Hi,

I have a big "name problem" with my internal mail server (10.0.0.152). It is "seen" on the internet through DNAT (213.58.230.27). Also there is an MX record pointing to the machine. Everything works fine from the outside. However I can't set the mail clients on the LAN pointing to the MX record, because this one points to 213.58.230.27 and the firewall won't return the answer on the path to the internal IP (.152).

Is there any way to correct this?

Regards,
MSantos

shorewall version 2.0.1

[root@bassinka log]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0e:2e:08:d4:86 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.5/23 brd 10.0.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:27:25:70:42 brd ff:ff:ff:ff:ff:ff
    inet 213.58.230.50/30 brd 213.58.230.51 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0c:6e:92:fe:67 brd ff:ff:ff:ff:ff:ff
    inet 213.58.230.25/29 brd 213.58.230.31 scope global eth2
    inet 213.30.28.130/32 scope global eth2
    inet 213.30.28.129/32 scope global eth2

[root@bassinka log]# ip route show
213.58.230.48/30 dev eth1  scope link
213.58.230.24/29 dev eth2  scope link
10.0.0.0/23 dev eth0  scope link
169.254.0.0/16 dev eth2  scope link
127.0.0.0/8 dev lo  scope link
default via 213.58.230.49 dev eth1

[root@bassinka log]# shorewall status
Shorewall-2.0.1 Chain at bassinka - Fri Feb 25 10:33:16 WET 2005

Counters reset Thu Feb 24 17:57:46 WET 2005

Chain INPUT (policy DROP 9 packets, 1024 bytes)
 pkts bytes target     prot opt in     out     source               destination
  592 34399 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 299K  333M eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
 490K   69M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
12739 5222K eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 20 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 302K  170M eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
1095K  409M eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 752K  360M eth2_fwd   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:FORWARD:DROP:'
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 2 packets, 1540 bytes)
 pkts bytes target     prot opt in     out     source               destination
  592 34399 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 318K   30M fw2net     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
 373K  366M fw2loc     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 7741  471K fw2dmz     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:ACCEPT:'
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain Drop (4 references)
 pkts bytes target     prot opt in     out     source               destination
 576K   59M RejectAuth all  --  *      *       0.0.0.0/0            0.0.0.0/0
 576K   59M dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 384K   19M DropSMB    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 367K   18M DropUPnP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
 367K   18M dropNonSyn all  --  *      *       0.0.0.0/0            0.0.0.0/0
 367K   18M DropDNSrep all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DropDNSrep (2 references)
 pkts bytes target     prot opt in     out     source               destination
    7   626 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53

Chain DropSMB (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
 3484  666K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
 4248  204K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
  303 14680 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
 9269  445K DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445

Chain DropUPnP (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900

Chain Reject (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RejectAuth all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dropBcast  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 RejectSMB  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropUPnP   all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 dropNonSyn all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DropDNSrep all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RejectAuth (2 references)
 pkts bytes target     prot opt in     out     source               destination
   74  4424 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113

Chain RejectSMB (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
    0     0 reject     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445

Chain all2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
15156  925K Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1053  213K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:all2all:DROP:'
 1053  213K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
 3302  294K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:dmz2all:ACCEPT:'
 3302  294K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
 9519 4933K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 3220  288K dmz2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
 537K  144M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    7   790 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:26
 8561  411K ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.7
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.7
   32  1536 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.6
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.6
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:26
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    1    78 dmz2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dmz2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
 202K  215M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   10   635 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
   39  1872 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20
    3   144 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
 3805  272K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   81  6198 dmz2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain dropBcast (2 references)
 pkts bytes target     prot opt in     out     source               destination
 191K   39M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
  480 15360 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast

Chain dropNonSyn (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x16/0x02

Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
1095K  409M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 558K  148M loc2net    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
 537K  261M loc2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 490K   69M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 490K   69M loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 302K  170M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 122K   70M net2loc    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
 180K  100M net2dmz    all  --  *      eth2    0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 299K  333M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 299K  333M net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth2_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
 752K  360M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 206K  215M dmz2net    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
 546K  144M dmz2loc    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain eth2_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
12739 5222K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
12739 5222K dmz2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
12719  891K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:fw2all:ACCEPT:'
12719  891K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
 7516  428K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
   52  3120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
  164 39196 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0
    9   756 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 fw2all     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
 372K  366M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  787  570K newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
  130  7800 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.199
   55  4290 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.199
    8   960 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  206 42180 fw2all     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
 305K   29M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  115  7604 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
   13   696 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
12513  849K fw2all     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain loc2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
 561K   58M Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 366K   18M LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:loc2all:DROP:'
 366K   18M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
 504K  258M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   45  2093 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
    3   144 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
   25  1200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
16400  787K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110
    2    96 ACCEPT     tcp  --  *      *       10.0.0.41            0.0.0.0/0           tcp dpt:5900
    7   336 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
16466 1515K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  249 81078 loc2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
 263K   28M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  848 43602 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       10.0.0.199           0.0.0.0/0
  254 75707 ACCEPT     udp  --  *      *       10.0.0.199           0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       10.0.0.1             0.0.0.0/0
 2240  287K ACCEPT     udp  --  *      *       10.0.0.1             0.0.0.0/0
20071  964K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3128
    1    48 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
 3585  246K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 200K   40M loc2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
 136K  126M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  969 41316 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       10.0.0.152           0.0.0.0/0           tcp dpt:53
  883 57388 ACCEPT     udp  --  *      *       10.0.0.152           0.0.0.0/0           udp dpt:53
  334 16032 ACCEPT     tcp  --  *      *       10.0.0.152           0.0.0.0/0           tcp dpt:25
  203  9744 ACCEPT     tcp  --  *      *       10.0.0.152           0.0.0.0/0           tcp dpt:110
  201  9648 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
57954 3884K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       10.0.0.7             213.58.230.49
  199 23681 ACCEPT     udp  --  *      *       10.0.0.7             213.58.230.49
   25  1200 ACCEPT     tcp  --  *      *       10.0.0.66            81.193.248.76
    0     0 ACCEPT     udp  --  *      *       10.0.0.66            81.193.248.76
  133 36065 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 361K   18M loc2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2dmz (1 references)
 pkts bytes target     prot opt in     out     source               destination
 170K   99M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   62 13217 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
  580 30648 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
   13   780 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
  973 51900 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25
   14   672 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:110
   11   528 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3389
   47  2308 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 8333  493K all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
 291K  332M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  460  219K newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
   24  7176 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 6823  432K all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
 121K   70M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   10   574 newnotsyn  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:!0x16/0x02
  205 10020 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.152          tcp dpt:25
 1199 57624 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.152          tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.152          tcp dpt:25 ctorigdst 213.58.230.27
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.152          tcp dpt:110 ctorigdst 213.58.230.27
    7   336 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.152          tcp dpt:389 ctorigdst 213.58.230.27
    3   144 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.80           tcp dpt:80 ctorigdst 213.58.230.28
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.80           tcp dpt:1494 ctorigdst 213.58.230.28
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.81           tcp spt:1495 dpt:1494 ctorigdst 213.58.230.28
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain newnotsyn (16 references)
 pkts bytes target     prot opt in     out     source               destination
 3313  898K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:newnotsyn:DROP:'
 3313  898K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (7 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
    0     0 DROP       all  --  *      *       213.58.230.51        0.0.0.0/0
    0     0 DROP       all  --  *      *       10.0.1.255           0.0.0.0/0
    0     0 DROP       all  --  *      *       213.58.230.31        0.0.0.0/0
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
   74  4424 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain smurfs (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       213.58.230.51        0.0.0.0/0
    0     0 DROP       all  --  *      *       10.0.1.255           0.0.0.0/0
    0     0 DROP       all  --  *      *       213.58.230.31        0.0.0.0/0
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
Miguel Santos wrote:
> Hi,
>
> I have a big "name problem" with my internal mail server (10.0.0.152).
> It is "seen" on the internet through DNAT (213.58.230.27). Also there is an
> MX record pointing to the machine. Everything works fine from the outside.
> However I can't set the mail clients on the LAN pointing to the MX record,
> because this one points to 213.58.230.27 and the firewall won't return
> the answer on the path to the internal IP (.152).
> Is there any way to correct this?
>

This is Shorewall FAQ #2.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
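The reply names the FAQ entry only by number and its text is not on this page. The firewall-side way out of the problem, written here as an added example (it is not Tom's text and not the FAQ's), is a second DNAT rule whose source is the loc zone, plus a masq entry so that the mail server's replies go back through the firewall instead of straight to the client. Assumed from the `ip addr` output above: eth0 is the `loc` interface (10.0.0.5/23), the existing net→loc DNAT for 213.58.230.27 stays as it is, and the `routeback` interface option is accepted by Shorewall 2.0.1. Column layouts are those of the Shorewall 2.x configuration files.

```conf
# /etc/shorewall/interfaces   (added example, not the poster's file)
# routeback lets Shorewall forward a packet back out the interface it
# arrived on, which is exactly what a loc -> loc hairpin needs.
# Assumption: 2.0.1 accepts the option; "shorewall check" will complain
# if it does not.
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      routeback

# /etc/shorewall/rules
# Only the two services LAN mail clients actually use are hairpinned.
# tcp/389, which the net2loc chain above also forwards to 10.0.0.152
# from the Internet, is deliberately not repeated here.
#ACTION  SOURCE   DEST             PROTO  DEST     SOURCE   ORIGINAL
#                                         PORT(S)  PORT(S)  DEST
DNAT     loc      loc:10.0.0.152   tcp    25       -        213.58.230.27
DNAT     loc      loc:10.0.0.152   tcp    110      -        213.58.230.27

# /etc/shorewall/masq
# Without this the server answers a LAN client directly from 10.0.0.152,
# while the client is waiting for a reply from 213.58.230.27 and resets
# the connection. Masquerading only sources inside 10.0.0.0/23 that
# leave via eth0 confines the rewrite to the hairpinned traffic: packets
# DNATed from the Internet keep their real (public) source address.
#INTERFACE  SUBNET
eth0        10.0.0.0/23
```

After `shorewall check` and `shorewall restart`, a LAN host opening 213.58.230.27:25 is DNATed to 10.0.0.152 and, on the way out of eth0, SNATed to 10.0.0.5. The price is that the mail server now sees every LAN client as 10.0.0.5: per-client POP3 logs and any relay-by-source-address rule on the server lose the client's identity. The split-DNS approach in the reply from Eduardo below does not have that side effect, so it is usually preferred when you control the zone.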
MSantos wrote on 07/03/2005 11:53:49:
> Hi,
>
> I have a big "name problem" with my internal mail server (10.0.0.152).
> It is "seen" on the internet through DNAT (213.58.230.27). Also there is a
> MX record pointing to the machine. Everything works fine from the outside.
> However I can't set the mail clients on the LAN pointing to the MX record,
> because this one points to 213.58.230.27 and the firewall won't return
> the answer on the path to the internal IP (.152).
> Is there any way to correct this?
>
> Regards,
> MSantos
>

You should have a different DNS server for your internal zone, or you could create a zone (queryable only from the internal LAN) in your DNS server to serve your internal network. Connect your mail clients to the server named in the internal zone.

cheers,
________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606
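Eduardo's suggestion expressed as a BIND 9 configuration, added here as an example and not his or the poster's actual setup: one name server serves the same zone from two views, so the MX target name resolves to 10.0.0.152 on the LAN and to 213.58.230.27 everywhere else. Only 10.0.0.152, 10.0.0.0/23 and 213.58.230.27 come from the thread; `example.com`, the `mail` and `ns1` host names, the zone file names, the NS addresses and the SOA values are assumptions to be replaced with your own.

```conf
// /etc/named.conf  (BIND 9 views; added example, not the poster's config)
// Assumed names: example.com, mail.example.com, ns1.example.com.
acl "lan" { 10.0.0.0/23; 127.0.0.1; };

options {
    directory "/var/named";
    allow-transfer { none; };   // nobody may AXFR either view
};

view "internal" {
    match-clients { lan; };
    recursion yes;              // LAN hosts may use this box as their resolver
    zone "example.com" {
        type master;
        file "example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;               // authoritative only for the outside: not an open resolver
    zone "example.com" {
        type master;
        file "example.com.external";
    };
};

; /var/named/example.com.internal  (what LAN clients see)
$TTL 3600
@      IN SOA ns1.example.com. hostmaster.example.com. (
           2005030701 ; serial: bump it in BOTH files on every change
           3600 900 604800 3600 )
       IN NS  ns1.example.com.
       IN MX  10 mail.example.com.
ns1    IN A   10.0.0.5          ; assumed: DNS runs on the firewall's LAN side
mail   IN A   10.0.0.152        ; the real server, reached directly on the LAN

; /var/named/example.com.external  (what the Internet sees)
$TTL 3600
@      IN SOA ns1.example.com. hostmaster.example.com. (
           2005030701
           3600 900 604800 3600 )
       IN NS  ns1.example.com.
       IN MX  10 mail.example.com.
ns1    IN A   213.58.230.25     ; assumed: eth2's public address
mail   IN A   213.58.230.27     ; the DNAT address; the MX target name is unchanged
```

The mail clients are pointed at the MX target name (here mail.example.com), never at an address, so nothing changes on the clients when the server moves. Check it from both sides: `dig @10.0.0.5 mail.example.com A` from a LAN host must answer 10.0.0.152, and the same query from outside must answer 213.58.230.27. If the public zone is hosted at the ISP or registrar, drop the "external" view and keep only the internal one; the `match-clients` ACL is what keeps the internal addresses from leaking, so it must not be widened to `any`.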
Sorry for the dumb question. I think I just found the answer in FAQ #2.

Sorry again,
MSantos

-----Original Message-----
From: Miguel Santos [mailto:msantos@martifer.com]
Sent: Monday, 7 March 2005 14:54
To: shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] DNS Name problem with mail server on LAN

Hi,

I have a big "name problem" with my internal mail server (10.0.0.152). It is "seen" on the internet through DNAT (213.58.230.27). Also there is an MX record pointing to the machine. Everything works fine from the outside. However I can't set the mail clients on the LAN pointing to the MX record, because this one points to 213.58.230.27 and the firewall won't return the answer on the path to the internal IP (.152).

Is there any way to correct this?

Regards,
MSantos

shorewall version 2.0.1

[the ip addr, ip route and shorewall status output quoted here is identical to the original post above]

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Hi again,

I have followed the instructions on the FAQ but I'm getting an error when I try the new configuration:
On the line "masqueraded networks and hosts" I keep getting: invalid comma-separated list "10.0.0.5 tcp www"

On the masq file I have added the following line:
eth0:10.0.0.152 eth0 10.0.0.5 tcp www

What might be wrong?

MSantos

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, 7 March 2005 15:00
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] DNS Name problem with mail server on LAN

Miguel Santos wrote:
> Hi,
>
> I have a big "name problem" with my internal mail server (10.0.0.152).
> It is "seen" on the internet through DNAT (213.58.230.27). Also there
> is a MX record pointing to the machine. Everything works fine from the outside.
> However I can't set the mail clients on the LAN pointing to the MX
> record, because this one points to 213.58.230.27 and the firewall
> won't return the answer by the path to the internal IP (.152).
> Is there any way to correct this?
>
This is Shorewall FAQ #2.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Miguel Santos wrote:
> Hi again,
>
> I have followed the instructions on the FAQ but I'm getting an error when I try
> the new configuration:
> On the line "masqueraded networks and hosts" I keep getting: invalid
> comma-separated list "10.0.0.5 tcp www"
>
> On the masq file I have added the following line:
> eth0:10.0.0.152 eth0 10.0.0.5 tcp www
>
> What might be wrong?
>
What version of Shorewall are you running?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
shorewall version 2.0.1

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, 7 March 2005 16:01
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] DNS Name problem with mail server on LAN

Miguel Santos wrote:
> Hi again,
>
> I have followed the instructions on the FAQ but I'm getting an error when
> I try the new configuration:
> On the line "masqueraded networks and hosts" I keep getting: invalid
> comma-separated list "10.0.0.5 tcp www"
>
> On the masq file I have added the following line:
> eth0:10.0.0.152 eth0 10.0.0.5 tcp www
>
> What might be wrong?
>
What version of Shorewall are you running?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Miguel Santos wrote:
> shorewall version
> 2.0.1
>
The feature that you are trying to use was introduced in Shorewall 2.0.2. Either refer to the Shorewall 1.4 FAQ for instructions or upgrade your version of Shorewall.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Miguel Santos wrote:
>
>> shorewall version
>> 2.0.1
>>
>
> The feature that you are trying to use was introduced in Shorewall
> 2.0.2. Either refer to the Shorewall 1.4 FAQ for instructions or upgrade
> your version of Shorewall.
>
I've updated the FAQ #2 answer to refer users running Shorewall 2.0.0 and 2.0.1 to the 1.4 FAQ for instructions.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Miguel Santos wrote:
> Hi,
>
> I have a big "name problem" with my internal mail server (10.0.0.152).
> It is "seen" on the internet through DNAT (213.58.230.27). Also there is a
> MX record pointing to the machine. Everything works fine from the outside.
> However I can't set the mail clients on the LAN pointing to the MX record,
> because this one points to 213.58.230.27 and the firewall won't return the
> answer by the path to the internal IP (.152).
> Is there any way to correct this?
>
> Regards,
> MSantos
>
I use "views" in my name server. Example:

    view "internal" {
        // these are the clients that see this view;
        match-clients { 127.0.0.0/24; 192.168.1.0/24; };
        // if this server can't complete the request it should use outside;
        recursion yes;
        zone "." in {
            type hint;
            file "int/root.cache";
        };
        zone "loudas.com" in {
            type master;
            notify no;
            // dhcpServer is an acl defined elsewhere in named.conf
            allow-update { dhcpServer; };
            file "int/db.loudas.com";
        };
    };

    view "external" {
        match-clients { any; };
        // if we can't answer the client, we tell the client so
        recursion no;
        zone "loudas.com" in {
            type master;
            notify yes;
            allow-update { none; };
            file "ext/db.loudas.com";
        };
    };

Now you need 2 configs for your domain: one in ext/db.domain.com, which points to your public IP addresses, and one in int/db.domain.com, which points to your private IP addresses.
Paul wrote:
>>
> I use "views" in my name server
>
Me too.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
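The two fixes the thread arrives at, modelled as an added example that is not Shorewall's or BIND's code: a LAN client connecting to the mail server by its public address fails without the FAQ #2 masq entry, because the server's reply reaches the client directly on the LAN and is never un-NATed; with the extra SNAT the reply comes back through the firewall, and with Paul's split-horizon views the firewall is not on the path at all. The addresses are the thread's; the client 10.0.0.41 is constructed and the packet model is deliberately simplified.

```python
# Added illustration (not Shorewall or BIND code) of the two fixes in this thread:
# the FAQ #2 masq/SNAT entry and Paul's split-horizon DNS views.
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.0.0.0/23")  # eth0 network from the `ip addr` output
FW_LAN_IP = "10.0.0.5"                     # firewall's eth0 address
PUBLIC_IP = "213.58.230.27"                # address the MX record points to
MAIL_SERVER = "10.0.0.152"                 # DNAT target on the LAN
CLIENT = "10.0.0.41"                       # a LAN mail client (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def on_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN


def resolve(client_ip: str, split_dns: bool) -> str:
    """Split-horizon answer: the internal view hands LAN clients 10.0.0.152."""
    return MAIL_SERVER if split_dns and on_lan(client_ip) else PUBLIC_IP


def trace(hairpin_snat: bool = False, split_dns: bool = False) -> list:
    """Return [client SYN, packet the server sees, reply the client sees]."""
    syn = Packet(CLIENT, resolve(CLIENT, split_dns))
    if syn.dst == PUBLIC_IP:
        # Firewall DNAT public:25 -> 10.0.0.152.  The FAQ #2 masq entry
        # additionally SNATs LAN-originated hits to the firewall's eth0 address.
        src = FW_LAN_IP if hairpin_snat and on_lan(syn.src) else syn.src
        to_server = Packet(src, MAIL_SERVER)
    else:
        to_server = syn  # plain LAN delivery; the firewall is not on the path
    reply = Packet(MAIL_SERVER, to_server.src)  # server answers the source it saw
    if reply.dst == FW_LAN_IP:
        # Reply returns through the firewall, which reverses both NAT mappings.
        reply = Packet(PUBLIC_IP, CLIENT)
    # Otherwise the reply goes straight to the client on the LAN and is never un-NATed.
    return [syn, to_server, reply]


def connection_succeeds(hairpin_snat: bool = False, split_dns: bool = False) -> bool:
    """The client accepts a SYN-ACK only from the address it connected to."""
    syn, _, reply = trace(hairpin_snat, split_dns)
    return reply.src == syn.dst and reply.dst == syn.src
```

With the SNAT entry the mail server sees every LAN client as 10.0.0.5 (compare trace(hairpin_snat=True)[1].src), so its logs lose the real client address; that is the usual reason to prefer the split-DNS approach.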