surfer@emailengine.net
2014-Jul-15 00:25 UTC
Shorewall config for Mailserver-on-LAN, over a VPN to static IPs on a VPS?
Hi,

I've been having a heck of a time getting this straight, and could use a hand. Any help would be appreciated!

I have a hosted VPS that's connected to my home/ofc over a VPN. The VPN endpoint boxes are the VPS and my home/ofc firewall. Both boxes are running Shorewall. And I have a mail server on another machine on my home/ofc's LAN.

I've got all simple pinging/communication between machines/LAN across the VPN like I need. I need to get the firewall rules working, especially DNAT & masq, for the mailserver.

Here's a diagram of what I've got in place:

---------------------
(1) VPS + Shorewall
    firewall
    eth0: A.A.A.1/32
          B.B.B.1/32
          C.C.C.1/32
    tun0: 172.20.0.1/24
    loc:  192.168.0.1/24
---------------------
          |
          |
---------------------
(2) HOME/OFC FIREWALL + Shorewall
    firewall
    eth0: D.D.D.2/29
    eth1: 192.168.1.2/24
    tun0: 172.20.0.2/24
    loc:  127.0.0.1/8
---------------------
          |
          |
---------------------
(3) HOME/OFC LAN MAILSERVER
    eth0: 192.168.1.50/24
    loc:  127.0.0.1/8
---------------------

I need to

(1) open the VPS's port 25 to the net
(2) translate the inbound traffic from the net to the mail server
(3) translate the mailserver's outbound mail traffic to appear to only/always originate from A.A.A.1

To do that, following Shorewall docs as best as I could, I set up this config:

Shorewall @ VPS

/zones
#ZONE   TYPE       OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn1    ipv4

/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,routefilter=1
loc     lo
-       tun+        -

/hosts
#ZONE   HOST(S)              OPTIONS
vpn1    tun+:172.20.0.0/24

/rules
?SECTION NEW
...
DNAT    net    loc:192.168.0.1/24    tcp    25,587    -    A.A.A.1
...

Shorewall @ HOME/OFC FIREWALL

/zones
#ZONE   TYPE       OPTIONS
fw      firewall
net     ipv4
int     ipv4
loc     ipv4
vpn1    ipv4

/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0
int     eth1        logmartians=1,routefilter=1
loc     lo
-       tun+        -

/hosts
#ZONE   HOST(S)              OPTIONS
vpn1    tun+:172.20.0.0/24

/masq
#INTFC:DEST   SOURCE         ADDRESS   PROTO   PORT(S)   IPSEC   MARK   USER/
#                                                                       GROUP
eth0          192.168.1.50   A.A.A.1   tcp     25,587

When I compile the firewalls I get no errors. But after reloading the firewalls, if I try to telnet in from an external site (IP = X.X.X.15), I get

  telnet -4 A.A.A.1 25
  Trying A.A.A.1...

and no farther. Just sits there :-/

A tcpdump on the VPS's external interface is seeing the traffic inbound:

  tcpdump -i eth0 -vvv -n | egrep "A.A.A.1"
  tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
  X.X.X.15.58202 > A.A.A.1.25: Flags [S], cksum 0x576f (correct), seq 2016956801, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 1 ecr 0], length 0
  X.X.X.15.58202 > A.A.A.1.25: Flags [S], cksum 0x5763 (correct), seq 2016956801, win 32768, options [mss 1460,nop,wscale 3,sackOK,nop,nop,nop,nop,TS val 13 ecr 0], length 0

I must have missed something in the setup. :-/

Any help here? How do I get this traffic INBOUND, over the VPN and to/from the mailserver?

Cheers,

Jerry
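The symptom in the post (SYN seen on the VPS, client never gets past "Trying...") is what you get when the SYN is translated and forwarded but the SYN-ACK takes a different path back. The following is an added example, not code from the post or from Shorewall: a small packet-path tracer that models the three hosts in the diagram plus an internet client, with routing, DNAT/SNAT and a per-host conntrack table, and walks an SMTP SYN and its SYN-ACK through them. Documentation addresses stand in for the masked ones (A.A.A.1 = 198.51.100.1, D.D.D.2 = 192.0.2.2, X.X.X.15 = 203.0.113.15); the routes and NAT rules are constructed from the diagram and the posted config, except that the VPS DNAT is assumed to target the mailserver's VPN-side address 192.168.1.50, and the VPS-side masquerade over tun0 (source rewritten to 172.20.0.1) is an assumed addition that the post does not contain.

```python
"""Added example, not from the post: trace an SMTP SYN and its SYN-ACK through
the hosts in the diagram to see whether the handshake can complete.

Stand-in addresses: A.A.A.1 -> 198.51.100.1, D.D.D.2 -> 192.0.2.2,
X.X.X.15 -> 203.0.113.15. Topology and NAT rules are constructed here.
"""
import ipaddress

# A packet is (src, sport, dst, dport); its reply swaps the two halves.
def reverse(p):
    return (p[2], p[3], p[0], p[1])

class Host:
    def __init__(self, name, addrs, routes, dnat=(), snat=()):
        self.name, self.addrs = name, set(addrs)
        # routes: (prefix, out_iface); longest prefix wins
        self.routes = sorted(routes, key=lambda r: -ipaddress.ip_network(r[0]).prefixlen)
        self.dnat = list(dnat)  # (in_iface, dst, dport, new_dst)           PREROUTING
        self.snat = list(snat)  # (out_iface, src_prefix, dport|None, new_src) POSTROUTING
        self.ct = {}            # expected reply tuple -> un-translated reply tuple

    def route(self, dst):
        a = ipaddress.ip_address(dst)
        return next((i for p, i in self.routes if a in ipaddress.ip_network(p)), None)

    def forward(self, in_iface, pkt):
        """Apply NAT and routing; return (out_iface, pkt), out_iface None = delivered here."""
        orig, tracked = pkt, pkt in self.ct
        src, sport, dst, dport = self.ct.get(pkt, pkt)   # replies are un-NATed, not re-NATed
        if not tracked:
            for iface, d, p, new in self.dnat:
                if iface == in_iface and (d, p) == (dst, dport):
                    dst = new
        if dst in self.addrs:
            return None, (src, sport, dst, dport)
        out = self.route(dst)
        if not tracked:
            for iface, prefix, p, new in self.snat:
                if iface == out and p in (None, dport) and \
                        ipaddress.ip_address(src) in ipaddress.ip_network(prefix):
                    src = new
        pkt = (src, sport, dst, dport)
        if pkt != orig and not tracked:              # remember how to undo this for the reply
            self.ct[reverse(pkt)] = reverse(orig)
        return out, pkt

def trace(links, host, in_iface, pkt, max_hops=10):
    """Hop-by-hop path; returns (path, host that delivered it or None, final pkt)."""
    path = []
    for _ in range(max_hops):
        out, pkt = host.forward(in_iface, pkt)
        path.append((host.name, out, pkt))
        if out is None:
            return path, host, pkt
        if (host.name, out) not in links:             # no route: dropped
            return path, None, pkt
        host, in_iface = links[(host.name, out)]
    return path, None, pkt

def build(vps_masq_over_tun):
    client = Host("client", ["203.0.113.15"], [("0.0.0.0/0", "eth0")])
    inet = Host("inet", [], [("198.51.100.0/24", "vps"), ("192.0.2.0/29", "home"),
                             ("203.0.113.0/24", "client")])
    vps = Host("vps", ["198.51.100.1", "172.20.0.1", "192.168.0.1"],
               [("0.0.0.0/0", "eth0"), ("172.20.0.0/24", "tun0"), ("192.168.1.0/24", "tun0")],
               dnat=[("eth0", "198.51.100.1", 25, "192.168.1.50")],   # assumed: DNAT to the LAN mailserver
               snat=[("tun0", "0.0.0.0/0", None, "172.20.0.1")] if vps_masq_over_tun else [])
    home = Host("home", ["192.0.2.2", "192.168.1.2", "172.20.0.2"],
                [("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth1"),
                 ("172.20.0.0/24", "tun0"), ("192.168.0.0/24", "tun0")],
                snat=[("eth0", "192.168.1.50", 25, "198.51.100.1")])  # the posted /masq line
    mail = Host("mail", ["192.168.1.50"], [("0.0.0.0/0", "eth0")])
    links = {("client", "eth0"): (inet, "x"), ("inet", "vps"): (vps, "eth0"),
             ("inet", "home"): (home, "eth0"), ("inet", "client"): (client, "eth0"),
             ("vps", "eth0"): (inet, "x"), ("vps", "tun0"): (home, "tun0"),
             ("home", "tun0"): (vps, "tun0"), ("home", "eth0"): (inet, "x"),
             ("home", "eth1"): (mail, "eth0"), ("mail", "eth0"): (home, "eth1")}
    return client, mail, links

def smtp_handshake(vps_masq_over_tun):
    """Return (syn path, synack path, ok); ok means the client receives a SYN-ACK
    from exactly the address:port it sent the SYN to."""
    client, mail, links = build(vps_masq_over_tun)
    syn = ("203.0.113.15", 58202, "198.51.100.1", 25)   # the tuple from the tcpdump
    fpath, at, delivered = trace(links, client, None, syn)
    if at is not mail:
        return fpath, [], False
    rpath, rat, reply = trace(links, mail, None, reverse(delivered))
    return fpath, rpath, rat is client and reply == reverse(syn)

if __name__ == "__main__":
    for masq in (False, True):
        fpath, rpath, ok = smtp_handshake(masq)
        print(f"VPS masq over tun0={masq}: handshake ok={ok}")
        for hop in fpath + rpath:
            print("   ", hop)
```

Without the VPS-side masquerade, the mailserver sees the SYN from 203.0.113.15 and answers via its default route, so the SYN-ACK leaves the home firewall's eth0 with source 192.168.1.50 (the posted /masq line does not match it, since it matches destination port 25/587) and the client never sees a SYN-ACK from 198.51.100.1:25. With the masquerade the reply is forced back over tun0 to the VPS, whose conntrack entry restores the original tuple. The cost is that the mailserver logs every client as 172.20.0.1; the alternative that keeps the real client address is policy routing on the home firewall (Shorewall's /providers with the track option) so connections that arrived over tun0 are answered over tun0.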