID 
 302K  170M eth1_fwd   all  --  eth1   *       0.0.0.0/0
0.0.0.0/0          
1095K  409M eth0_fwd   all  --  eth0   *       0.0.0.0/0
0.0.0.0/0          
 752K  360M eth2_fwd   all  --  eth2   *       0.0.0.0/0
0.0.0.0/0          
    0     0 Drop       all  --  *      *       0.0.0.0/0
0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:DROP:''
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain OUTPUT (policy DROP 2 packets, 1540 bytes)
 pkts bytes target     prot opt in     out     source
destination         
  592 34399 ACCEPT     all  --  *      lo      0.0.0.0/0
0.0.0.0/0          
    0     0 DROP      !icmp --  *      *       0.0.0.0/0
0.0.0.0/0          state INVALID 
 318K   30M fw2net     all  --  *      eth1    0.0.0.0/0
0.0.0.0/0          
 373K  366M fw2loc     all  --  *      eth0    0.0.0.0/0
0.0.0.0/0          
 7741  471K fw2dmz     all  --  *      eth2    0.0.0.0/0
0.0.0.0/0          
    0     0 LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix
`Shorewall:OUTPUT:ACCEPT:''
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain Drop (4 references)
 pkts bytes target     prot opt in     out     source
destination         
 576K   59M RejectAuth  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
 576K   59M dropBcast  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
 384K   19M DropSMB    all  --  *      *       0.0.0.0/0
0.0.0.0/0          
 367K   18M DropUPnP   all  --  *      *       0.0.0.0/0
0.0.0.0/0          
 367K   18M dropNonSyn  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
 367K   18M DropDNSrep  all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain DropDNSrep (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    7   626 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp spt:53 

Chain DropSMB (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:135 
 3484  666K DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpts:137:139 
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:445 
 4248  204K DROP       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:135 
  303 14680 DROP       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:139 
 9269  445K DROP       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:445 

Chain DropUPnP (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:1900 

Chain Reject (0 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 RejectAuth  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
    0     0 dropBcast  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
    0     0 RejectSMB  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
    0     0 DropUPnP   all  --  *      *       0.0.0.0/0
0.0.0.0/0          
    0     0 dropNonSyn  all  --  *      *       0.0.0.0/0
0.0.0.0/0          
    0     0 DropDNSrep  all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain RejectAuth (2 references)
 pkts bytes target     prot opt in     out     source
destination         
   74  4424 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:113 

Chain RejectSMB (1 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 reject     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:135 
    0     0 reject     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpts:137:139 
    0     0 reject     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:445 
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:135 
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:139 
    0     0 reject     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:445 

Chain all2all (3 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
15156  925K Drop       all  --  *      *       0.0.0.0/0
0.0.0.0/0          
 1053  213K LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:all2all:DROP:''
 1053  213K DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain dmz2all (3 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
 3302  294K LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix
`Shorewall:dmz2all:ACCEPT:''
 3302  294K ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain dmz2fw (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 9519 4933K ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:20 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          
 3220  288K dmz2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain dmz2loc (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 537K  144M ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
    7   790 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:26 
 8561  411K ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.7

    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.7

   32  1536 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.6

    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.6

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:25 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:26 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          
    1    78 dmz2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain dmz2net (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 202K  215M ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
   10   635 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
   39  1872 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:25 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:20 
    3   144 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:53 
 3805  272K ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:53 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          
   81  6198 dmz2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source
destination         
 191K   39M DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          PKTTYPE = broadcast 
  480 15360 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          PKTTYPE = multicast 

Chain dropNonSyn (2 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp flags:!0x16/0x02 

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source
destination         

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination         
1095K  409M dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0          
 558K  148M loc2net    all  --  *      eth1    0.0.0.0/0
0.0.0.0/0          
 537K  261M loc2dmz    all  --  *      eth2    0.0.0.0/0
0.0.0.0/0          

