Dear list.

I have a working multiple-ISP configuration running on a Debian etch box
with shorewall version 3.2.6-2 (I'll upgrade soon, I promise!).

My two internet uplinks (eth4 and ppp0) belong to the same "net" zone.
Everything is working fine, but I have a problem with NAT.

Behind the firewall I have some services I want to be accessible from
outside, e.g. the SMTP server, which is listening on port 25/tcp on an
internal server.

Interfaces are like this:
net     eth4            detect          dhcp,blacklist,tcpflags
net     ppp0            detect          dhcp,blacklist,tcpflags
lan1    eth1            detect          arp_filter
lan2    eth2            detect          arp_filter
road    tun+

The problematic rule is this:
DNAT    net     lan1:<internal IP of my mail server>    tcp     25

If I try to nmap the port on the first public IP (which is routed to ppp0)
from an external server I get:
# nmap -p 25 <public IP #1>

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-04-11 09:40 CEST
Interesting ports on <public IP #1>:
PORT   STATE    SERVICE
25/tcp filtered smtp

Nmap finished: 1 IP address (1 host up) scanned in 6.887 seconds

On the firewall I can see (with tcpdump) packets coming through ppp0:
# tcpdump -i ppp0 dst port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
09:40:42.913240 IP <sourceIP>.62519 > <public IP #1>.smtp: S 2099963655:2099963655(0) win 3072 <mss 1452>
09:40:43.016305 IP <sourceIP>.62520 > <public IP #1>.smtp: S 2100029190:2100029190(0) win 1024 <mss 1452>

If I try the same with the other public IP (which is routed to eth4) I get:
# nmap -p 25 <public IP #2>

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-04-11 09:48 CEST
Interesting ports on <public IP #2>:
PORT   STATE SERVICE
25/tcp open  smtp

Nmap finished: 1 IP address (1 host up) scanned in 6.873 seconds

I really don't understand where the fault is. It doesn't seem to be a
routing problem, so I'm asking for your support. Please ask if you need
additional elements to diagnose.


Thanks.
Alessandro
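The two captures above show the pattern worth checking on each uplink: SYNs arriving on the link, but no SYN/ACK going back out on it. The script below is an added example, not part of the original post and not Shorewall code. It parses tcpdump output in both the older "S 123:123(0)" style shown above and the newer "Flags [S]" style, tallies SYNs and SYN/ACKs per (server, port), and reports which services were answered on that link. The sample capture lines are constructed, with RFC 5737 addresses standing in for the redacted ones; the reply-side lines for eth4 are assumed, since the post only shows the inbound packets.

```python
"""Tally TCP SYN and SYN/ACK packets from a per-interface tcpdump capture.

Run tcpdump on each uplink (e.g. `tcpdump -n -i ppp0 tcp port 25`), feed the
lines in, and see whether handshakes are answered on the same link. A bucket
with SYNs but no SYN/ACK means the firewall dropped the packet or sent the
reply out through another interface, which is exactly what a remote scanner
reports as "filtered".
"""
import re
from collections import defaultdict

# Two tcpdump line styles:
#   3.x: "09:40:42.913240 IP 192.0.2.10.62519 > 198.51.100.5.smtp: S 2099963655:2099963655(0) win 3072 <mss 1452>"
#   4.x: "09:40:42.913240 IP 192.0.2.10.62519 > 198.51.100.5.25: Flags [S], seq 2099963655, win 3072, ..."
_PKT = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\S+?)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\w+):\s+"
    r"(?:Flags\s+\[(?P<new>[^\]]*)\]|(?P<old>[SFRPUEW.]+))"
)

# Symbolic port names tcpdump prints when run without -n (small local table,
# so the script works offline without consulting /etc/services).
_SERVICES = {"smtp": 25, "http": 80, "https": 443, "ssh": 22, "domain": 53}


def _port(token):
    """Turn a tcpdump port token ('25' or 'smtp') into an int, or None."""
    if token.isdigit():
        return int(token)
    return _SERVICES.get(token)


def parse_packet(line):
    """Return the fields of one tcpdump line, or None if it is not a TCP packet line."""
    m = _PKT.match(line.strip())
    if not m:
        return None
    flags = m.group("new") if m.group("new") is not None else m.group("old")
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": _port(m.group("sport")),
        "dst": m.group("dst"), "dport": _port(m.group("dport")),
        "syn": "S" in flags,
        "ack": "." in flags,   # tcpdump prints ACK as '.' in both styles
    }


def summarize(lines):
    """Count SYNs and SYN/ACKs per (server, port).

    A plain SYN is keyed by its destination, a SYN/ACK by its source, so both
    halves of one handshake land in the same bucket.
    """
    buckets = defaultdict(lambda: {"syn": 0, "synack": 0, "clients": set()})
    for line in lines:
        p = parse_packet(line)
        if p is None or not p["syn"]:
            continue
        if p["ack"]:
            buckets[(p["src"], p["sport"])]["synack"] += 1
        else:
            b = buckets[(p["dst"], p["dport"])]
            b["syn"] += 1
            b["clients"].add(p["src"])
    return buckets


def diagnose(buckets):
    """Return {(server, port): verdict} for every service seen in the capture."""
    verdicts = {}
    for key, b in buckets.items():
        if b["syn"] and not b["synack"]:
            verdicts[key] = "SYN seen on this link, no SYN/ACK: dropped by the firewall or replied via another interface"
        elif b["syn"] and b["synack"]:
            verdicts[key] = "handshake answered on this link"
        else:
            verdicts[key] = "only replies seen on this link"
    return verdicts


# Constructed sample captures (addresses from RFC 5737, not the poster's).
PPP0_CAPTURE = [
    "09:40:42.913240 IP 192.0.2.10.62519 > 198.51.100.5.smtp: S 2099963655:2099963655(0) win 3072 <mss 1452>",
    "09:40:43.016305 IP 192.0.2.10.62520 > 198.51.100.5.smtp: S 2100029190:2100029190(0) win 1024 <mss 1452>",
]
ETH4_CAPTURE = [
    "09:48:10.100000 IP 192.0.2.10.62530 > 203.0.113.7.25: Flags [S], seq 2100100000, win 3072, options [mss 1452], length 0",
    "09:48:10.100400 IP 203.0.113.7.25 > 192.0.2.10.62530: Flags [S.], seq 88, ack 2100100001, win 5840, options [mss 1460], length 0",
    "09:48:10.100800 IP 192.0.2.10.62530 > 203.0.113.7.25: Flags [.], ack 1, win 3072, length 0",
]

if __name__ == "__main__":
    for iface, capture in (("ppp0", PPP0_CAPTURE), ("eth4", ETH4_CAPTURE)):
        for (server, port), verdict in diagnose(summarize(capture)).items():
            print(f"{iface}: {server}:{port} -> {verdict}")
```

Run it against a capture taken with `tcpdump -n -i <uplink> tcp port <port>` rather than `dst port`, so the reply packets are captured as well; without them every bucket reports "no SYN/ACK".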
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users