Mailinglist Archive: opensuse-security (670 mails)

Re: [suse-security] Reverse masquerade one IP ...
  • From: Ray Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 14 Nov 2001 09:48:35 +0200
  • Message-id: <3BF221D2.C5D79193@xxxxxxxxxxxxxxxxxxxxxx>


"Reckhard, Tobias" wrote:

> Ray,
>
> sorry for having been a little harsh in my other mail, I see you've set up
> some rules yourself already.
>

No problem.

>
> > These are the rules I have to get mail to work (or not work) ...
> >
> > # Masquerade internal networks
> > $IPTABLES -t nat -A POSTROUTING -o $IFACE_INT -s $NET_INT -j MASQUERADE
> > $IPTABLES -t nat -A POSTROUTING -o $IFACE_DMZ -s $NET_DMZ -j MASQUERADE
> >
> Hmm, I don't use the MASQUERADE target, but rather -j SNAT --to <new source
> address>. Have you tried that?
>

I have since opted to not use SNAT or MASQUERADE, but to only allow access to
the net via a proxy.

>
> You do know that you're allowing access to everything on the Internet with
> these rules (if you couple them with corresponding rules from the other
> chains).
>

My default chain policy is set to drop. If I don't have INPUT, FORWARD and OUTPUT
rules then nobody can do anything from the DMZ or internal networks.

>
> > #### allow smtp and pop3

<snip><snip>

>

> > This is the problem :
> >
> > Mail gets delivered to the mail server from the client. The client is
> > configured to send mail to $IP_INET_MAIL. So this means that the reverse
> > masq (DNAT) is working.
> >
> > The mail server (on $IP_INT_MAIL) tries to contact another mail server
> > (mail.knowledgefactory.co.za) and times out with an entry in the mail log
> > file in /var/log/mail saying "Timeout contacting mail.knowledgefactory.co.za."
> >
> > There are no dropped packets on the firewall.
> >
> > My firewall script also contains these rules to log any packets that reach
> > the end of the chain:
> >
> > # drop MS broadcasts
> > $IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 137 -d $BCAST_INT -j DROP
> > $IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 138 -d $BCAST_INT -j DROP
> > $IPTABLES -A INPUT -p udp -s 0.0.0.0/32 -j DROP
> > $IPTABLES -A INPUT -p udp -d 255.255.255.255/32 -j DROP
> >
> > # log any packets that reach the end
> > $IPTABLES -A INPUT -i $IFACE_INT -j LOG --log-prefix "DROP INPUT INTERNAL: "
> > $IPTABLES -A FORWARD -i $IFACE_INT -j LOG --log-prefix "DROP FORWARD INTERNAL: "
> > $IPTABLES -A OUTPUT -o $IFACE_INT -j LOG --log-prefix "DROP OUTPUT INTERNAL: "
> > $IPTABLES -A INPUT -i $IFACE_DMZ -j LOG --log-prefix "DROP INPUT DMZ: "
> > $IPTABLES -A FORWARD -i $IFACE_DMZ -j LOG --log-prefix "DROP FORWARD DMZ: "
> > $IPTABLES -A OUTPUT -o $IFACE_DMZ -j LOG --log-prefix "DROP OUTPUT DMZ: "
> > $IPTABLES -A INPUT -i $IFACE_INET -j LOG --log-prefix "DROP INPUT INET: "
> > $IPTABLES -A FORWARD -i $IFACE_INET -j LOG --log-prefix "DROP FORWARD INET: "
> > $IPTABLES -A OUTPUT -o $IFACE_INET -j LOG --log-prefix "DROP OUTPUT INET: "
> >

<snip><snip>

>
> > Any ideas?
> >
> Is the DNS lookup of mail.knowledgefactory.co.za successful?
>

Yes, it resolves to and tries to contact 196.38.2.132

>
> > I don't want to setup pop3 and smtp proxies on my firewall ...
> >
> You should consider setting those up in your DMZ, though, really.

The proxy or the servers (smtp, pop3)?

>
> Cheers,
> Tobias

Ray
--
----------------------------------------------------------------------
Raymond Leach
Cell:+27-82-416-1410 Tel:+27-11-444-5006 Fax:+27-11-444-5007
eMail:raymondl@xxxxxxxxxxxxxxxxxxxxxx
www:http://www.knowledgefactory.co.za
"No matter where you go, there you are ..."
----------------------------------------------------------------------
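The setup this thread is about, written out as an added example that is not part of the original mail: one public address "reverse masqueraded" (DNAT) to an internal mail server, a fixed SNAT for that server's outbound SMTP (the alternative to MASQUERADE that Tobias suggests), the FORWARD rules a default DROP policy still needs, and a log-then-drop tail. The variable names follow Ray's script; the interface names and addresses are placeholders I chose (RFC 5737 documentation addresses), not values from the thread. By default the script only echoes the iptables commands it would run; set IPTABLES=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not from the original post. Dry-run by default:
# IPTABLES defaults to "echo iptables" so the ruleset can be reviewed
# without root; export IPTABLES=iptables to apply it for real.
IPTABLES=${IPTABLES:-"echo iptables"}

# Placeholder topology (assumed, not from the thread).
IFACE_INET=eth0                 # interface towards the Internet
IFACE_INT=eth1                  # interface towards the internal network
IP_INET_MAIL=198.51.100.10      # public address the MX record points at
IP_INT_MAIL=192.168.1.25        # internal mail server behind the firewall

mail_nat_rules() {
    # Inbound: SMTP/POP3 arriving on the public address is rewritten to
    # the internal server. This happens before routing, so FORWARD sees
    # the packet with the internal address as destination.
    $IPTABLES -t nat -A PREROUTING -i "$IFACE_INET" -d "$IP_INET_MAIL" \
        -p tcp -m multiport --dports 25,110 -j DNAT --to-destination "$IP_INT_MAIL"
    # Outbound: SNAT on the *external* interface gives the mail server a
    # fixed public source (the address remote MTAs will reverse-resolve),
    # whereas MASQUERADE picks whatever address the outgoing interface has.
    $IPTABLES -t nat -A POSTROUTING -o "$IFACE_INET" -s "$IP_INT_MAIL" \
        -j SNAT --to-source "$IP_INET_MAIL"
}

mail_forward_rules() {
    # NAT rules only rewrite addresses; with policy DROP on FORWARD the
    # traffic must still be explicitly accepted.
    # New inbound connections to the (already DNATed) internal server.
    $IPTABLES -A FORWARD -i "$IFACE_INET" -o "$IFACE_INT" -d "$IP_INT_MAIL" \
        -p tcp -m multiport --dports 25,110 -m state --state NEW -j ACCEPT
    # New outbound SMTP from the mail server to other MTAs.
    $IPTABLES -A FORWARD -i "$IFACE_INT" -o "$IFACE_INET" -s "$IP_INT_MAIL" \
        -p tcp --dport 25 -m state --state NEW -j ACCEPT
    # Replies and related traffic for both directions; conntrack also
    # un-NATs the replies, so no extra NAT rule is needed for them.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log, then drop explicitly: a LOG rule alone only records the packet
    # and relies on the chain policy to discard it.
    $IPTABLES -A FORWARD -j LOG --log-prefix "DROP FORWARD: "
    $IPTABLES -A FORWARD -j DROP
}

apply_mail_rules() {
    mail_nat_rules
    mail_forward_rules
}

apply_mail_rules
```

Only packets that reach the end of the chain hit the LOG rule, so a connection that times out without a single "DROP FORWARD" entry was either accepted by an earlier rule or never reached the FORWARD chain at all; checking that first (for example with `iptables -t nat -L -v -n` and `iptables -L FORWARD -v -n` to see which counters move) narrows the problem down before the MTA or the remote side is suspected.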