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 490K   69M dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0          
 490K   69M loc2fw     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 302K  170M dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0          
 122K   70M net2loc    all  --  *      eth0    0.0.0.0/0
0.0.0.0/0          
 180K  100M net2dmz    all  --  *      eth2    0.0.0.0/0
0.0.0.0/0          

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 299K  333M dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0          
 299K  333M net2fw     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 752K  360M dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0          
 206K  215M dmz2net    all  --  *      eth1    0.0.0.0/0
0.0.0.0/0          
 546K  144M dmz2loc    all  --  *      eth0    0.0.0.0/0
0.0.0.0/0          

Chain eth2_in (1 references)
 pkts bytes target     prot opt in     out     source
destination         
12739 5222K dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0          
12739 5222K dmz2fw     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain fw2all (3 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
12719  891K LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix
`Shorewall:fw2all:ACCEPT:''
12719  891K ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain fw2dmz (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 7516  428K ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
   52  3120 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          
  164 39196 ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          
    9   756 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          
    0     0 fw2all     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 372K  366M ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
  787  570K newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
  130  7800 ACCEPT     tcp  --  *      *       0.0.0.0/0
10.0.0.199         
   55  4290 ACCEPT     udp  --  *      *       0.0.0.0/0
10.0.0.199         
    8   960 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          
  206 42180 fw2all     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 305K   29M ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
  115  7604 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
   13   696 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          
12513  849K fw2all     all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain icmpdef (0 references)
 pkts bytes target     prot opt in     out     source
destination         

Chain loc2all (3 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
 561K   58M Drop       all  --  *      *       0.0.0.0/0
0.0.0.0/0          
 366K   18M LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:loc2all:DROP:''
 366K   18M DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain loc2dmz (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 504K  258M ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
   45  2093 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
    3   144 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:80 
   25  1200 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:25 
16400  787K ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:110 
    2    96 ACCEPT     tcp  --  *      *       10.0.0.41
0.0.0.0/0          tcp dpt:5900 
    7   336 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:21 
16466 1515K ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          
  249 81078 loc2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 263K   28M ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
  848 43602 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     tcp  --  *      *       10.0.0.199
0.0.0.0/0          
  254 75707 ACCEPT     udp  --  *      *       10.0.0.199
0.0.0.0/0          
    0     0 ACCEPT     tcp  --  *      *       10.0.0.1
0.0.0.0/0          
 2240  287K ACCEPT     udp  --  *      *       10.0.0.1
0.0.0.0/0          
20071  964K ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:3128 
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:22 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:53 
 3585  246K ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:53 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          
 200K   40M loc2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 136K  126M ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
  969 41316 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
    0     0 ACCEPT     tcp  --  *      *       10.0.0.152
0.0.0.0/0          tcp dpt:53 
  883 57388 ACCEPT     udp  --  *      *       10.0.0.152
0.0.0.0/0          udp dpt:53 
  334 16032 ACCEPT     tcp  --  *      *       10.0.0.152
0.0.0.0/0          tcp dpt:25 
  203  9744 ACCEPT     tcp  --  *      *       10.0.0.152
0.0.0.0/0          tcp dpt:110 
  201  9648 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:53 
57954 3884K ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:53 
    0     0 ACCEPT     tcp  --  *      *       10.0.0.7
213.58.230.49      
  199 23681 ACCEPT     udp  --  *      *       10.0.0.7
213.58.230.49      
   25  1200 ACCEPT     tcp  --  *      *       10.0.0.66
81.193.248.76      
    0     0 ACCEPT     udp  --  *      *       10.0.0.66
81.193.248.76      
  133 36065 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          
 361K   18M loc2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain net2dmz (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 170K   99M ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
   62 13217 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
  580 30648 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:80 
   13   780 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:443 
  973 51900 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:25 
   14   672 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:110 
   11   528 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:21 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:53 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp dpt:53 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:3389 
   47  2308 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          
 8333  493K all2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 291K  332M ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
  460  219K newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
   24  7176 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          
 6823  432K all2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source
destination         
 121K   70M ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          state RELATED,ESTABLISHED 
   10   574 newnotsyn  tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          state NEW tcp flags:!0x16/0x02 
  205 10020 ACCEPT     tcp  --  *      *       0.0.0.0/0
10.0.0.152         tcp dpt:25 
 1199 57624 ACCEPT     tcp  --  *      *       0.0.0.0/0
10.0.0.152         tcp dpt:110 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
10.0.0.152         tcp dpt:25 ctorigdst 213.58.230.27 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
10.0.0.152         tcp dpt:110 ctorigdst 213.58.230.27 
    7   336 ACCEPT     tcp  --  *      *       0.0.0.0/0
10.0.0.152         tcp dpt:389 ctorigdst 213.58.230.27 
    3   144 ACCEPT     tcp  --  *      *       0.0.0.0/0
10.0.0.80          tcp dpt:80 ctorigdst 213.58.230.28 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
10.0.0.80          tcp dpt:1494 ctorigdst 213.58.230.28 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
10.0.0.81          tcp spt:1495 dpt:1494 ctorigdst 213.58.230.28 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          
    0     0 all2all    all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain newnotsyn (16 references)
 pkts bytes target     prot opt in     out     source
destination         
 3313  898K LOG        all  --  *      *       0.0.0.0/0
0.0.0.0/0          LOG flags 0 level 6 prefix
`Shorewall:newnotsyn:DROP:''
 3313  898K DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          

