Shorewall users - Jul 2007 - multi-ISP and SMTP connection problems

Hi,

I''m having strange problems with smtp port 25 and it''s
not always reproducible.

In the steps below, the shorewall gateway is in
"multi-ISP mode" and 85.48.225.159, 85.48.225.241
belong to the same ADSL provider while 213.96.91.201
belongs to another ISP.

Basically, what I''m trying to do is access a DNAT''ed
email server from a remote host. Doing it through one
public IP works; all other fail.

Also note that this only happens with port 25. All
other protocols work fine (HTTP, HTTPS, RDP, SSH,
ICMP, etc.) over any public IP of both providers (2
provider companies, 3 ADSL lines).

At first I thought it could be that one provider is
blocking incoming SMTP (as outgoing SMTP always works)
but then I found that the other provider
(corresponding to 85.48.225.159) also "fails".

[ on shorewall gateway ]
# shorewall reset
Shorewall Counters Reset

[ on remote host 80.35.100.39 ]
# telnet 213.96.91.201 25
Trying 213.96.91.201...
telnet: Unable to connect to remote host: No route to
host
# telnet 85.48.225.241 25
Trying 85.48.225.241...
Connected to 85.48.225.241.
Escape character is ''^]''.
[ ... ]
# telnet 85.48.225.159 25
Trying 85.48.225.159...

[ endless wait so I press CTRL + C ]

[ on shorewall gateway ]
# shorewall dump > status.txt
# bzip2 status.txt

I''d appreciate it if you could take a look at the dump
which is available at

http://80.35.100.39/shorewall/

As far as reproducibility is concerned, I noted that
*most* of the time it''s just as above. However, I did
notice that occasionally both 
telnet 85.48.225.159 25
and
telnet 213.96.91.201 25
*do* connect.

Any ideas as to what I could try to understand what is
happening?



 
____________________________________________________________________________________
Bored stiff? Loosen up... 
Download and play hundreds of games for free on Yahoo! Games.
http://games.yahoo.com/games/front

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Vieri Di Paola wrote:
> 
> Any ideas as to what I could try to understand what is
> happening?
> 
Start by upgrading to Shorewall 3.4.4 -- 3.4.2 is broken with respect to
marking and ''track''.

FWIW, I can repeatedly connect to all three addresses from here so I suspect
that you are stumbling over one of your marking rules that is redirecting
replies to the address you are testing from.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/