Hi people, can anybody help me to mask the IP of my mail server? I have this schema:

Virtual Mail Server
ETH0: 192.168.10.24
GW: 192.168.10.1

Shorewall Firewall
ETH0: 192.168.10.1
ETH1: 212.31.41.116 (IP ALIAS) and 212.31.41.88

When my mail server tries to deliver an email to any external mail server (hotmail, gmail, ...), this external mail server sees the internal IP and refuses the mail because this is an internal IP. I need that the external server sees the IP 212.31.41.116 instead of 192.168.10.24. I use DNAT so that any computer can reach ports 80, 25 and 110 from the internet (using the 212.31.41.116 IP ADDRESS).

Is this possible?

Thanks a lot
Toni

------------------------------------------------------------------------------
This SF.net email is sponsored by:
High Quality Requirements in a Collaborative Environment.
Download a free trial of Rational Requirements Composer Now!
http://p.sf.net/sfu/www-ibm-com
Roberto C. Sánchez
2009-Apr-14 21:05 UTC
Re: How to mask the internal ip of my mail server
On Tue, Apr 14, 2009 at 10:12:27PM +0200, Support CETEMMSA wrote:
>
> anybody can help me for mask the ip of my mail server?
>
Toni,

1. This is not a Shorewall problem/issue.
2. Why does this matter? IP addresses are not secret.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Roberto C. Sánchez wrote:
> 2. Why does this matter? IP addresses are not secret.

The problem is that some mail servers are set up to be "quite picky" about such details and will refuse mail.

The answer is to properly configure the mail server - I know Postfix has an option to configure what it reports itself as (I assume it's the hostname given in the HELO handshake that's the problem).

--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Simon Hobson wrote:
> Roberto C. Sánchez wrote:
>
>> 2. Why does this matter? IP addresses are not secret.
>
> The problem is that some mail servers are set up to be "quite picky"
> about such details and will refuse mail.
>
> The answer is to properly configure the mail server - I know Postfix
> has an option to configure what it reports itself as (I assume it's
> the hostname given in the HELO handshake that's the problem).
>
This is yet another case that illustrates why I much prefer Proxy ARP over NAT.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> This is yet another case that illustrates why I much prefer Proxy ARP
> over NAT.

I think most of us would if we had the IPs available.

<off topic>
Roll on IPv6 eh ;-) Would sure cure some of the headaches I have at work, though I don't fancy talking people through "open a command prompt and type 'ping ....'"

But looking at the amount of kit on the market (and installed) that doesn't do IPv6 (because the manufacturer doesn't do it AT ALL), it's not going to arrive in the mainstream any time soon.

--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
Sorry for my ignorance, but I think that is possible with iptables rules.

I would mask all traffic from 192.168.10.24 to tcp port 25 with the real IP in the firewall/gateway server.

Is it not possible?

Thanks
Toni

-----Original message-----
From: Roberto C. Sánchez [mailto:roberto@connexer.com]
Sent: Tuesday, 14 April 2009 23:05
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] How to mask the internal ip of my mail server

> Toni,
>
> 1. This is not a Shorewall problem/issue.
> 2. Why does this matter? IP addresses are not secret.
>
> Regards,
>
> -Roberto
On Tuesday 14 April 2009 22:12:27 Support CETEMMSA wrote:
> Virtual Mail Server
> ETH0: 192.168.10.24
> GW: 192.168.10.1
>
> Shorewall Firewall
> ETH0: 192.168.10.1
> ETH1: 212.31.41.116 (IP ALIAS) and 212.31.41.88
>
> When my mail server try to delivery an email to any external mail server
> (hotmail, gmail, ...) this external mail server watch the internal IP and
> refuse the mail because this is an internal IP. I need that the external
> server watch the IP 212.31.41.116 instead of 192.168.10.24. I use DNAT for
> any computer watch the port 80, 25 and 110 from internet (using the
> 212.31.41.116 IP ADDRESS).

Mmmh, sorry, but I don't think that you are experiencing problems with external MTAs due to NAT, because your internal MTA is sending mails from a public IP address (I guess 212.31.41.88, which maybe is your default IP?), because otherwise it simply wouldn't work: the remote MTA would have no chance to communicate with a reserved private address, as 192.168.10.24 is.

Anyway, maybe what you're looking for is to edit /etc/shorewall/nat and put something like this:

  212.31.41.116   eth0:0   192.168.10.24   yes

which will NAT all the traffic from 192.168.10.24 to appear externally as being from 212.31.41.116, assuming eth0:0 is the alias you want. Obviously you have to open the communication with the correct rule in /etc/shorewall/rules.

HTH
(and if I'm saying nonsense, list please correct me, thanks :)

--
Davide Ferrari
Atrapalo.com System Administrator
Support CETEMMSA wrote:
> Sorry for my ignorance but I think that is possible with iptables rules.
>
> I would mask all traffic from 192.168.10.24 to tcp port 25 with real ip in
> the firewall/gateway server.
>
> Is not possible?

No, you've missed the point. The DNAT will take care of translating the source address of the outgoing packets & dest address of incoming packets - that's not a problem.

But mail programs will "chat" as part of the preamble to exchanging a message, and part of that preamble typically contains the host name (or IP address). I suspect the problem will be in the HELO clause, where one server says HELO to the other:

  $ telnet somemx.somedomain.com 25
  Connected to somemx.somedomain.com.
  Escape character is '^]'.
  220 somemx.somedomain.com ESMTP Postfix (Debian/GNU)
  HELO somesender.somotherdomain.com
  250 somemx.somedomain.com
  ...

The hostname used by the recipient (somemx.somedomain.com in this example) will largely be ignored, but many receiving servers will do some sanity checks on the hostname given in the HELO statement (somesender.somotherdomain.com here). While technically there is no requirement for this to be anything specific, it is normally expected to be the hostname of the sending device as a FQDN, or at least its public IP address. It would not surprise me to find that people block mails from devices that identify themselves as an RFC1918 private address. A properly configured mail server should not do this, but a spam bot looking up its hostname in many networks is likely to do so.

Postfix allows this to be set by putting "myhostname = somemx.somedomain.com" in /etc/postfix/main.cf.

--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.
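The sanity checks Simon describes, written out as an added example (not code from this thread or from Postfix): a receiver-side HELO policy that refuses bare IP addresses, RFC 1918 address literals and non-FQDN names the way a picky MTA does. The 504 reply is modelled on Postfix's wording; own_names is an assumed operator-supplied list of the receiver's own hostnames.

```python
# Receiver-side HELO/EHLO sanity checks of the kind a "picky" MTA applies.
# Added example, not from the thread or from Postfix; it hand-writes the
# checks Postfix offers as reject_non_fqdn_helo_hostname and
# reject_invalid_helo_hostname so the logic is visible.
import ipaddress
import re

LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def helo_verdict(helo, own_names=()):
    """Return (accepted, reason) for a HELO/EHLO argument.

    own_names: the receiving MTA's own hostnames (assumed operator-supplied);
    a remote sender claiming one of them is refused.
    """
    helo = helo.strip()
    if not helo:
        return False, "empty HELO argument"
    # Address literal: RFC 5321 requires the brackets, and an RFC 1918
    # address is exactly what Simon expects picky receivers to refuse.
    if helo.startswith("[") and helo.endswith("]"):
        try:
            addr = ipaddress.ip_address(helo[1:-1])
        except ValueError:
            return False, "malformed address literal"
        if addr.is_private:
            return False, "address literal is not a public address"
        return True, "public address literal"
    try:
        ipaddress.ip_address(helo)
        return False, "bare IP address; RFC 5321 requires [brackets]"
    except ValueError:
        pass
    labels = helo.rstrip(".").split(".")
    if len(labels) < 2:
        return False, "need fully-qualified hostname"
    if not all(LABEL_RE.match(lab) for lab in labels):
        return False, "invalid hostname syntax"
    if labels[-1].isdigit():
        return False, "top-level label cannot be all digits"
    if helo.lower().rstrip(".") in {n.lower() for n in own_names}:
        return False, "sender claims to be this server"
    return True, "syntactically valid FQDN"


def smtp_reply(helo, own_names=()):
    """The 250 or 504 line the receiving MTA would answer with."""
    ok, reason = helo_verdict(helo, own_names)
    if ok:
        return "250 somemx.somedomain.com"
    return "504 5.5.2 <%s>: Helo command rejected: %s" % (helo, reason)
```

Feeding it "[192.168.10.24]" or a bare "mailserver" yields the 504 line; "somesender.somotherdomain.com" or "[212.31.41.116]" gets the 250.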
> -----Original Message-----
> From: Davide Ferrari [mailto:davide.ferrari@atrapalo.com]
> Sent: Wednesday, April 15, 2009 5:38 AM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] How to mask the internal ip of my mail server
>
> Anyway, maybe what you're looking for is to edit /etc/shorewall/nat and put
> something like this:
>
> 212.31.41.116   eth0:0   192.168.10.24   yes
>
> which will NAT all the traffic from 192.168.10.24 to appear externally as being
> from 212.31.41.116, assuming eth0:0 is the alias you want.
> Obviously you have to open the communication with the correct rule in
> /etc/shorewall/rules
>
> --
> Davide Ferrari
> Atrapalo.com System Administrator

couple of things:

Is real-world DNS resolving your external address, and does it hold an MX record?

proxy-arp in this type of basic dual-nic mail server setup worked well for me. May want to read up on that.

-C
> -----Original Message-----
> From: Christopher Barry [mailto:christopher.barry@qlogic.com]
> Sent: Wednesday, April 15, 2009 9:19 AM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] How to mask the internal ip of my mail server
>
> couple of things:
>
> Is real-world DNS resolving your external address, and does it hold an
> MX record?
>
> proxy-arp in this type of basic dual-nic mail server setup worked well
> for me. May want to read up on that.
>
> -C

ok verified #1 - that looks cool.

someone else mentioned a config param in your MTA to tell it what its IP is. That's probably the easiest thing. did you say what MTA you were using?

good luck,
-C
Simon Hobson wrote:
> Support CETEMMSA wrote:
>
>> Sorry for my ignorance but I think that is possible with iptables rules.
>>
>> I would mask all traffic from 192.168.10.24 to tcp port 25 with real ip in
>> the firewall/gateway server.
>>
>> Is not possible?
>
> No, you've missed the point. The DNAT will take care of translating
> the source address of the outgoing packets & dest address of incoming
> packets - that's not a problem.

That's actually the role of SNAT, not DNAT :-)

But you are correct -- no communication with the net would be possible without an appropriate entry in /etc/shorewall/masq. If the firewall were really sending packets with an RFC 1918 source IP, when ANY remote server responded, the responses would go into the bit bucket.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
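Tom's correction, and the one-to-one /etc/shorewall/nat entry Davide suggested earlier, in runnable form as an added example (a toy model, not Shorewall's or netfilter's code): a gateway with a masq-style SNAT map, a DNAT port-forward map and a connection-tracking table. It shows that the DNAT rule alone already un-translates replies to inbound connections, while a new outbound SMTP connection from 192.168.10.24 leaves with its private source and never gets a reply unless a masq/SNAT entry rewrites it to 212.31.41.116; Davide's nat entry is the two maps combined for that one host. The remote MX address 203.0.113.25 and the source ports are constructed.

```python
# Model of what the two Shorewall entries in this thread make netfilter do:
# a masq entry (SNAT for new outbound connections) versus a DNAT rule (new
# inbound connections), with a connection-tracking table that un-translates
# replies. Added example, not Shorewall's code; addresses below are the
# thread's plus a constructed remote MX (203.0.113.25, TEST-NET-3).
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")
MAIL_INT, MAIL_EXT, REMOTE_MX = "192.168.10.24", "212.31.41.116", "203.0.113.25"


class Gateway:
    def __init__(self, masq=None, dnat=None):
        self.masq = masq or {}     # internal src -> external src (masq file)
        self.dnat = dnat or {}     # (external addr, port) -> internal (DNAT rule)
        self.conntrack = {}        # expected reply tuple -> translated reply

    def forward(self, p, from_lan):
        """Translate one packet crossing the firewall; None means dropped."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.conntrack:            # reply to a tracked connection
            return self.conntrack[key]
        if from_lan:                         # new outbound: masq/SNAT applies
            ext = self.masq.get(p.src)
            after = p._replace(src=ext) if ext else p   # no entry: private src leaks
        else:                                # new inbound: DNAT applies
            target = self.dnat.get((p.dst, p.dport))
            if target is None:
                return None
            after = p._replace(dst=target)
        # Remember how the reply to this connection must be rewritten.
        self.conntrack[(after.dst, after.dport, after.src, after.sport)] = \
            Pkt(p.dst, p.dport, p.src, p.sport)
        return after


def outbound_delivery(gw):
    """Mail server connects out to REMOTE_MX:25. Returns (source address the
    remote MX sees, its SYN/ACK as delivered to the LAN host, or None)."""
    syn = gw.forward(Pkt(MAIL_INT, 40001, REMOTE_MX, 25), from_lan=True)
    if ipaddress.ip_address(syn.src).is_private:
        return syn.src, None                 # no route back: Tom's bit bucket
    synack = Pkt(syn.dst, syn.dport, syn.src, syn.sport)
    return syn.src, gw.forward(synack, from_lan=False)


def inbound_delivery(gw):
    """Remote MX connects to the published 212.31.41.116:25. Returns (LAN
    host that got the SYN, source address the MX sees on the reply)."""
    syn = gw.forward(Pkt(REMOTE_MX, 51000, MAIL_EXT, 25), from_lan=False)
    if syn is None:
        return None, None
    synack = Pkt(syn.dst, syn.dport, syn.src, syn.sport)
    return syn.dst, gw.forward(synack, from_lan=True).src
```

With only the DNAT rule, inbound_delivery works but outbound_delivery returns the private address and no reply; adding the masq entry for 192.168.10.24 makes the outbound source 212.31.41.116 and the reply come back.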
Thanks a lot for your answers.

I found the solution in the file masq. Thanks, it works ok, but the mail servers reject my emails because these use the internal IP of my server (I need to configure the SMTP to not use the internal IP).

Thanks a lot
Toni

-----Original message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, 15 April 2009 16:13
To: Shorewall Users
Subject: Re: [Shorewall-users] How to mask the internal ip of my mail server

> That's actually the role of SNAT, not DNAT :-)
>
> But you are correct -- no communication with the net would be possible
> without an appropriate entry in /etc/shorewall/masq. If the firewall were
> really sending packets with an RFC 1918 source IP, when ANY remote server
> responded, the responses would go into the bit bucket.
>
> -Tom

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users