Chain reject (7 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          PKTTYPE = broadcast 
    0     0 DROP       all  --  *      *       0.0.0.0/0
0.0.0.0/0          PKTTYPE = multicast 
    0     0 DROP       all  --  *      *       213.58.230.51
0.0.0.0/0          
    0     0 DROP       all  --  *      *       10.0.1.255
0.0.0.0/0          
    0     0 DROP       all  --  *      *       213.58.230.31
0.0.0.0/0          
    0     0 DROP       all  --  *      *       255.255.255.255
0.0.0.0/0          
    0     0 DROP       all  --  *      *       224.0.0.0/4
0.0.0.0/0          
   74  4424 REJECT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with tcp-reset 
    0     0 REJECT     udp  --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with icmp-port-unreachable 
    0     0 REJECT     icmp --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with icmp-host-unreachable 
    0     0 REJECT     all  --  *      *       0.0.0.0/0
0.0.0.0/0          reject-with icmp-host-prohibited 

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source
destination         

Chain smurfs (0 references)
 pkts bytes target     prot opt in     out     source
destination         
    0     0 DROP       all  --  *      *       213.58.230.51
0.0.0.0/0          
    0     0 DROP       all  --  *      *       10.0.1.255
0.0.0.0/0          
    0     0 DROP       all  --  *      *       213.58.230.31
0.0.0.0/0          
    0     0 DROP       all  --  *      *       255.255.255.255
0.0.0.0/0          
    0     0 DROP       all  --  *      *       224.0.0.0/4
0.0.0.0/0

Tom Eastep

2005-Feb-28 15:30 UTC

head link

Re: Mail server on DMZ

Miguel Santos wrote:> Hello,
> 
> I have this problem: when my mail server on the DMZ starts a connection to
> the internet it''s ip (213.58.230.26) is "masqueraded"
with the firewall ip
> (213.58.230.50). I wouldn''t mind but there is a one customer who
rejects the
> connection because it makes reverse dns and finds no dns entry for the
> firewall ip.
> How can i correct this?
> 
Remove the entry in /etc/shorewall/masq that is causing the source
address to be re-written.

This problem usually occurs when the three-interface sample
configuration is used in a situation that is inappropriate, as in your case.

The three-interface setup guide even contains this text:

"If, in spite of all advice to the contrary, you are using this guide
and want to use one-to-one NAT or Proxy ARP for your DMZ, remove the
entry for eth2 from /etc/shorewall/masq."

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Maybe Matching Threads

Search for more maybe matching threads

Shorewall users - Feb 2005 - Mail server on DMZ

Mail server on DMZ

Re: Mail server on DMZ

Maybe Matching Threads