Pál Csányi wrote:

> ---------- Forwarded message ----------
> From: Pál Csányi <[EMAIL PROTECTED]>
> Date: 2007.08.02. 17:52
> Subject: Re: [Shorewall-users] exim4 behind a firewall
> To: Tom Eastep <[EMAIL PROTECTED]>
>
> 2007/8/2, Tom Eastep <[EMAIL PROTECTED]>:
>> Pál Csányi wrote:
>>> DNAT net loc:192.168.1.100 tcp 80
>> Didn't you want port 25 there rather than 80?
>
> No, this is for my web server, and this works fine, the port is open, and
> answers the requests. Try http://csanyi-pal.info

The reason that I asked is that the post that I was replying to had NO DNAT rule for smtp.

> It's in the Hungarian language yet.
>
>>> The port 25 is still closed from the internet. :(
>
> rules:
> DNAT net loc:192.168.1.10-192.168.1.98:25 tcp 25 - 212.200.112.79

Why are you specifying a range of IP addresses? Are you running 89 smtp servers? You should only be specifying the IP address of the system where exim is running (192.168.1.98).

> I tried now with masq:
> ppp0 eth1 212.200.112.79
>
> No success.

If you want us to comment on that entry, we need to see the entire configuration. Please follow the instructions at http://www.shorewall.net/support.htm#Guidelines.

> I read Shorewall FAQ 1a.
> -----------------------------------------
> - I'm trying to test from inside my firewall:
> http://wigwam.sztaki.hu/varazslatok/port_teszt.shtml
> It's in Hungarian. You must click on the button:
> WIGWAM - gyors tűzfalteszt
>
> that is in English: fast firewall test
>
> This site scans your ports and finds out whether the port is open and
> answers the queries.
>
> - on my desktop behind the firewall:
> ifconfig
> eth1 Link encap:Ethernet HWaddr **:**:**:**:**:**
> inet addr:192.168.1.98 Bcast:192.168.1.255 Mask:255.255.255.0
> eth1 gets its IP address with dhcp-client from the firewall.
> route -n
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> 0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth1
>
> - I asked my ISP to open ports 80 & 25 for me, and he opened these ports for me.
>
> - I'm running Debian GNU/Linux Etch
>
> I read Shorewall FAQ 1b.
> -----------------------------------------
> iptables -t nat -Z
> With: http://wigwam.sztaki.hu/varazslatok/tamadas.shtml
> I attack my own port 25:
> Szimulált támadás szabadon választott porton:
> PORT: 25 TÁMADJ MEG!
>
> This is a simulated attack on my port 25.
>
> sudo shorewall show nat
> ...................................
> Shorewall-3.2.6 NAT Table at debian-tuzfal - 2007. aug. 2., csütörtök, 17.38.52 CEST
>
> Counters reset 2007. aug. 2., csütörtök, 16.58.56 CEST
>
> Chain net_dnat (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 DNAT tcp -- * * 0.0.0.0/0 212.200.112.79 tcp dpt:25 to:192.168.1.10-192.168.1.98:25
> ..................................
> Because I must use pptp-linux to connect to my ISP, for that I use the
> ppp0 interface. The simulated attack can use only the ppp0 interface
> to connect to port 25.
> - My DNAT rule doesn't match the connection request in some other way.

We are still not seeing enough here to tell what is going on (other than your DNAT rule is clearly wrong).

> How can I use tcpdump to further diagnose the problem?

tcpdump -ni ppp0 port 25

Then try to connect to port 25 from the net.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
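As an added example, not from the thread or from Shorewall itself: a small Python checker that parses a `shorewall show nat` dump like the one quoted above and applies the two diagnostics Tom makes (a range in the DNAT target, and a packet counter still at 0 after `iptables -t nat -Z` and a connection attempt). The sample dump is constructed from the output quoted in the thread, and the external interface name ppp0 is taken from it.

```python
import re
from ipaddress import ip_address

# Constructed sample, copied from the `shorewall show nat` output quoted in the thread
# (one DNAT rule in net_dnat, counter still 0 after the reset).
SAMPLE_NAT_DUMP = """\
Shorewall-3.2.6 NAT Table at debian-tuzfal - 2007. aug. 2., csütörtök, 17.38.52 CEST

Counters reset 2007. aug. 2., csütörtök, 16.58.56 CEST

Chain net_dnat (1 references)
 pkts bytes target prot opt in out source    destination
    0     0 DNAT   tcp  --  *  *   0.0.0.0/0 212.200.112.79  tcp dpt:25 to:192.168.1.10-192.168.1.98:25
"""

# One iptables DNAT line: counters, protocol, in/out interfaces, source, destination, dpt:, to:
DNAT_LINE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+DNAT\s+(?P<proto>\S+)\s+--\s+\S+\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+dpt:(?P<dport>\d+)\s+to:(?P<target>\S+)"
)

def parse_dnat_rules(dump):
    """Return one dict per DNAT rule found in a `shorewall show nat` dump."""
    rules = []
    for line in dump.splitlines():
        m = DNAT_LINE.match(line)
        if m:
            rule = m.groupdict()
            rule["pkts"] = int(rule["pkts"])
            rule["dport"] = int(rule["dport"])
            rules.append(rule)
    return rules

def diagnose(rule):
    """Apply the thread's two checks to one parsed DNAT rule: a range target for a
    single service is a misconfiguration, and a counter still at 0 after the reset and
    a connection attempt means the SYN never reached net_dnat, so capture on the
    external interface before looking at exim on the inside host."""
    findings = []
    host, _, _port = rule["target"].rpartition(":")
    if "-" in host:
        lo, hi = host.split("-", 1)
        count = int(ip_address(hi)) - int(ip_address(lo)) + 1
        findings.append(f"target {host} is a range of {count} addresses; use the single server address")
    if rule["pkts"] == 0:
        findings.append(f"0 packets matched dpt:{rule['dport']} since the counter reset; "
                        f"run 'tcpdump -ni ppp0 port {rule['dport']}' and retry the connection")
    return findings
```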
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
