Jon wrote:

> 
> I am attempting to DNAT a myriad of requests through the Shorewall
> firewall to a local machine. The firewall has two NICs where eth1 is an
> internal 10.0.50.10 and eth0 is an external to the ISP.

You have exactly one DNAT rule -- for port 25.

> 
> The machine I am trying to DNAT to is 10.0.50.50 and I wish to DNAT
> smtp, http, https, pop3, imap, and imaps all on their standard ports.
> 
> The quirky thing is that if I configure Shorewall to DNAT from a
> non-standard port on the firewall to a standard port on the local
> machine, everything works. For example, if I configure the firewall to
> listen on port 26 and send those requests to port 25 on the local
> machine, that works and I can send mail.

What do you mean by "listen on port 26"? Are you just describing a DNAT rule
that rewrites the destination port number?

> 
> However, using standard ports fail. For example, configuring the
> firewall to accept all connections and then just route them to the local
> machine on the originating port fails.

Your terminology is wrong. In the context of your problem, Shorewall has
nothing to do with routing. Shorewall directs Netfilter to rewrite the
destination IP address (and/or destination port number) on certain incoming
packets -- that's all it does.

> Likewise, rules specifying
> standard ports (like configuring the firewall to accept requests on port
> 25 and specifically route them to the local machine on port 25) also fail.

Again, Shorewall can configure Netfilter to rewrite addresses and port
numbers -- the only two times that Shorewall affects routing are a) If you
use /etc/shorewall/proxyarp and specify No in the HAVEROUTE column; and b)
If you have entries in /etc/shorewall/providers.

> 
> I see in the syslog that requests make it through the firewall with the
> appropriate dnat_net notation in the log so it appears to be a matter of
> the traffic not coming back out.

> 
> I have attempted to tcpdump the interface, but my skills are somewhat
> rudimentary in this area. Both successful non-standard port and
> unsuccessful standard port conversations look the same to me.

You are certainly handicapped when trying to run a Unix-based
router/gateway/firewall when you aren't familiar with the basic diagnostic
tools of the platform.

> 
> I'm really not sure if this is a Shorewall issue - in fact, I somehow
> doubt it is. However, I have spent several days on this already and I am
> totally out of ideas at this point.
> 
> Any and all help is appreciated.
> 

One odd thing that I notice is that you are attempting to test from host
161.184.172.35 which is in the 'admin' zone rather than in the 'net' zone
(which is what your DNAT rule specifies). While I don't see where that
should make a material difference given that the admin->loc policy is ACCEPT,
it indicates that you apparently don't have a crisp idea of what you are
testing.

I also notice that host 161.184.172.35 appears to be included twice in the
'admin' zone.

Another odd thing about your config is that while the admin->loc policy is
ACCEPT, you also have ACCEPT admin->loc rules!!??

What I suggest that you try is:

a) On the firewall system, "tcpdump -nvvi eth0 host 61.184.172.35 and port 25".

b) From 61.184.172.35, "telnet 137.186.135.69 25".

Are you seeing response packets? Do they have the correct checksum (tcpdump
will complain if they don't)? Do they have the correct Source IP
(137.186.135.69)?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
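The three checks suggested at the end of the message (is a reply seen on the external interface, does it carry the firewall's public address as its source, and is its checksum good), applied to tcpdump output, as an added example that is not from this thread or from the Shorewall project. It assumes a simplified one-line `tcpdump -nvv` format and uses constructed sample lines that reuse the addresses from the message: 61.184.172.35 as the test client, 137.186.135.69 as the firewall's public address and 10.0.50.50 as the DNAT target.

```python
import re

# Address/port/flags part of a tcpdump -nvv TCP line (simplified, constructed format), e.g.
#   "IP 61.184.172.35.40000 > 137.186.135.69.25: Flags [S.], cksum 0x3c4d (correct), ..."
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\](?P<rest>.*)"
)

def parse_line(line):
    """Return (src, sport, dst, dport, flags, bad_cksum) or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    bad = "incorrect" in m.group("rest") or "bad cksum" in line
    return (m.group("src"), int(m.group("sport")), m.group("dst"),
            int(m.group("dport")), m.group("flags"), bad)

def check_dnat_reply(lines, client, public, port):
    """Ask the message's three questions of a capture taken on the external
    interface: is there a SYN-ACK reply, is its source the public address,
    and is its checksum good.  An empty list means the round trip looks healthy."""
    pkts = [p for p in map(parse_line, lines) if p]
    syns = [p for p in pkts if p[0] == client and p[2] == public
            and p[3] == port and p[4] == "S"]
    replies = [p for p in pkts if p[2] == client and p[1] == port and p[4] == "S."]
    findings = []
    if not syns:
        findings.append(f"no SYN from {client} to {public}:{port} seen")
    if not replies:
        findings.append("no SYN-ACK reply seen: target not answering, or reply "
                        "not returning through the firewall")
    for src, _, _, _, _, bad in replies:
        if src != public:
            findings.append(f"reply source {src} not rewritten back to {public}")
        if bad:
            findings.append(f"reply from {src} has a bad TCP checksum")
    return findings

# Constructed sample captures, not output from the poster's system.
HEALTHY = [
    "12:00:00.000001 IP 61.184.172.35.40000 > 137.186.135.69.25: Flags [S], cksum 0x1a2b (correct), seq 100, win 5840, length 0",
    "12:00:00.000120 IP 137.186.135.69.25 > 61.184.172.35.40000: Flags [S.], cksum 0x3c4d (correct), seq 200, ack 101, win 5792, length 0",
]
BROKEN = [
    HEALTHY[0],
    "12:00:00.000120 IP 10.0.50.50.25 > 61.184.172.35.40000: Flags [S.], cksum 0x3c4d (incorrect -> 0x5e6f), seq 200, ack 101, win 5792, length 0",
]
```

A reply whose source is still the internal 10.0.50.50 address, or one that never appears at all on eth0, points at the return path rather than at the DNAT rule itself.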

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users