Hello!

I want to use exim4 on a desktop machine behind a firewall. Now I can't use exim4 because exim4 doesn't answer to helo-ehlo. If I do a test from the internet, then I can see that the port 25 is closed. I get the message: 'the port No route to host'

I must open port 25 on the firewall, or not?
I tried to open the port on the firewall like this:

The zones are:
fw    firewall
pptp  ipv4
net   ipv4    mode=tunnel
loc   ipv4

The interfaces are:
pptp  eth0  detect  dhcp
net   ppp0  detect  routefilter,tcpflags
loc   eth1  detect  dhcp

The masq is:
ppp0  eth1

The tunnels is:
pptpclient  net  192.168.16.1

The policies are:
loc   all  ACCEPT
fw    all  ACCEPT
net   all  DROP    info
pptp  all  ACCEPT  info
all   all  REJECT  info

The rules are:
SECTION NEW
ACCEPT      pptp  fw                              icmp
DNAT        net   loc:192.168.1.100               tcp  80
DNAT:debug  net   loc:192.168.1.10-192.168.1.98   tcp  smtp
DROP        net   fw                              udp  1026:1029

but this is not a solution: the port 25 is still closed, with the above mentioned message.
I read the documentation but can't figure out the solution.

What is the solution for this situation?
Any advice will be appreciated!

--
Regards,
Paul

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
On Thu, Aug 02, 2007 at 11:24:16AM +0200, Pál Csányi wrote:
> DNAT:debug net loc:192.168.1.10-192.168.1.98 tcp smtp
> What is the solution for this situation?
>
> Any advice will be appreciated!

Lay off the crack. I can't imagine what you expected that to accomplish.
2007/8/2, Andrew Suffield <asuffield@suffields.me.uk>:
> On Thu, Aug 02, 2007 at 11:24:16AM +0200, Pál Csányi wrote:
> > DNAT:debug net loc:192.168.1.10-192.168.1.98 tcp smtp
>
> Lay off the crack. I can't imagine what you expected that to
> accomplish.

OK
Now the rules are:
SECTION NEW
ACCEPT  pptp  fw                  icmp
ACCEPT  fw    net                 tcp  smtp
DNAT    net   loc:192.168.1.100   tcp  80
DROP    net   fw                  udp  1026:1029

The port 25 is still closed from the internet. :(

Any advice?

--
Regards,
Paul
On Thu, Aug 02, 2007 at 11:55:23AM +0200, Pál Csányi wrote:
> SECTION NEW
> ACCEPT pptp fw icmp
> ACCEPT fw net tcp smtp
> DNAT net loc:192.168.1.100 tcp 80
> DROP net fw udp 1026:1029
>
> The port 25 is still closed from the internet. :(
>
> Any advice?

Permitting the firewall to make smtp connections to the internet is almost as unlikely to work as randomly sending inbound connections to any arbitrary local address.
2007/8/2, Andrew Suffield <asuffield@suffields.me.uk>:
> On Thu, Aug 02, 2007 at 11:55:23AM +0200, Pál Csányi wrote:
> > SECTION NEW
> > ACCEPT pptp fw icmp
> > ACCEPT fw net tcp smtp
> > DNAT net loc:192.168.1.100 tcp 80
> > DROP net fw udp 1026:1029
> >
> > The port 25 is still closed from the internet. :(

SECTION NEW
ACCEPT  pptp  fw                  icmp
ACCEPT  net   fw                  tcp  smtp
DNAT    net   loc:192.168.1.100   tcp  80
DROP    net   fw                  udp  1026:1029

The port 25 is still closed from the internet. Hmm..

--
Regards,
Paul
2007/8/2, Pál Csányi <csanyipal@gmail.com>:
> 2007/8/2, Andrew Suffield <asuffield@suffields.me.uk>:
> > On Thu, Aug 02, 2007 at 11:55:23AM +0200, Pál Csányi wrote:
> > > SECTION NEW
> > > ACCEPT pptp fw icmp
> > > ACCEPT fw net tcp smtp
> > > DNAT net loc:192.168.1.100 tcp 80
> > > DROP net fw udp 1026:1029
> > >
> > > The port 25 is still closed from the internet. :(
>
> SECTION NEW
> ACCEPT pptp fw icmp
> ACCEPT net fw tcp smtp
> DNAT net loc:192.168.1.100 tcp 80
> DROP net fw udp 1026:1029
>
> The port 25 is still closed from the internet. Hmm..

My mistake, sorry!

The port 25 answers back, but is closed.

Maybe just my exim4 config is wrong?

--
Regards,
Paul
2007/8/2, Pál Csányi <csanyipal@gmail.com>:
> 2007/8/2, Pál Csányi <csanyipal@gmail.com>:
> > 2007/8/2, Andrew Suffield <asuffield@suffields.me.uk>:
> > > On Thu, Aug 02, 2007 at 11:55:23AM +0200, Pál Csányi wrote:
> > > > SECTION NEW
> > > > ACCEPT pptp fw icmp
> > > > ACCEPT fw net tcp smtp
> > > > DNAT net loc:192.168.1.100 tcp 80
> > > > DROP net fw udp 1026:1029
> > > >
> > > > The port 25 is still closed from the internet. :(
> >
> > SECTION NEW
> > ACCEPT pptp fw icmp
> > ACCEPT net fw tcp smtp
> > DNAT net loc:192.168.1.100 tcp 80
> > DROP net fw udp 1026:1029
> >
> > The port 25 is still closed from the internet. Hmm..
>
> My mistake, sorry!
>
> The port 25 answers back, but is closed.
>
> Maybe just my exim4 config is wrong?

I checked it out and I think the exim4 configuration is OK.
But I checked out shorewall too, with shorewall clear!
If I do shorewall clear on the firewall, then I can't connect to the internet either from the box that is behind my firewall, or from the firewall! Can't ping www.google.com from anywhere.
But if I do shorewall start, then I can ping www.google.com, and everything is fine, except the opened port 25 that doesn't answer to internet requests.
What does this indicate?

--
Regards,
Paul
Pál Csányi wrote:
> 2007/8/2, Andrew Suffield <asuffield@suffields.me.uk>:
>> On Thu, Aug 02, 2007 at 11:24:16AM +0200, Pál Csányi wrote:
>>> DNAT:debug net loc:192.168.1.10-192.168.1.98 tcp smtp
>> Lay off the crack. I can't imagine what you expected that to
>> accomplish.
>
> OK
> Now the rules are:
> SECTION NEW
> ACCEPT pptp fw icmp
> ACCEPT fw net tcp smtp
> DNAT net loc:192.168.1.100 tcp 80

Didn't you want port 25 there rather than 80?

> DROP net fw udp 1026:1029
>
> The port 25 is still closed from the internet. :(
>
> Any advice?
>

If you have further problems, please see the DNAT debugging tips in Shorewall FAQs 1a and 1b.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
---------- Forwarded message ----------
From: Pál Csányi <csanyipal@gmail.com>
Date: 2007.08.02. 17:52
Subject: Re: [Shorewall-users] exim4 behind a firewall
To: Tom Eastep <teastep@shorewall.net>

2007/8/2, Tom Eastep <teastep@shorewall.net>:
> Pál Csányi wrote:
> > DNAT net loc:192.168.1.100 tcp 80
>
> Didn't you want port 25 there rather than 80?

No, this is for my web server, and this works fine, the port is open, and answers the requests. Try http://csanyi-pal.info
It's in Hungarian yet.

> > The port 25 is still closed from the internet. :(
> >
> > Any advice?
> >
>
> If you have further problems, please see the DNAT debugging tips in
> Shorewall FAQs 1a and 1b.

rules:
DNAT  net  loc:192.168.1.10-192.168.1.98:25  tcp  25  -  212.200.112.79

I tried now with masq:
ppp0  eth1  212.200.112.79

No success.

I read Shorewall FAQ 1a.
-----------------------------------------
- I'm trying to test from inside my firewall:
http://wigwam.sztaki.hu/varazslatok/port_teszt.shtml
It's in Hungarian. You must click on the button:
WIGWAM - gyors tűzfalteszt

that is in English: fast firewall test

This site scans your ports and finds out whether the port is open and answers the queries.

- on my desktop behind the firewall:
ifconfig
eth1      Link encap:Ethernet  HWaddr **:**:**:**:**:**
          inet addr:192.168.1.98  Bcast:192.168.1.255  Mask:255.255.255.0
eth1 gets its IP address with dhcp-client from the firewall.

route -n
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1

- I asked my ISP to open the ports 80 & 25 for me, and he opened these ports for me.

- I'm running Debian GNU/Linux Etch

I read Shorewall FAQ 1b.
-----------------------------------------
iptables -t nat -Z
With: http://wigwam.sztaki.hu/varazslatok/tamadas.shtml
I attack my own port 25:
Szimulált támadás szabadon választott porton:
PORT: 25  TÁMADJ MEG!

This is a simulated attack on my port 25.

sudo shorewall show nat
...................................
Shorewall-3.2.6 NAT Table at debian-tuzfal - 2007. aug. 2., csütörtök, 17.38.52 CEST

Counters reset 2007. aug. 2., csütörtök, 16.58.56 CEST

Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            212.200.112.79      tcp dpt:25 to:192.168.1.10-192.168.1.98:25
..................................

The packet count is zero:
- my ISP doesn't block the port 25 for me.
- my firewall has 3 interfaces:
  eth0 (to the internet)
  eth1 (to the subnet)
  ppp0 (pptp-linux for VPN tunnel to my ISP)
  Because I must use pptp-linux to connect to my ISP, for that I use the ppp0 interface. The simulated attack can use only the ppp0 interface to connect to port 25.
- My DNAT rule doesn't match the connection request in some other way.

How can I use tcpdump to further diagnose the problem?

--
Regards,
Paul
Pál Csányi wrote:
> ---------- Forwarded message ----------
> From: Pál Csányi <csanyipal@gmail.com>
> Date: 2007.08.02. 17:52
> Subject: Re: [Shorewall-users] exim4 behind a firewall
> To: Tom Eastep <teastep@shorewall.net>
>
>
> 2007/8/2, Tom Eastep <teastep@shorewall.net>:
>> Pál Csányi wrote:
>
>>> DNAT net loc:192.168.1.100 tcp 80
>> Didn't you want port 25 there rather than 80?
>
> No, this is for my web server, and this works fine, the port is open, and
> answers the requests. Try http://csanyi-pal.info

The reason that I asked is that the post that I was replying to had NO DNAT rule for smtp.

> It's in Hungarian yet.
>
>>> The port 25 is still closed from the internet. :(
>>>
> rules:
> DNAT net loc:192.168.1.10-192.168.1.98:25 tcp 25 -
> 212.200.112.79

Why are you specifying a range of IP addresses? Are you running 89 smtp servers? You should only be specifying the IP address of the system where exim is running (192.168.1.98).

>
> I tried now with masq:
> ppp0 eth1 212.200.112.79
>
> No success.

If you want us to comment on that entry, we need to see the entire configuration. Please follow the instructions at http://www.shorewall.net/support.htm#Guidelines.

>
> I read Shorewall FAQ 1a.
> -----------------------------------------
> - I'm trying to test from inside my firewall:
> http://wigwam.sztaki.hu/varazslatok/port_teszt.shtml
> It's in Hungarian. You must click on the button:
> WIGWAM - gyors tűzfalteszt
>
> that is in English: fast firewall test
>
> This site scans your ports and finds out whether the port is open and
> answers the queries.
>
> - on my desktop behind the firewall:
> ifconfig
> eth1      Link encap:Ethernet  HWaddr **:**:**:**:**:**
>           inet addr:192.168.1.98  Bcast:192.168.1.255  Mask:255.255.255.0
> eth1 gets its IP address with dhcp-client from the firewall.
> route -n
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
>
> - I asked my ISP to open the ports 80 & 25 for me, and he opened these
> ports for me.
>
> - I'm running Debian GNU/Linux Etch
>
> I read Shorewall FAQ 1b.
> -----------------------------------------
> iptables -t nat -Z
> With: http://wigwam.sztaki.hu/varazslatok/tamadas.shtml
> I attack my own port 25:
> Szimulált támadás szabadon választott porton:
> PORT: 25  TÁMADJ MEG!
>
> This is a simulated attack on my port 25.
>
> sudo shorewall show nat
> ...................................
> Shorewall-3.2.6 NAT Table at debian-tuzfal - 2007. aug. 2.,
> csütörtök, 17.38.52 CEST
>
> Counters reset 2007. aug. 2., csütörtök, 16.58.56 CEST
>
> Chain net_dnat (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 DNAT       tcp  --  *      *       0.0.0.0/0            212.200.112.79      tcp dpt:25 to:192.168.1.10-192.168.1.98:25
> ..................................
> Because I must use pptp-linux to connect to my ISP, for that I use the
> ppp0 interface. The simulated attack can use only the ppp0 interface
> to connect to port 25.
> - My DNAT rule doesn't match the connection request in some other way.

We are still not seeing enough here to tell what is going on (other than your DNAT rule is clearly wrong).

> How can I use tcpdump to further diagnose the problem?

tcpdump -ni ppp0 port 25

Then try to connect to port 25 from the net.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
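The two rule mistakes criticised in this thread (Andrew's objection to ACCEPT rules that point the wrong way, and Tom's objection to a DNAT target that is an address range) can be caught mechanically before `shorewall start`. The following linter is an added example for readers of this thread, not code from the thread or from the Shorewall project; it parses the whitespace-separated columns of a Shorewall 3.x `rules` file and the sample rule set is constructed from the rules posted above. The service-name table and the column layout it assumes (ACTION SOURCE DEST PROTO DPORT SPORT ORIGINAL_DEST) are assumptions of the example.

```python
"""Lint a Shorewall 3.x `rules` file for the two mistakes made in this thread.

Added example, not code from the thread or from the Shorewall project. It parses
the whitespace-separated columns of a rules file
    ACTION  SOURCE  DEST  PROTO  DPORT  [SPORT  [ORIGINAL_DEST]]
and reports:
  * DNAT rules whose DEST host part is an address range or a network rather than
    a single host: the kernel spreads such connections across every address in
    the range, so only the address of the one mail host should be given;
  * ACCEPT rules for the service port with SOURCE fw (outbound only, publishes
    nothing) or DEST fw (delivers the port to the firewall itself).
"""
import ipaddress
import re

# Constructed sample: the rule sets posted in the thread, one rule per line.
SAMPLE_RULES = """\
SECTION NEW
ACCEPT      pptp  fw                                icmp
ACCEPT      fw    net                               tcp  smtp
ACCEPT      net   fw                                tcp  smtp
DNAT        net   loc:192.168.1.100                 tcp  80
DNAT:debug  net   loc:192.168.1.10-192.168.1.98     tcp  smtp
DNAT        net   loc:192.168.1.10-192.168.1.98:25  tcp  25    -   212.200.112.79
DNAT        net   loc:192.168.1.98                  tcp  25
DROP        net   fw                                udp  1026:1029
"""

SERVICE_PORTS = {"smtp": "25", "http": "80"}   # assumed names accepted in DPORT
RANGE_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}-\d{1,3}(?:\.\d{1,3}){3}$")


def norm_port(port):
    """Map a service name to its number so 'smtp' and '25' compare equal."""
    return SERVICE_PORTS.get(port.lower(), port)


def parse_rule(line):
    """Return a dict for one rule line; None for blanks, comments and SECTION lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("SECTION"):
        return None
    cols = line.split()
    if len(cols) < 3:
        raise ValueError("rule needs at least ACTION SOURCE DEST: %r" % line)
    cols += ["-"] * (7 - len(cols))            # pad the optional columns
    return {
        "action": cols[0].split(":", 1)[0],    # drop a log level such as DNAT:debug
        "source": cols[1], "dest": cols[2], "proto": cols[3],
        "dport": cols[4], "sport": cols[5], "origdest": cols[6],
    }


def split_dest(dest):
    """Split 'zone[:host[:port]]' into (zone, host, port); missing parts are None."""
    parts = dest.split(":") + [None, None]
    return parts[0], parts[1], parts[2]


def host_kind(host):
    """Classify a DEST host as 'none', 'single', 'range', 'network' or 'other'."""
    if host is None:
        return "none"
    if RANGE_RE.match(host):
        return "range"
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return "other"                         # e.g. an interface name
    return "single" if net.num_addresses == 1 else "network"


def lint_rules(text, service_port="25"):
    """Return [(line_no, message), ...] for rules that cannot publish the service."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["action"] == "DNAT":
            _zone, host, _port = split_dest(rule["dest"])
            kind = host_kind(host)
            if kind == "none":
                findings.append((no, "DNAT names no target host"))
            elif kind in ("range", "network"):
                findings.append((no, "DNAT target %s is a %s; name the single host "
                                     "running the service" % (host, kind)))
        elif rule["action"] == "ACCEPT" and norm_port(rule["dport"]) == service_port:
            if rule["source"] == "fw":
                findings.append((no, "ACCEPT from fw only lets the firewall connect "
                                     "out; it publishes nothing"))
            elif rule["dest"] == "fw":
                findings.append((no, "ACCEPT to fw sends port %s to the firewall "
                                     "itself, not to a host behind it" % service_port))
    return findings


if __name__ == "__main__":
    for no, msg in lint_rules(SAMPLE_RULES):
        print("line %d: %s" % (no, msg))
```

Run against the sample it flags lines 3, 4, 6 and 7 (the two ACCEPT rules and both range DNATs) and passes the `DNAT net loc:192.168.1.98 tcp 25` form that Tom asks for. It deliberately does not second-guess a legitimate range in other actions (a DROP or ACCEPT over a range is ordinary), only a DNAT target.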
2007/8/2, Tom Eastep <teastep@shorewall.net>:
> >> Pál Csányi wrote:
> > It's in Hungarian yet.
> >
> >>> The port 25 is still closed from the internet. :(
> >>>
> > rules:
> > DNAT net loc:192.168.1.10-192.168.1.98:25 tcp 25 -
> > 212.200.112.79
>
> Why are you specifying a range of IP addresses? Are you running 89 smtp
> servers? You should only be specifying the IP address of the system where
> exim is running (192.168.1.98).

Because my firewall runs a dhcp server and gives IP addresses to the subnet systems. How can I know in this case which IP address will be assigned to the desktop machine?

> > I tried now with masq:
> > ppp0 eth1 212.200.112.79
> >
> > No success.
>
> If you want us to comment on that entry, we need to see the entire
> configuration. Please follow the instructions at
> http://www.shorewall.net/support.htm#Guidelines.

3.a. Yes, Shorewall Started Successfully.
3.b. Connection or Traffic Shaping Problem(s)?
     I think this is a Traffic Problem.
3.c. #/sbin/shorewall dump > /tmp/status.txt
3.d. Post attachment compressed with bzip2.
3.e. My public IP address is 212.200.112.79 with FQDN: csanyi-pal.info
     My firewall has 3 interfaces:
     eth0 - internet
     eth1 - localnet
     ppp0 - for the pptp VPN tunnel to my ISP.

I can't send mail to mailing lists from my desktop box that is behind the firewall, because the remote mailservers can't reach my exim4 for communication (helo - ehlo).

This desktop box gets a dynamic IP address from the firewall, usually 192.168.1.98

I can browse the internet with Mozilla Firefox.

> > - My DNAT rule doesn't match the connection request in some other way.
>
> We are still not seeing enough here to tell what is going on (other than
> your DNAT rule is clearly wrong).
>
> > How can I use tcpdump to further diagnose the problem?
>
> tcpdump -ni ppp0 port 25
>
> Then try to connect to port 25 from the net.

I use for that connection from the internet the simulated attack mentioned before. Is this right?
I haven't any other opportunity to do that.

sudo tcpdump -vv -ni ppp0 port 25
---------------------------------------------------------
tcpdump: listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
18:23:54.623436 IP (tos 0x0, ttl 17, id 38548, offset 0, flags [none], proto: UDP (17), length: 38) 195.70.57.5.44458 > 212.200.112.79.25: [udp sum ok] UDP, length 10
18:24:07.007821 IP (tos 0x0, ttl 52, id 42290, offset 0, flags [none], proto: TCP (6), length: 60) 64.233.184.231.40553 > 212.200.112.79.25: S, cksum 0x4056 (correct), 2204265014:2204265014(0) win 5720 <mss 900,sackOK,timestamp 259463438 0,nop,wscale 0>
18:24:10.035117 IP (tos 0x0, ttl 53, id 42291, offset 0, flags [none], proto: TCP (6), length: 60) 64.233.184.231.40553 > 212.200.112.79.25: S, cksum 0x3f2a (correct), 2204265014:2204265014(0) win 5720 <mss 900,sackOK,timestamp 259463738 0,nop,wscale 0>
18:24:15.996353 IP (tos 0x0, ttl 53, id 42292, offset 0, flags [none], proto: TCP (6), length: 60) 64.233.184.231.40553 > 212.200.112.79.25: S, cksum 0x3cd2 (correct), 2204265014:2204265014(0) win 5720 <mss 900,sackOK,timestamp 259464338 0,nop,wscale 0>
18:24:39.996570 IP (tos 0x0, ttl 53, id 42293, offset 0, flags [none], proto: TCP (6), length: 60) 64.233.184.231.40553 > 212.200.112.79.25: S, cksum 0x3372 (correct), 2204265014:2204265014(0) win 5720 <mss 900,sackOK,timestamp 259466738 0,nop,wscale 0>
5 packets captured
5 packets received by filter
0 packets dropped by kernel

I hope this helps to solve my problem with your help.

--
Regards,
Paul
Pál Csányi wrote:
> 2007/8/2, Tom Eastep <teastep@shorewall.net>:
>> Why are you specifying a range of IP addresses? Are you running 89 smtp
>> servers? You should only be specifying the IP address of the system where
>> exim is running (192.168.1.98).
>
> Because my firewall runs a dhcp server and gives IP addresses to the subnet
> systems. How can I know in this case which IP address will be assigned to
> the desktop machine?

You configure your DHCP server to always give the desktop the same IP address (by specifying the desktop's MAC address in the configuration).

Almost 8 hours ago, Andrew Suffield told you that the rule was wrong and you are still using it. You can leave it there for another 8 years and it still won't work.

To repeat: The rule needs to specify the address of the desktop and *only* the address of the desktop.

>
> 3.a. Yes, Shorewall Started Successfully.
> 3.b. Connection or Traffic Shaping Problem(s)?
>      I think this is a Traffic Problem.
> 3.c. #/sbin/shorewall dump > /tmp/status.txt
> 3.d. Post attachment compressed with bzip2.
> 3.e. My public IP address is 212.200.112.79 with FQDN: csanyi-pal.info
>      My firewall has 3 interfaces:
>      eth0 - internet
>      eth1 - localnet
>      ppp0 - for the pptp VPN tunnel to my ISP.
>
> I can't send mail to mailing lists from my desktop box that is
> behind the firewall, because the remote mailservers can't reach my exim4
> for communication (helo - ehlo).
>
> This desktop box gets a dynamic IP address from the firewall, usually 192.168.1.98

Again, that will never work.

>
> I hope this helps to solve my problem with your help.
>

Fix your DHCP configuration and fix the DNAT rule and it will work. That is assuming that the Exim server is listening on address 0.0.0.0 and not 127.0.0.1 (many packages configure the server to listen only for local traffic). Use "netstat -tnap" to see which local IP address exim is bound to.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
2007/8/2, Tom Eastep <teastep@shorewall.net>:
> Pál Csányi wrote:
> Almost 8 hours ago, Andrew Suffield told you that the rule was wrong and you
> are still using it. You can leave it there for another 8 years and it still
> won't work.
>
> To repeat: The rule needs to specify the address of the desktop and
> *only* the address of the desktop.

DNAT  net  loc:192.168.1.98  tcp  25

> Fix your DHCP configuration and fix the DNAT rule and it will work.

host csanyi-pal.info {
    hardware ethernet **:**:*:**:**:**;
    fixed-address 192.168.1.98;
}

> That is assuming that the Exim server is listening on address 0.0.0.0 and
> not 127.0.0.1 (many packages configure the server to listen only for local
> traffic).

I did it. :)

> Use "netstat -tnap" to see which local IP address exim is bound to.

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      *****/exim4

WIGWAM test says: The port 25 is open and answers to the requests!

Thank you Tom, and all of you! :)

--
Regards,
Paul
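Tom's last caveat, that the DNAT is useless if exim only listens on 127.0.0.1, is the check most often skipped when a forwarded port stays "closed". The script below is an added example for readers of this thread, not code from the thread or from Exim or Shorewall: it parses `netstat -tnap` output in the format Paul posted and reports whether a given port is bound to an address that other hosts can reach. The sample output is constructed (exim4 on loopback only, as in the failure case Tom describes, plus two reachable daemons); the program names and PIDs in it are invented.

```python
"""Check from `netstat -tnap` output which address a service is bound to.

Added example, not code from the thread or from Exim/Shorewall. A DNAT rule can
only deliver a connection to a daemon that listens on an address the firewall can
reach: a socket bound to 127.0.0.1 (or ::1) accepts local connections only, one
bound to 0.0.0.0 (or ::) accepts connections arriving on any interface.
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::"}

# Constructed sample in the layout of `netstat -tnap`: exim4 bound to loopback
# only (the failure mode Tom describes), apache2 and sshd reachable. PIDs and
# program names are invented.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1234/exim4
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1300/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      900/sshd
tcp        0      0 192.168.1.98:41000      64.233.184.231:80       ESTABLISHED 2000/firefox-bin
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 forms like ':::22' work too."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def listening_sockets(netstat_text):
    """Parse LISTEN rows into dicts with proto, addr, port and program name."""
    sockets = []
    for line in netstat_text.splitlines():
        cols = line.split()
        # skip the two header lines and anything that is not a TCP listener
        if len(cols) < 6 or cols[0] not in ("tcp", "tcp6") or cols[5] != "LISTEN":
            continue
        addr, port = split_endpoint(cols[3])
        # PID/Program name is "-" when netstat is run without root privileges
        program = cols[6].split("/", 1)[1] if len(cols) > 6 and "/" in cols[6] else "?"
        sockets.append({"proto": cols[0], "addr": addr, "port": port, "program": program})
    return sockets


def bind_scope(addr):
    """'all-interfaces', 'loopback-only' or 'specific' for a local bind address."""
    if addr in WILDCARD:
        return "all-interfaces"
    if addr in LOOPBACK:
        return "loopback-only"
    return "specific"


def reachable_from_network(netstat_text, port):
    """True if some listener on `port` is bound to an address other hosts can reach."""
    return any(bind_scope(s["addr"]) != "loopback-only"
               for s in listening_sockets(netstat_text) if s["port"] == str(port))


def explain(netstat_text, port):
    """One-line verdict for a port, in the spirit of Tom's netstat advice."""
    hits = [s for s in listening_sockets(netstat_text) if s["port"] == str(port)]
    if not hits:
        return "nothing listens on port %s; the daemon is not running or uses another port" % port
    detail = ", ".join("%s on %s (%s)" % (s["program"], s["addr"], bind_scope(s["addr"]))
                       for s in hits)
    verdict = "reachable" if reachable_from_network(netstat_text, port) else "NOT reachable"
    return "port %s is %s from the network: %s" % (port, verdict, detail)


if __name__ == "__main__":
    for p in (25, 80, 22, 143):
        print(explain(SAMPLE_NETSTAT, p))
```

In practice the text is piped in from `netstat -tnap` (or `ss -tlnp` on newer systems, whose columns differ) on the mail host itself, not on the firewall. On Debian the address list exim4 binds to is `dc_local_interfaces` in /etc/exim4/update-exim4.conf.conf, which the package ships restricted to loopback; that is the setting Paul had to change before the now-correct DNAT rule could deliver anything.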