Reverse masquerade one IP ...
Hi

Is it possible to reverse masq just one IP in a subnet?

I have a mail server on a private subnet and I want to reverse masq just the IP of the mail server.

Ray

-- 
Raymond Leach
Cell: +27-82-416-1410  Tel: +27-11-444-5006  Fax: +27-11-444-5007
eMail: raymondl@knowledgefactory.co.za  www: http://www.knowledgefactory.co.za
"No matter where you go, there you are ..."
Ray Leach wrote:
Hi
Is it possible to reverse masq just one IP in a subnet?
I have a mail server on a private subnet and I want to reverse masq just the IP of the mail server.
Like that:

iptables -A PREROUTING -t nat -p tcp --dport 25 -i $WORLD_DEV -j DNAT --to $MAILSERVERIP

-- 
intraDAT AG, Wilhelm-Leuschner-Strasse 7, D - 60329 Frankfurt am Main
http://www.intradat.com  Tel: +49 69-25629-0  Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.
Hi

What would be the reverse of this rule?

Sven Michels wrote:
Ray Leach wrote:
Hi
Is it possible to reverse masq just one IP in a subnet?
I have a mail server on a private subnet and I want to reverse masq just the IP of the mail server.
Like that:

iptables -A PREROUTING -t nat -p tcp --dport 25 -i $WORLD_DEV -j DNAT --to $MAILSERVERIP
iptables -A POSTROUTING -t nat -p tcp --sport 25 -o $DMZ_NET -j SNAT --to-source $WORLD_IP
Ray

-- 
Raymond Leach
Cell: +27-82-416-1410  Tel: +27-11-444-5006  Fax: +27-11-444-5007
eMail: raymondl@knowledgefactory.co.za  www: http://www.knowledgefactory.co.za
Ray Leach wrote:
Hi
What would be the reverse of this rule?
Sven Michels wrote:
Ray Leach wrote:
Hi
Is it possible to reverse masq just one IP in a subnet?
I have a mail server on a private subnet and I want to reverse masq just the IP of the mail server.
Like that:

iptables -A PREROUTING -t nat -p tcp --dport 25 -i $WORLD_DEV -j DNAT --to $MAILSERVERIP
iptables -A POSTROUTING -t nat -p tcp --sport 25 -o $DMZ_NET -j SNAT --to-source $WORLD_IP
You don't need a reverse rule. The server needs to have its default gw set to the machine where you used iptables. It rewrites only the destination in the packet; the source stays the same.

-- 
intraDAT AG, Wilhelm-Leuschner-Strasse 7, D - 60329 Frankfurt am Main
http://www.intradat.com  Tel: +49 69-25629-0  Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.
Sven Michels wrote:
Ray Leach wrote:
Hi
What would be the reverse of this rule?
Sven Michels wrote:
Ray Leach wrote:
Hi
Is it possible to reverse masq just one IP in a subnet?
I have a mail server on a private subnet and I want to reverse masq just the IP of the mail server.
Like that:

iptables -A PREROUTING -t nat -p tcp --dport 25 -i $WORLD_DEV -j DNAT --to $MAILSERVERIP
iptables -A POSTROUTING -t nat -p tcp --sport 25 -o $DMZ_NET -j SNAT --to-source $WORLD_IP
You don't need a reverse rule. The server needs to have its default gw set to the machine where you used iptables. It rewrites only the destination in the packet; the source stays the same.
I was wrong ;) You need a masq rule... normal masquerading like for other connections (if you don't masq all traffic which is leaving your wall thru $WORLD_DEV).

-- 
intraDAT AG, Wilhelm-Leuschner-Strasse 7, D - 60329 Frankfurt am Main
http://www.intradat.com  Tel: +49 69-25629-0  Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.
Hi

These are the rules I have to get mail to work (or not work) ...

# Masquerade internal networks
$IPTABLES -t nat -A POSTROUTING -o $IFACE_INT -s $NET_INT -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $IFACE_DMZ -s $NET_DMZ -j MASQUERADE

#### allow smtp and pop3
# allow internet pop3 to mail server - reverse masq $IP_INET_MAIL:110 to $IP_INT_MAIL:110
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp -d $IP_INET_MAIL --dport 110 -j DNAT --to-destination $IP_INT_MAIL
$IPTABLES -A FORWARD -i $IFACE_INT -p tcp --dport 110 -d $NET_DMZ -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_DMZ -p tcp --sport 110 -d $NET_INT -j ACCEPT
$IPTABLES -A INPUT -i $IFACE_DMZ -p tcp --dport 113 -d $IP_INET -j ACCEPT
$IPTABLES -A OUTPUT -o $IFACE_DMZ -p tcp --sport 113 -d $IP_INT_MAIL -j ACCEPT

# allow internet smtp to mail server - reverse masq $IP_INET_MAIL:25 to $IP_INT_MAIL:25
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp -d $IP_INET_MAIL --dport 25 -j DNAT --to-destination $IP_INT_MAIL
$IPTABLES -A FORWARD -i $IFACE_INT -p tcp --dport 25 -d $NET_DMZ -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_DMZ -p tcp --dport 25 -j ACCEPT

This is the problem:

Mail gets delivered to the mail server from the client. The client is configured to send mail to $IP_INET_MAIL. So this means that the reverse masq (DNAT) is working.

The mail server (on $IP_INT_MAIL) tries to contact another mail server (mail.knowledgefactory.co.za) and times out with an entry in the mail log file in /var/log/mail saying "Timeout contacting mail.knowledgefactory.co.za."

There are no dropped packets on the firewall.
My firewall script also contains these rules to log any packets that reach the end of the chain:

# drop MS broadcasts
$IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 137 -d $BCAST_INT -j DROP
$IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 138 -d $BCAST_INT -j DROP
$IPTABLES -A INPUT -p udp -s 0.0.0.0/32 -j DROP
$IPTABLES -A INPUT -p udp -d 255.255.255.255/32 -j DROP

# log any packets that reach the end
$IPTABLES -A INPUT -i $IFACE_INT -j LOG --log-prefix "DROP INPUT INTERNAL: "
$IPTABLES -A FORWARD -i $IFACE_INT -j LOG --log-prefix "DROP FORWARD INTERNAL: "
$IPTABLES -A OUTPUT -o $IFACE_INT -j LOG --log-prefix "DROP OUTPUT INTERNAL: "
$IPTABLES -A INPUT -i $IFACE_DMZ -j LOG --log-prefix "DROP INPUT DMZ: "
$IPTABLES -A FORWARD -i $IFACE_DMZ -j LOG --log-prefix "DROP FORWARD DMZ: "
$IPTABLES -A OUTPUT -o $IFACE_DMZ -j LOG --log-prefix "DROP OUTPUT DMZ: "
$IPTABLES -A INPUT -i $IFACE_INET -j LOG --log-prefix "DROP INPUT INET: "
$IPTABLES -A FORWARD -i $IFACE_INET -j LOG --log-prefix "DROP FORWARD INET: "
$IPTABLES -A OUTPUT -o $IFACE_INET -j LOG --log-prefix "DROP OUTPUT INET: "

Any ideas?

I don't want to setup pop3 and smtp proxies on my firewall ...

Ray

Sven Michels wrote:
Sven Michels wrote:
Ray Leach wrote:
Hi
What would be the reverse of this rule?
Sven Michels wrote:
Ray Leach wrote:
Hi
Is it possible to reverse masq just one IP in a subnet?
I have a mail server on a private subnet and I want to reverse masq just the IP of the mail server.
Like that:

iptables -A PREROUTING -t nat -p tcp --dport 25 -i $WORLD_DEV -j DNAT --to $MAILSERVERIP
iptables -A POSTROUTING -t nat -p tcp --sport 25 -o $DMZ_NET -j SNAT --to-source $WORLD_IP
You don't need a reverse rule. The server needs to have its default gw set to the machine where you used iptables. It rewrites only the destination in the packet; the source stays the same.
I was wrong ;) You need a masq rule... normal masquerading like for other connections (if you don't masq all traffic which is leaving your wall thru $WORLD_DEV).
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
-- 
Raymond Leach
Cell: +27-82-416-1410  Tel: +27-11-444-5006  Fax: +27-11-444-5007
eMail: raymondl@knowledgefactory.co.za  www: http://www.knowledgefactory.co.za
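A small Python model of what netfilter's connection tracking does with the rules discussed in this thread. It is an added illustration, not code from the thread or from any of its participants, and all addresses are constructed placeholders standing in for the variables Sven and Ray use ($MAILSERVERIP / $IP_INT_MAIL, $WORLD_IP / $IP_INET_MAIL, mail.knowledgefactory.co.za). It shows Sven's point that a DNAT rule needs no hand-written reverse rule, because conntrack un-translates the replies on its own, and it shows the case Ray reports: a connection the mail server opens itself leaves with its private source address unless a MASQUERADE or SNAT rule matches on the internet-facing interface. The posted rules attach MASQUERADE only to `-o $IFACE_INT` and `-o $IFACE_DMZ`; nothing in them masquerades what leaves through `$IFACE_INET`, which corresponds to the `masquerade=False` run in the model.

```python
"""Toy model of Linux NAT plus connection tracking for the thread's mail-server
case.  Added example; not code from the thread.  All addresses are constructed
placeholders."""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "198.51.100.10"   # stands in for $WORLD_IP / $IP_INET_MAIL
MAIL_IP = "10.0.1.25"         # stands in for $MAILSERVERIP / $IP_INT_MAIL (DMZ)
CLIENT_IP = "192.168.1.50"    # an internal client on $NET_INT
REMOTE_MX = "203.0.113.5"     # stands in for mail.knowledgefactory.co.za

# Only RFC 1918 space counts as "private" here; Python's is_private would also
# flag the documentation ranges used for the public placeholders above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reply(self):
        """The mirrored five-tuple: what the other side's answer looks like."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class NatBox:
    """The firewall: PREROUTING DNAT for PUBLIC_IP:25, an optional POSTROUTING
    masquerade toward the internet, and a conntrack table in between."""

    def __init__(self, masquerade: bool):
        self.masquerade = masquerade
        self.ct = {}  # incoming 5-tuple -> outgoing 5-tuple, one entry per direction

    def translate(self, pkt: Packet) -> Packet:
        if pkt.key() in self.ct:
            # Established flow: conntrack applies the stored mapping in either
            # direction without consulting the nat table again.
            return Packet(*self.ct[pkt.key()])
        out = pkt
        # PREROUTING: -d PUBLIC_IP --dport 25 -j DNAT --to MAIL_IP
        if pkt.dst == PUBLIC_IP and pkt.dport == 25:
            out = replace(out, dst=MAIL_IP)
        # POSTROUTING on the internet-facing interface: -j MASQUERADE (if configured)
        if self.masquerade and is_rfc1918(out.src) and not is_rfc1918(out.dst):
            out = replace(out, src=PUBLIC_IP)
        # The nat table is consulted once per connection; conntrack remembers the
        # forward mapping and its mirror image, which is what un-NATs the replies.
        self.ct[pkt.key()] = out.key()
        self.ct[out.reply().key()] = pkt.reply().key()
        return out


def internet_delivers(pkt: Packet) -> bool:
    """A packet sent to the internet with an RFC 1918 source gets no answer:
    the remote host has no route back to that address."""
    return not (is_rfc1918(pkt.src) and not is_rfc1918(pkt.dst))


def inbound_smtp(masquerade: bool = True):
    """Client -> PUBLIC_IP:25 is DNATed to the mail server.  Returns (address the
    DNATed packet is delivered to, source the client sees on the reply)."""
    fw = NatBox(masquerade)
    to_mail = fw.translate(Packet(CLIENT_IP, 40000, PUBLIC_IP, 25))
    reply_at_client = fw.translate(to_mail.reply())   # no reverse rule involved
    return to_mail.dst, reply_at_client.src


def outbound_smtp(masquerade: bool):
    """Mail server -> remote MX.  Returns (source address on the wire,
    whether the remote's reply reaches the mail server)."""
    fw = NatBox(masquerade)
    on_wire = fw.translate(Packet(MAIL_IP, 50000, REMOTE_MX, 25))
    if not internet_delivers(on_wire):
        return on_wire.src, False        # remote never answers: "Timeout contacting ..."
    back = fw.translate(on_wire.reply())
    return on_wire.src, back.dst == MAIL_IP


if __name__ == "__main__":
    print("inbound: delivered to %s, client sees reply from %s" % inbound_smtp())
    for masq in (False, True):
        src, ok = outbound_smtp(masq)
        print("outbound, masquerade=%s: source on wire %s, reply reaches server: %s" % (masq, src, ok))
```

The inbound run returns the reply with the public address restored although the model contains no SNAT rule for that direction; the outbound run without masquerade leaves with the private source and the reply never arrives, which is the failure mode that shows up as a timeout on the mail server rather than as a dropped packet in the firewall log.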
Hello

Just a little thing. Don't know if this solves your problem (think not).

Reject port 113 (auth). Don't do deny or something, but reject... The pop3 client won't wait for auth then...

Rolf

Ray Leach wrote:
Hi
These are the rules I have to get mail to work (or not work) ...
# Masquerade internal networks
$IPTABLES -t nat -A POSTROUTING -o $IFACE_INT -s $NET_INT -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $IFACE_DMZ -s $NET_DMZ -j MASQUERADE

#### allow smtp and pop3
# allow internet pop3 to mail server - reverse masq $IP_INET_MAIL:110 to $IP_INT_MAIL:110
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp -d $IP_INET_MAIL --dport 110 -j DNAT --to-destination $IP_INT_MAIL
$IPTABLES -A FORWARD -i $IFACE_INT -p tcp --dport 110 -d $NET_DMZ -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_DMZ -p tcp --sport 110 -d $NET_INT -j ACCEPT
$IPTABLES -A INPUT -i $IFACE_DMZ -p tcp --dport 113 -d $IP_INET -j ACCEPT
$IPTABLES -A OUTPUT -o $IFACE_DMZ -p tcp --sport 113 -d $IP_INT_MAIL -j ACCEPT

# allow internet smtp to mail server - reverse masq $IP_INET_MAIL:25 to $IP_INT_MAIL:25
$IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp -d $IP_INET_MAIL --dport 25 -j DNAT --to-destination $IP_INT_MAIL
$IPTABLES -A FORWARD -i $IFACE_INT -p tcp --dport 25 -d $NET_DMZ -j ACCEPT
$IPTABLES -A FORWARD -i $IFACE_DMZ -p tcp --dport 25 -j ACCEPT
This is the problem:
Mail gets delivered to the mail server from the client. The client is configured to send mail to $IP_INET_MAIL. So this means that the reverse masq (DNAT) is working.
The mail server (on $IP_INT_MAIL) tries to contact another mail server (mail.knowledgefactory.co.za) and times out with an entry in the mail log file in /var/log/mail saying "Timeout contacting mail.knowledgefactory.co.za."
There are no dropped packets on the firewall.
My firewall script also contains these rules to log any packets that reach the end of the chain:
# drop MS broadcasts
$IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 137 -d $BCAST_INT -j DROP
$IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 138 -d $BCAST_INT -j DROP
$IPTABLES -A INPUT -p udp -s 0.0.0.0/32 -j DROP
$IPTABLES -A INPUT -p udp -d 255.255.255.255/32 -j DROP

# log any packets that reach the end
$IPTABLES -A INPUT -i $IFACE_INT -j LOG --log-prefix "DROP INPUT INTERNAL: "
$IPTABLES -A FORWARD -i $IFACE_INT -j LOG --log-prefix "DROP FORWARD INTERNAL: "
$IPTABLES -A OUTPUT -o $IFACE_INT -j LOG --log-prefix "DROP OUTPUT INTERNAL: "
$IPTABLES -A INPUT -i $IFACE_DMZ -j LOG --log-prefix "DROP INPUT DMZ: "
$IPTABLES -A FORWARD -i $IFACE_DMZ -j LOG --log-prefix "DROP FORWARD DMZ: "
$IPTABLES -A OUTPUT -o $IFACE_DMZ -j LOG --log-prefix "DROP OUTPUT DMZ: "
$IPTABLES -A INPUT -i $IFACE_INET -j LOG --log-prefix "DROP INPUT INET: "
$IPTABLES -A FORWARD -i $IFACE_INET -j LOG --log-prefix "DROP FORWARD INET: "
$IPTABLES -A OUTPUT -o $IFACE_INET -j LOG --log-prefix "DROP OUTPUT INET: "
Any ideas?
I don't want to setup pop3 and smtp proxies on my firewall ...
Ray
Sven Michels wrote:
Sven Michels wrote:
Ray Leach wrote:
Hi
What would be the reverse of this rule?
Sven Michels wrote:
Ray Leach wrote:
Hi
Is it possible to reverse masq just one IP in a subnet?
I have a mail server on a private subnet and I want to reverse masq just the IP of the mail server.
Like that:

iptables -A PREROUTING -t nat -p tcp --dport 25 -i $WORLD_DEV -j DNAT --to $MAILSERVERIP
iptables -A POSTROUTING -t nat -p tcp --sport 25 -o $DMZ_NET -j SNAT --to-source $WORLD_IP
You don't need a reverse rule. The server needs to have its default gw set to the machine where you used iptables. It rewrites only the destination in the packet; the source stays the same.
I was wrong ;) You need a masq rule... normal masquerading like for other connections (if you don't masq all traffic which is leaving your wall thru $WORLD_DEV).
participants (3): Ray Leach, Rolf Klemenz, Sven Michels