Hi all - I'm having some problems with port forwarding. I have a mail server behind my firewall that I would like to redirect all incoming smtp traffic to.

Config files follow at end of email. I've added what I thought was the correct entry into the rules file for this action.

When I try and telnet:25 in from an external host I simply get

Trying 203.213.121.78...

And that's it. Any thoughts? I've contacted my ISP and checked that they are not blocking the port. I can access the server on port 25 quite happily from within my network.

Can I provide other information here for you?

My other question was, I've noticed that my broadcast traffic is being dropped by shorewall on both subnets (ADSL modem -> FW & FW -> Internet) - will this have any impact on my network (2 linux servers + various flavours of windows clients)? Or should I enable this?

Thanks,
Doug

----------------------------------------
Config files

Interfaces

net eth1 detect dhcp,routefilter,tcpflags
loc eth0 detect tcpflags

Policy

loc net ACCEPT
#loc fw ACCEPT
fw loc ACCEPT
fw net ACCEPT
net all DROP info
all all REJECT info

Rules

ACCEPT fw net tcp 53
ACCEPT fw net udp 53
DNAT loc fw:192.168.1.2 tcp 80 - 203.213.121.78
# Mail server @ 10.0.0.4
DNAT net loc:10.0.0.4 tcp smtp
ACCEPT net fw tcp 23,www,ftp
ACCEPT loc fw tcp 22
ACCEPT loc fw tcp 23
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp
ACCEPT fw net icmp
AllowSMB loc fw
AllowSMB fw loc

--
Regards, Doug
-----------------------------------------------------------
You live and learn. At any rate, you live.
Doug:

> Hi all - I'm having some problems with port forwarding. I have a mail
> server behind my firewall that I would like to redirect all incoming
> smtp traffic to.
>
> Config files follow at end of email. I've added what I thought was the
> correct entry into the rules file for this action.
>
> When I try and telnet:25 in from an external host I simply get
> Trying 203.213.121.78...
>
> And that's it. Any thoughts?
> I've contacted my ISP and checked that
> they are not blocking the port. I can access the server on port 25
> quite happily from within my network.

Does your mailserver have a default gateway set to the internal ip of the firewall? Is the mailserver configured to allow connections from anywhere?

> Can I provide other information here for you?

Shorewall status would be nice. Have you tried watching the connection attempt with tcpdump?

> My other question was, I've noticed that my broadcast traffic is being
> dropped by shorewall on both subnets (ADSL modem -> FW & FW -> Internet) -
> will this have any impact on my network (2 linux servers + various
> flavours of windows clients)? Or should I enable this?

Shouldn't have any effect.

Might want to re-think having telnet open to the world...

Jerry
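The telnet remark above, checked mechanically: this is an added example, not part of the thread, that parses the rules posted in the first message and lists every TCP/UDP port they open to the `net` zone, flagging cleartext protocols. The `SERVICES` and `CLEARTEXT` tables and the function names are assumptions made for the illustration; columns are read in the Shorewall rules order ACTION SOURCE DEST PROTO DEST PORT(S).

```python
# Added example: list what a Shorewall rules file opens to the "net" zone.
# RULES is the rules section posted in the first message of this thread.
RULES = """\
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
DNAT loc fw:192.168.1.2 tcp 80 - 203.213.121.78
# Mail server @ 10.0.0.4
DNAT net loc:10.0.0.4 tcp smtp
ACCEPT net fw tcp 23,www,ftp
ACCEPT loc fw tcp 22
ACCEPT loc fw tcp 23
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp
ACCEPT fw net icmp
AllowSMB loc fw
AllowSMB fw loc
"""
# Assumed lookup tables for this illustration (a subset of /etc/services).
SERVICES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80}
CLEARTEXT = {21, 23}  # ftp and telnet send credentials unencrypted

def parse_rules(text):
    """Yield one dict per rule: ACTION SOURCE DEST PROTO DEST-PORT(S)."""
    for raw in text.splitlines():
        cols = raw.split("#", 1)[0].split()
        if not cols:
            continue  # blank line or comment
        action, source, dest, proto, ports = (cols + ["-"] * 5)[:5]
        zone, _, host = dest.partition(":")
        yield {"action": action, "source": source.split(":")[0],
               "target": host or zone, "proto": proto,
               "ports": [] if ports == "-" else ports.split(",")}

def internet_exposed(text):
    """Return (port, target, cleartext) for each TCP/UDP port opened to 'net'."""
    found = []
    for r in parse_rules(text):
        if (r["source"] != "net" or r["action"] not in ("ACCEPT", "DNAT")
                or r["proto"] not in ("tcp", "udp")):
            continue  # not an inbound TCP/UDP opening from the internet
        for p in r["ports"]:
            n = int(p) if p.isdigit() else SERVICES.get(p)  # None if unknown name
            found.append((n, r["target"], n in CLEARTEXT))
    return found

if __name__ == "__main__":
    for port, target, cleartext in internet_exposed(RULES):
        print(port, target, "CLEARTEXT, reachable from net" if cleartext else "")
```

On the posted rules it reports smtp forwarded to 10.0.0.4 and telnet, www and ftp accepted on the firewall itself, with telnet and ftp flagged as cleartext.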
Thanks Jerry, sorry for the slow reply - I shouldn't send emails before leaving for the weekend :)

> Does your mailserver have a default gateway set to the internal ip
> of the firewall? Is the mailserver configured to allow connections
> from anywhere?

This actually had me scratching my head for a bit - where do you set the gateway under linux? I have internet access from that box and a traceroute shows that it goes out through the gateway, but where is that set? Nothing in ifcfg-eth0 about it that I can see...

Regardless, it seems to be set correctly... and postfix is accepting incoming connections from anywhere.

> Shorewall status would be nice. Have you tried watching the connection
> attempt with tcpdump?

I've attached a shorewall status to this email... and I will attempt a tcpdump now, I just need to install it (and update my urpmi database in the process)

> Might want to re-think having telnet open to the world...

Yeah, I know - having some grief with sshd on that machine atm that I haven't had a chance to fix...

Well, I'm still nowhere - any other thoughts?

Thanks,
Doug
Ok - problem solved. I'm a dumbass basically.

Sometime in the distant past (e.g. pre-me) our router was set up to reject port 25 & 22 connections. Why I didn't check this a week ago I have no idea.

Well, 2 birds with one stone at least.

Thanks,

On 8/1/05, Doug Shanahan <doug.shanahan@gmail.com> wrote:
> Thanks Jerry, sorry for the slow reply - I shouldn't send emails
> before leaving for the weekend :)
>
> > Does your mailserver have a default gateway set to the internal ip
> > of the firewall? Is the mailserver configured to allow connections
> > from anywhere?
>
> This actually had me scratching my head for a bit - where do you set
> the gateway under linux? I have internet access from that box and a
> traceroute shows that it goes out through the gateway, but where is
> that set? Nothing in ifcfg-eth0 about it that I can see...
>
> Regardless, it seems to be set correctly... and postfix is accepting
> incoming connections from anywhere.
>
> > Shorewall status would be nice. Have you tried watching the connection
> > attempt with tcpdump?
>
> I've attached a shorewall status to this email... and I will attempt a
> tcpdump now, I just need to install it (and update my urpmi database
> in the process)
>
> > Might want to re-think having telnet open to the world...
>
> Yeah, I know - having some grief with sshd on that machine atm that
> I haven't had a chance to fix...
>
> Well, I'm still nowhere - any other thoughts?
>
> Thanks,
> Doug

--
Regards, Doug
-----------------------------------------------------------
You live and learn. At any rate, you live.