Hi,

I'm trying to get transparent smtp to an internal smtp server (not running on the firewall) working with 4.0 (debian lenny). But can't get it to work the way I want. I had it working with my old iptables script with the following rules:

#iptables -A FORWARD -p tcp -d 192.168.x.21 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -A PREROUTING -i ! eth1 -p tcp -s ! 192.168.x.21 -d 0/0 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.x.21:25

I tried the squid trick using providers/tcrules but when trying to connect from a client I get: No route to host

providers:
smtptest 1 202 - eth0 192.168.x.21 loose

tcrules:
202:P eth0:!192.168.x.21 0.0.0.0/0 tcp 25

interfaces:
loc eth0 detect routeback

client connection:
telnet x.x.x.x 25
Trying x.x.x.x...
telnet: Unable to connect to remote host: No route to host

Also I tried the FAQ 2 trick. That does work, however the smtp server logs the connections as coming from the firewall. For logging purposes I want the real client ip logged.

masq:
eth0:192.168.x.21 eth0 192.168.x.1 tcp smtp

rules:
DNAT loc:!192.168.x.21 loc:192.168.x.21:25 tcp smtp

I then tried with only the rule in the rules file. This does seem to get the connection to the right server as seen by ippl. But no real connection is established. Telnet keeps trying and ippl keeps logging connection attempts.

I tried playing around with SAME: and nodst: in the address column in the masq file, but can't seem to get the syntax right. I noticed newer shorewall versions support the use of NONAT in that column. I guess that's what I need.
Do I have to upgrade to a newer version of shorewall or am I doing it all wrong?
On Thu, Nov 19, 2009 at 02:55:20PM +0100, Lex Jonkers wrote:
>
> I tried the squid trick using providers/tcrules but when trying to connect
> from a client I get: No route to host
>
That is a misapplication of the squid trick.

> Also I tried the FAQ 2 trick. That does work however the smtp server logs
> the connections as coming from the firewall. For logging purposes I want
> the real client ip logged.
>
In that case, it sounds like what you really want is one of two things:

1. just directly give the SMTP server a public IP

OR

2. set aside a public IP and use SNAT (a.k.a. one-to-one NAT)

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Lex Jonkers wrote:
> Hi,
>
> I'm trying to get transparent smtp to an internal smtp server (not running
> on the firewall) working with 4.0 (debian lenny). But can't get it to work
> the way I want. I had it working with my old iptables script with the
> following rules:
> #iptables -A FORWARD -p tcp -d 192.168.x.21 --dport 25 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
> #iptables -t nat -A PREROUTING -i ! eth1 -p tcp -s ! 192.168.x.21 -d 0/0
> --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to
> 192.168.x.21:25

I find it hard to believe you when you say that those rules worked. Here's why...

Let's say that 192.168.x.44 attempts to connect to TCP port 25 on 206.124.146.177. Your rules would rewrite the destination IP address to 192.168.x.21 and forward the connection back out of eth1. Server 192.168.x.21 would receive the SYN packet and respond with a SYN,ACK to 192.168.x.44. When 192.168.x.44 received that response it would simply discard the packet because the source IP address in the response is 192.168.x.21, not 206.124.146.177.

>
> I tried the squid trick using providers/tcrules but when trying to connect
> from a client I get: No route to host

Did you also configure a REDIRECT rule on 192.168.x.44?

>
> providers:
> smtptest 1 202 - eth0 192.168.x.21 loose
>
> tcrules:
> 202:P eth0:!192.168.x.21 0.0.0.0/0 tcp 25
>
> interfaces:
> loc eth0 detect routeback
>
> client connection:
> telnet x.x.x.x 25
> Trying x.x.x.x...
> telnet: Unable to connect to remote host: No route to host

I notice that you are using eth0 in that configuration whereas your original rules were redirecting back out of eth1. Did your IP configuration change?

>
> Also I tried the FAQ 2 trick. That does work however the smtp server logs
> the connections as coming from the firewall. For logging purposes I want
> the real client ip logged.

That is a documented side effect of that silly hack.

>
> masq:
> eth0:192.168.x.21 eth0 192.168.x.1 tcp smtp
>
> rules:
> DNAT loc:!192.168.x.21 loc:192.168.x.21:25 tcp smtp
>
> I then tried with only the rule in the rules file
>
> This does seem to get the connection to the right server as seen by ippl.
> But no real connection is established.
> Telnet keeps trying and ippl keeps logging connection attempts.

That rules file entry generates essentially the same two iptables rules that you claim worked! And they don't work for exactly the reason that I described above.

>
> I tried playing around with SAME: and nodst: in the address column in the
> masq file, but can't seem to get the syntax right. I noticed newer
> shorewall versions support the use of NONAT in that column. I guess that's
> what I need.
> Do I have to upgrade to a newer version of shorewall or am I doing it all
> wrong?

I know of no way to do what you want except to use the squid trick, including the REDIRECT rule on the SMTP server.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
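The packet walk Tom describes above, as an added example that is not part of the thread: a small Python model that traces the SYN and the returning SYN,ACK under the three setups discussed (DNAT only, DNAT plus masq as in FAQ 2, and the squid trick with a REDIRECT on the server). The addresses are constructed stand-ins for the thread's 192.168.x.44, 192.168.x.21, 192.168.x.1 and 206.124.146.177.

```python
# Added example, not code from the thread. Constructed addresses stand in for
# the thread's 192.168.x.44 (client), 192.168.x.21 (SMTP server),
# 192.168.x.1 (firewall LAN side) and 206.124.146.177 (public address).
CLIENT = "192.168.0.44"
SERVER = "192.168.0.21"
FW_LAN = "192.168.0.1"
PUBLIC = "206.124.146.177"


def walk(mode):
    """Trace CLIENT's SYN to PUBLIC:25 and the SYN,ACK that comes back.

    mode: "dnat"       DNAT only (the iptables rules in the first message)
          "dnat+snat"  DNAT plus masq of the source (the FAQ 2 hack)
          "policy"     the squid trick: packet is marked and routed to SERVER
                       unchanged, and SERVER REDIRECTs port 25 to itself
    Returns what the server logs as the client, the source address of the
    SYN,ACK the client receives, and whether the client accepts it.
    """
    if mode == "dnat":
        on_wire = {"src": CLIENT, "dst": SERVER}   # PREROUTING rewrote dst
    elif mode == "dnat+snat":
        on_wire = {"src": FW_LAN, "dst": SERVER}   # ... and POSTROUTING src
    elif mode == "policy":
        on_wire = {"src": CLIENT, "dst": PUBLIC}   # routed, not translated
    else:
        raise ValueError(f"unknown mode {mode!r}")

    # The SMTP server logs whichever source address reaches it.
    server_logs = on_wire["src"]

    # The server (REDIRECT's conntrack entry included) replies from the
    # address it was contacted on, to the address the SYN came from.
    synack = {"src": on_wire["dst"], "dst": on_wire["src"]}

    # Only a reply addressed to the firewall passes back through it, where
    # conntrack undoes the DNAT (and SNAT) before delivering to the client.
    if synack["dst"] == FW_LAN:
        synack = {"src": PUBLIC, "dst": CLIENT}

    # The client's TCP stack matches the SYN,ACK against the socket it opened
    # to PUBLIC:25; a reply from any other source is silently discarded.
    accepts = synack == {"src": PUBLIC, "dst": CLIENT}
    return {"server_logs": server_logs,
            "synack_src": synack["src"],
            "client_accepts": accepts}
```

walk("dnat") reproduces the discarded SYN,ACK, walk("dnat+snat") completes the handshake but logs the firewall address, and only walk("policy") both completes it and leaves the real client address in the server log.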
Tom Eastep wrote:
> Lex Jonkers wrote:
>
> I notice that you are using eth0 in that configuration whereas your
> original rules were redirecting back out of eth1. Did your IP
> configuration change?
>
Please disregard that question; I reread your rules and now see that you had '-i ! eth1' (which, BTW, is syntax that is deprecated in favor of '! -i eth1').

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________