Mailinglist Archive: opensuse-security (670 mails)
RE: [suse-security] Reverse masquerade one IP ...
- From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
- Date: Wed, 14 Nov 2001 07:01:53 +0100
- Message-id: <96C102324EF9D411A49500306E06C8D1A56C03@xxxxxxxxxxxxxxxxx>
Ray,
sorry for having been a little harsh in my other mail, I see you've set up
some rules yourself already.
> These are the rules I have to get mail to work (or not work) ...
>
> # Masquerade internal networks
> $IPTABLES -t nat -A POSTROUTING -o $IFACE_INT -s $NET_INT -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -o $IFACE_DMZ -s $NET_DMZ -j MASQUERADE
>
Hmm, I don't use the MASQUERADE target, but rather -j SNAT --to <new source address>. Have you tried that?
You do know that you're allowing access to everything on the Internet with
these rules (if you couple them with corresponding rules from the other
chains).
> #### allow smtp and pop3
> # allow internet pop3 to mail server - reverse masq $IP_INET_MAIL:110 to $IP_INT_MAIL:110
> $IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp -d $IP_INET_MAIL --dport 110 -j DNAT --to-destination $IP_INT_MAIL
> $IPTABLES -A FORWARD -i $IFACE_INT -p tcp --dport 110 -d $NET_DMZ -j ACCEPT
> $IPTABLES -A FORWARD -i $IFACE_DMZ -p tcp --sport 110 -d $NET_INT -j ACCEPT
> $IPTABLES -A INPUT -i $IFACE_DMZ -p tcp --dport 113 -d $IP_INET -j ACCEPT
> $IPTABLES -A OUTPUT -o $IFACE_DMZ -p tcp --sport 113 -d $IP_INT_MAIL -j ACCEPT
> # allow internet smtp to mail server - reverse masq $IP_INET_MAIL:25 to $IP_INT_MAIL:25
> $IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp -d $IP_INET_MAIL --dport 25 -j DNAT --to-destination $IP_INT_MAIL
> $IPTABLES -A FORWARD -i $IFACE_INT -p tcp --dport 25 -d $NET_DMZ -j ACCEPT
> $IPTABLES -A FORWARD -i $IFACE_DMZ -p tcp --dport 25 -j ACCEPT
>
> This is the problem :
>
> Mail gets delivered to the mail server from the client. The client is
> configured to
> send mail to $IP_INET_MAIL. So this means that the reverse masq (DNAT) is
> working.
>
> The mail server (on $IP_INT_MAIL) tries to contact another mail server
> (mail.knowledgefactory.co.za) and times out with an entry in the mail log
> file in
> /var/log/mail saying "Timeout contacting mail.knowledgefactory.co.za."
>
> There are no dropped packets on the firewall.
>
> My firewall script also contains these rules to log any packets that reach
> the end
> of the chain:
>
> # drop MS broadcasts
> $IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 137 -d $BCAST_INT -j DROP
> $IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 138 -d $BCAST_INT -j DROP
> $IPTABLES -A INPUT -p udp -s 0.0.0.0/32 -j DROP
> $IPTABLES -A INPUT -p udp -d 255.255.255.255/32 -j DROP
>
> # log any packets that reach the end
> $IPTABLES -A INPUT -i $IFACE_INT -j LOG --log-prefix "DROP INPUT INTERNAL: "
> $IPTABLES -A FORWARD -i $IFACE_INT -j LOG --log-prefix "DROP FORWARD INTERNAL: "
> $IPTABLES -A OUTPUT -o $IFACE_INT -j LOG --log-prefix "DROP OUTPUT INTERNAL: "
> $IPTABLES -A INPUT -i $IFACE_DMZ -j LOG --log-prefix "DROP INPUT DMZ: "
> $IPTABLES -A FORWARD -i $IFACE_DMZ -j LOG --log-prefix "DROP FORWARD DMZ: "
> $IPTABLES -A OUTPUT -o $IFACE_DMZ -j LOG --log-prefix "DROP OUTPUT DMZ: "
> $IPTABLES -A INPUT -i $IFACE_INET -j LOG --log-prefix "DROP INPUT INET: "
> $IPTABLES -A FORWARD -i $IFACE_INET -j LOG --log-prefix "DROP FORWARD INET: "
> $IPTABLES -A OUTPUT -o $IFACE_INET -j LOG --log-prefix "DROP OUTPUT INET: "
>
>
> Any ideas?
>
Is the DNS lookup of mail.knowledgefactory.co.za successful?
> I don't want to setup pop3 and smtp proxies on my firewall ...
>
You should consider setting those up in your DMZ, though, really.
Cheers,
Tobias
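The LOG rules Ray quotes tag anything that falls off the end of a chain with a prefix, so a quick way to check the "no dropped packets" claim is to tally those kernel log lines by prefix and destination port. The following is an added example, not part of the thread: a small Python parser over constructed sample lines in the kernel's iptables LOG format (interface names and addresses are made up), which reports which DMZ hosts had port-25 connections fall off the FORWARD chain.

```python
import re
from collections import Counter

# Constructed sample lines in the format the kernel writes for iptables -j LOG.
# The prefixes are the ones from Ray's script; interfaces and addresses are made up.
SAMPLE_LOG = """\
Nov 14 06:58:01 fw kernel: DROP FORWARD DMZ: IN=eth2 OUT=eth0 SRC=192.168.2.25 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=34021 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 14 06:58:04 fw kernel: DROP FORWARD DMZ: IN=eth2 OUT=eth0 SRC=192.168.2.25 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=34021 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 14 06:58:05 fw kernel: DROP FORWARD DMZ: IN=eth2 OUT=eth0 SRC=192.168.2.25 DST=198.51.100.53 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=1236 PROTO=UDP SPT=32768 DPT=53 LEN=44
Nov 14 06:58:09 fw kernel: DROP INPUT INTERNAL: IN=eth1 OUT= MAC=... SRC=192.168.1.7 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 14 06:58:12 fw kernel: DROP FORWARD INET: IN=eth0 OUT=eth2 SRC=198.51.100.77 DST=192.168.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP SPT=44123 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Match only the prefixes configured in the script, then the key=value tail.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>DROP (?:INPUT|FORWARD|OUTPUT) (?:INTERNAL|DMZ|INET)): (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return a dict with the prefix and the IN/OUT/SRC/DST/PROTO/DPT fields, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = {"prefix": m.group("prefix")}
    for key, val in FIELD_RE.findall(m.group("rest")):
        entry.setdefault(key, val)  # first LEN= wins; the UDP trailer repeats it
    return entry

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def summarize(entries):
    """Count end-of-chain hits per (prefix, protocol, destination port)."""
    return Counter((e["prefix"], e.get("PROTO", "?"), e.get("DPT", "-")) for e in entries)

def outbound_from_dmz(entries, dport):
    """(SRC, DST) pairs that left the DMZ for the given TCP port and fell off FORWARD."""
    return sorted({(e["SRC"], e["DST"]) for e in entries
                   if e["prefix"] == "DROP FORWARD DMZ" and e.get("PROTO") == "TCP"
                   and e.get("DPT") == str(dport)})

if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(ents).items()):
        print(f"{n:4d}  {key[0]:<22} {key[1]:<4} dpt={key[2]}")
    print("DMZ hosts whose SMTP fell off FORWARD:", outbound_from_dmz(ents, 25))
```

On a real firewall, feed it the kernel messages (e.g. `grep 'DROP ' /var/log/messages`) instead of SAMPLE_LOG; an empty port-25 result for the mail server's address supports Ray's "no dropped packets" reading and points the search at DNS or NAT rather than the filter chains.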