Hi to all, I'm a newbie to shorewall. I would like to seek assistance from you guys regarding the problem I'm currently encountering with my setup. Well, here it goes. I've set up a shorewall box with 4 interfaces, namely prod, loc, dmz, and ras. I have two machines in the DMZ segment, which are the mail server and my web server. The problem that I'm encountering is that my mail server cannot be seen in the internet but my web machine is accessible. My internal network can also access my mail server but not the outside network. I tried to change the address of the mail server to another valid address and tried to browse it via the IP address and it connected. But if I use the real address of our mail server it can't be accessed. I know that I have the correct DNAT config since I can browse my web server. We are not the ones handling our DNS; can this also be the problem? A reply would be greatly appreciated.

Warmest Regards,
Cesar
Cesar Esteban wrote:
> server. The problem that I'm encountering is that my mail server cannot be
> seen in the internet but my web machine is accessible. My internal network
> can also access my mail server but not the outside network.

Please give us some facts. Submit a proper problem report:
http://www.shorewall.net/support.html
On 11/12/05, Cristian Rodriguez <judas_iscariote@shorewall.net> wrote:
> Cesar Esteban wrote:
> > server. The problem that I'm encountering is that my mail server cannot be
> > seen in the internet but my web machine is accessible. My internal network
> > can also access my mail server but not the outside network.
>
> Please give us some facts.
>
> submit a proper problem report
>
> http://www.shorewall.net/support.html

Hi Cristian, sorry for the improper submission of the report; anyway, here are some of the details of my shorewall box. I have tried to research it in the mailing list archive but can't see any topic that was similar to mine. I also tried reading FAQ 2 but still to no avail. I have also tried to issue the command iptables -t nat -Z. I also inserted the output of shorewall show nat. Can't really figure out what to do next, need some advice. I can't seem to browse our webmail from the internet but locally we can. I have tried almost everything; I have tried to ping each segment and they are replying properly. Hope you guys can point me in the right direction.
Thanks in advance,
Cesar

[root@fwdmz root]# shorewall version
2.0.15

[root@fwdmz root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:11:d8:41:b6:18 brd ff:ff:ff:ff:ff:ff
    inet 192.9.200.251/24 brd 192.9.200.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0a:5e:4f:da:88 brd ff:ff:ff:ff:ff:ff
    inet 203.167.109.114/28 brd 203.167.109.127 scope global eth1
    inet 203.167.109.119/28 brd 203.167.109.127 scope global secondary eth1
    inet 203.167.109.118/28 brd 203.167.109.127 scope global secondary eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0a:5e:4f:dc:52 brd ff:ff:ff:ff:ff:ff
    inet 172.16.190.101/17 brd 172.16.255.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0a:5e:4f:dc:53 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.251/24 brd 192.168.1.255 scope global eth3
6: eth4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:da:8f:76:7d brd ff:ff:ff:ff:ff:ff
    inet 10.0.11.3/27 brd 10.0.11.31 scope global eth4

[root@fwdmz root]# ip route show
203.167.109.112/28 dev eth1  scope link
10.0.11.0/27 dev eth4  scope link
192.168.1.0/24 dev eth3  scope link
192.9.200.0/24 dev eth0  scope link
172.16.128.0/17 dev eth2  scope link
169.254.0.0/16 dev eth4  scope link
127.0.0.0/8 dev lo  scope link
default via 203.167.109.113 dev eth1

/etc/shorewall/rules
####################################################################################################
#ACTION     SOURCE                                        DEST                  PROTO  DEST        SOURCE                ORIGINAL         RATE   USER/
#                                                                                      PORT        PORT(S)               DEST             LIMIT  GROUP
ACCEPT      loc:172.16.128.2                              $FW                   all
ACCEPT      $FW                                           net                   all
ACCEPT      dmz:192.168.1.1,192.168.1.3,192.168.1.4       prod:192.9.200.4      tcp    1529
ACCEPT      dmz:192.168.1.1,192.168.1.3,192.168.1.4       prod:192.9.200.100    tcp    microsoft-ds,ms-sql-s
ACCEPT      dmz:192.168.1.1,192.168.1.3,192.168.1.4       prod:192.9.200.100    udp    ms-sql-m
ACCEPT      dmz:192.168.1.1,192.168.1.250                 net                   all
ACCEPT      dmz:192.168.1.250,192.168.1.249               loc                   tcp    -           smtp,pop3,http,https
ACCEPT      dmz:192.168.1.250                             ras                   tcp    -           smtp,pop3,http,https
ACCEPT      dmz:192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4   loc           tcp    -           http,https
ACCEPT      dmz:192.168.1.1,192.168.1.2,192.168.1.3,192.168.1.4   ras           tcp    -           http,https
DNAT:info   net                                           dmz:192.168.1.250     tcp    -           -                     203.167.109.118
DNAT        net                                           dmz:192.168.1.1       tcp    http        -                     203.167.109.119
DNAT        net                                           dmz:192.168.1.2       tcp    http        -                     203.167.109.120
DNAT        net                                           dmz:192.168.1.3       tcp    http,https  -                     203.167.109.121
DNAT        net                                           dmz:192.168.1.4       tcp    http,https
ACCEPT      loc                                           $FW:172.16.190.101    tcp    squid
ACCEPT      ras                                           $FW:10.0.11.3         tcp    squid
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/policy
$FW     prod    REJECT  info
$FW     loc     REJECT  info
$FW     dmz     REJECT  info
$FW     ras     REJECT  info
$FW     net     REJECT  info
prod    $FW     REJECT  info
prod    loc     REJECT  info
prod    dmz     REJECT  info
prod    ras     REJECT  info
prod    net     REJECT  info
loc     $FW     REJECT  info
loc     prod    REJECT  info
loc     dmz     REJECT  info
loc     ras     REJECT  info
loc     net     REJECT  info
dmz     $FW     REJECT  info
dmz     prod    REJECT  info
dmz     loc     REJECT  info
dmz     ras     REJECT  info
dmz     net     REJECT  info
ras     $FW     REJECT  info
ras     prod    REJECT  info
ras     loc     REJECT  info
ras     dmz     REJECT  info
ras     net     REJECT  info
net     $FW     REJECT  info
net     prod    REJECT  info
net     loc     REJECT  info
net     dmz     REJECT  info
net     ras     REJECT  info
#LAST LINE -- DO NOT REMOVE

# shorewall show nat
Chain net_dnat (1 references)
 pkts bytes target  prot opt in  out  source     destination
    0     0 LOG     tcp  --  *   *    0.0.0.0/0  203.167.109.118  LOG flags 0 level 6 prefix `Shorewall:net_dnat:DNAT:'
    0     0 DNAT    tcp  --  *   *    0.0.0.0/0  203.167.109.118  to:192.168.1.250
    0     0 DNAT    tcp  --  *   *    0.0.0.0/0  203.167.109.119  tcp dpt:80 to:192.168.1.1
    0     0 DNAT    tcp  --  *   *    0.0.0.0/0  203.167.109.120  tcp dpt:80 to:192.168.1.2
    0     0 DNAT    tcp  --  *   *    0.0.0.0/0  203.167.109.121  multiport dports 80,443 to:192.168.1.3
    0     0 DNAT    tcp  --  *   *    0.0.0.0/0  0.0.0.0/0        multiport dports 80,443 to:192.168.1.4
<snip>
> DNAT:info net dmz:192.168.1.250 tcp - - 203.167.109.118

You need to use a port number if you state tcp or udp.

DNAT:info net dmz:192.168.1.250 tcp - - 203.167.109.118

try

DNAT:info net dmz:192.168.1.250 tcp 25 - 203.167.109.118

Jerry
On Fri, 2005-11-11 at 15:58 -0600, Jerry Vonau wrote:
> <snip>
> > DNAT:info net dmz:192.168.1.250 tcp - - 203.167.109.118
>
> You need to use a port number if you state tcp or udp.
>
> DNAT:info net dmz:192.168.1.250 tcp - - 203.167.109.118
>
> try
> DNAT:info net dmz:192.168.1.250 tcp 25 - 203.167.109.118

Also, given that there is logging on the rule -- when you try to connect do you see any log message? If not, then connection requests aren't even reaching your firewall.

-Tom

Note that we have to GUESS that the NAT entry that Jerry has quoted is the one we should be looking at but it seems like the only one that could apply to SMTP.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Friday 11 November 2005 14:05, Tom Eastep wrote:

Actually, the DNAT rule is working fine!

[root@lists ~]# telnet 203.167.109.118 25
Trying 203.167.109.118...
Connected to 203-167-109-118.PH.eastern-tele.com (203.167.109.118).
Escape character is '^]'.
220 cocolife.com ESMTP
^]
telnet> quit
Connection closed.
[root@lists ~]#

So now I am very confused about what problem you are trying to report.

Also:

[root@lists ~]# telnet mail.cocolife.com 25
Trying 203.167.109.118...
Connected to mail.cocolife.com (203.167.109.118).
Escape character is '^]'.
220 cocolife.com ESMTP
^]
telnet> quit
Connection closed.
[root@lists ~]#

So your mail server is working perfectly from the Internet.

-Tom
Hi Jerry,

I also tried to specify the correct ports like port 25, 80 and 443 and still it did not work; that's why I tried to specify just the protocol, hoping to get some logs on what was happening. I did run into some error and it pertains to smtp but not to http; that's why I feel lost, since this is the only connection that was failing.

The error was:

SHOREWALL:FORWARD:DROP:IN=eth1 OUT=eth1 SRC=221.251.195 DST=203.167.109.118 PROTO=tcp SPT=2702 DPT=25

On 11/12/05, Jerry Vonau <jvonau@shaw.ca> wrote:
> <snip>
> > DNAT:info net dmz:192.168.1.250 tcp - - 203.167.109.118
>
> You need to use a port number if you state tcp or udp.
>
> DNAT:info net dmz:192.168.1.250 tcp - - 203.167.109.118
>
> try
> DNAT:info net dmz:192.168.1.250 tcp 25 - 203.167.109.118
>
> Jerry
Hi Tom,

It did log some DROP messages, but they only pertained to smtp and not http. The error was:

SHOREWALL:FORWARD:DROP:IN=eth1 OUT=eth1 SRC=221.251.195 DST=203.167.109.118 PROTO=tcp SPT=2702 DPT=25

And you're right, it was 203.167.109.118 that was having the problem.

Cesar

On 11/12/05, Tom Eastep <teastep@shorewall.net> wrote:
> On Fri, 2005-11-11 at 15:58 -0600, Jerry Vonau wrote:
> > <snip>
> > > DNAT:info net dmz:192.168.1.250 tcp - - 203.167.109.118
> >
> > You need to use a port number if you state tcp or udp.
> >
> > DNAT:info net dmz:192.168.1.250 tcp - - 203.167.109.118
> >
> > try
> > DNAT:info net dmz:192.168.1.250 tcp 25 - 203.167.109.118
>
> Also, given that there is logging on the rule -- when you try to connect
> do you see any log message? If not, then connection requests aren't even
> reaching your firewall.
>
> -Tom
>
> Note that we have to GUESS that the NAT entry that Jerry has quoted is
> the one we should be looking at but it seems like the only one that
> could apply to SMTP.
>
> -Tom
On Sat, 2005-11-12 at 06:17 +0800, Cesar Esteban wrote:
> Hi Jerry,
>
> I also tried to specify the correct ports like port 25, 80 and 443 and
> still it did not work
> that's why I tried to just specify just the protocol hoping to just get
> some logs on what
> was happening. I did run on some error and it pertains to smtp but not
> with http, that's
> I feel lost since this is the only connection that was failing.
>
> The error was SHOREWALL:FORWARD:DROP:IN=eth1 OUT=eth1 SRC=221.251.195
                                       ----------------
> DST=203.167.109.118 PROTO=tcp SPT=2702 DPT=25

Your firewall was trying to route the request to 203.167.109.118 back out eth1 -- it didn't recognize it as one of its own IP addresses. You had a very fundamental problem when that message was generated.

-Tom
Sorry Tom, I forgot to mention that I just switched back to our old firewall, which was Checkpoint, while I was isolating the shorewall box, since I was not receiving any mails. My apologies.

On 11/12/05, Tom Eastep <teastep@shorewall.net> wrote:
> On Friday 11 November 2005 14:05, Tom Eastep wrote:
>
> Actually, the DNAT rule is working fine!
>
> [root@lists ~]# telnet 203.167.109.118 25
> Trying 203.167.109.118...
> Connected to 203-167-109-118.PH.eastern-tele.com (203.167.109.118).
> Escape character is '^]'.
> 220 cocolife.com ESMTP
> ^]
> telnet> quit
> Connection closed.
> [root@lists ~]#
>
> So now I am very confused about what problem you are trying to report.
>
> Also:
>
> [root@lists ~]# telnet mail.cocolife.com 25
> Trying 203.167.109.118...
> Connected to mail.cocolife.com (203.167.109.118).
> Escape character is '^]'.
> 220 cocolife.com ESMTP
> ^]
> telnet> quit
> Connection closed.
> [root@lists ~]#
>
> So your mail server is working perfectly from the Internet.
>
> -Tom
On 11/12/05, Tom Eastep <teastep@shorewall.net> wrote:
> On Sat, 2005-11-12 at 06:17 +0800, Cesar Esteban wrote:
> >
> > Hi Jerry,
> >
> > I also tried to specify the correct ports like port 25, 80 and 443 and
> > still it did not work
> > that's why I tried to just specify just the protocol hoping to just get
> > some logs on what
> > was happening. I did run on some error and it pertains to smtp but not
> > with http, that's
> > I feel lost since this is the only connection that was failing.
> >
> > The error was SHOREWALL:FORWARD:DROP:IN=eth1 OUT=eth1 SRC=221.251.195
>                                        ----------------
> > DST=203.167.109.118 PROTO=tcp SPT=2702 DPT=25
>
> Your firewall was trying to route the request to 203.167.109.118 back
> out eth1 -- it didn't recognize it as one of its own IP addresses. You
> had a very fundamental problem when that message was generated.
>
> -Tom

What do you mean by fundamental problem? I tried putting the routeback option on eth1, which was the 203.167.109.118 segment, but it did not work. Did I put the right routeback on the right Ethernet?
On Friday 11 November 2005 14:35, Cesar Esteban wrote:
> What do you mean by fundamental problem? I tried putting the routeback
> option on eth1 which was the 203.167.109.118 segment but it did not work.
> Did I put the right routeback on the right Ethernet?

I have no idea now what you are doing. You still haven't sent us the correct debugging information and until you do, I'm not wasting any more of my time on your problem.

From the Support Guide:

If Shorewall is starting successfully and your problem is that some set of connections to/from or through your firewall isn't working (examples: local systems can't access the internet, you can't send email through the firewall, you can't surf the web from the firewall, etc.) then please perform the following four steps:

1. If Shorewall isn't started then /sbin/shorewall start. Otherwise /sbin/shorewall reset.
2. Try making the connection that is failing (Translation -- try to connect to your mail server from the internet).
3. /sbin/shorewall status > /tmp/status.txt
4. Post the /tmp/status.txt file as an attachment (you may compress it if you like using bzip2 or gzip).
5. Describe where you are trying to make the connection from (IP address) and what host (IP address) you are trying to connect to.
6. Please do not edit the diagnostic information in an attempt to conceal your IP address, netmask, nameserver addresses, domain name, etc. These aren't secrets, and concealing them often misleads us and may prevent your problem from being looked at altogether.

-Tom
On Friday 11 November 2005 14:46, Tom Eastep wrote:
> On Friday 11 November 2005 14:35, Cesar Esteban wrote:
> > What do you mean by fundamental problem? I tried putting the routeback
> > option on eth1 which was the 203.167.109.118 segment but it did not work.
> > Did I put the right routeback on the right Ethernet?
>
> I have no idea now what you are doing. You still haven't sent us the
> correct debugging information and until you do, I'm not wasting any more of
> my time on your problem.

Let me try to explain my confusion:

a) You are using DNAT to forward SMTP traffic from the internet to your DMZ.

b) You are reporting that this isn't working.

c) You mention FAQ 2 which has nothing to do with this configuration.

d) You further talk about the 'routeback' option which, while mentioned in FAQ 2, doesn't have any bearing on your problem either (or at least on your problem as I understand it).

e) Both FAQ 2 and the 'routeback' option would be relevant if you were complaining that the SMTP server and Web server in your DMZ couldn't communicate using their public IP addresses. But that isn't what you are reporting.

f) The log message you posted shows SMTP traffic entering your firewall on eth1 and being routed back out eth1. From earlier information you posted, we assume that eth1 is your external (net) interface. Also from this earlier information, we find that the destination IP address (203.167.109.118) is configured on eth1!

The above set of facts is completely inconsistent, which leads me to conclude that we are not getting a coherent picture of your problem or of your configuration. That is why I've asked you to follow the six steps that I posted earlier.

-Tom
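The two diagnostic checks Tom applies in this thread can be mechanised: a logged hit on the `Shorewall:net_dnat:DNAT:` rule proves the connection request reached the firewall at all (his question to Cesar earlier in the thread), and a FORWARD DROP whose IN and OUT interface are the same while DST is one of the firewall's own addresses means the box did not treat that address as local and tried to route it back out the way it came (his reading of the posted log line). The script below is an added example written for this page; it is not code from the thread or from the Shorewall project. It takes the interface addresses from the posted `ip addr show` output, assumes the Shorewall 2.x log prefix format `Shorewall:<chain>:<disposition>:` seen in the `shorewall show nat` output above, and runs over a few constructed log lines that are not real captures.

```python
"""Triage Shorewall log lines against the firewall's own addresses.

Added example, not code from the thread or from the Shorewall project.
It encodes the two checks the developers applied above: a logged hit on
the DNAT rule proves the connection request reached the firewall at all,
and a FORWARD DROP whose IN and OUT interface are identical while DST is
one of the firewall's own addresses means the box did not treat that
address as local and tried to route it back out the way it came.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface

# Interface addresses taken from the `ip addr show` output posted above.
LOCAL_ADDRS = {
    "eth0": ["192.9.200.251/24"],
    "eth1": ["203.167.109.114/28", "203.167.109.119/28", "203.167.109.118/28"],
    "eth2": ["172.16.190.101/17"],
    "eth3": ["192.168.1.251/24"],
    "eth4": ["10.0.11.3/27"],
}

# Shorewall 2.x log prefix "Shorewall:<chain>:<disposition>:"; case varies
# between the kernel and what people retype, so match case-insensitively.
PREFIX_RE = re.compile(r"Shorewall:([^:\s]+):([^:\s]+):", re.IGNORECASE)
# netfilter KEY=value fields; the value may be empty (e.g. "OUT=").
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

REACHED_FIREWALL = "DNAT rule hit: the request reached the firewall"
OWN_ADDRESS_ROUTED_BACK = ("FORWARD drop with IN == OUT for a local address: "
                           "the firewall did not treat DST as its own")


@dataclass
class LogEntry:
    chain: str
    disposition: str
    fields: dict = field(default_factory=dict)


def parse_log(line):
    """Return a LogEntry for a Shorewall log line, None for anything else."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    return LogEntry(m.group(1), m.group(2).upper(), dict(FIELD_RE.findall(line)))


def is_local(addr, local=LOCAL_ADDRS):
    """True if addr is configured on any interface of the firewall."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip == ip_interface(p).ip
               for prefixes in local.values() for p in prefixes)


def triage(line, local=LOCAL_ADDRS):
    """Classify one log line; None if it is not a Shorewall log line."""
    entry = parse_log(line)
    if entry is None:
        return None
    f = entry.fields
    if entry.disposition == "DNAT":
        return REACHED_FIREWALL
    if (entry.chain.upper() == "FORWARD" and f.get("IN")
            and f.get("IN") == f.get("OUT") and is_local(f.get("DST", ""), local)):
        return OWN_ADDRESS_ROUTED_BACK
    return f"{entry.disposition} in {entry.chain}"


def summarize(lines, local=LOCAL_ADDRS):
    """Count verdicts; no DNAT hit at all means requests never arrived."""
    counts = {"dnat_hits": 0, "own_address_routed_back": 0, "other": 0}
    for line in lines:
        verdict = triage(line, local)
        if verdict is None:
            continue
        if verdict == REACHED_FIREWALL:
            counts["dnat_hits"] += 1
        elif verdict == OWN_ADDRESS_ROUTED_BACK:
            counts["own_address_routed_back"] += 1
        else:
            counts["other"] += 1
    counts["requests_reaching_firewall"] = counts["dnat_hits"] > 0
    return counts


# Constructed sample lines, not real captures: DST addresses come from the
# thread, the remote SRC addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "Nov 11 22:05:01 fwdmz kernel: Shorewall:net_dnat:DNAT:IN=eth1 OUT= "
    "MAC=00:0a:5e:4f:da:88:00:00:5e:00:53:01:08:00 SRC=203.0.113.7 "
    "DST=203.167.109.118 LEN=60 PROTO=TCP SPT=41234 DPT=25",
    "Nov 11 22:05:01 fwdmz kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1 "
    "SRC=203.0.113.7 DST=203.167.109.118 PROTO=TCP SPT=2702 DPT=25",
    "Nov 11 22:05:02 fwdmz kernel: Shorewall:net2all:REJECT:IN=eth1 OUT= "
    "SRC=198.51.100.9 DST=203.167.109.114 PROTO=TCP SPT=50000 DPT=22",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(triage(line))
    print(summarize(SAMPLE_LOG))
```

Run against a real `shorewall status` or syslog capture, `summarize` answers Tom's first question (did any request hit the DNAT rule at all?) before anyone looks at the DNAT rule itself, and `triage` flags the IN == OUT case for a locally configured address, which should never occur on a correctly addressed box and is worth an alert rather than a rules-file edit.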