Chris Low wrote:
Apologies for the typo in my previous messages. My two problems haven't gone away--1) Exchange server is not receiving internet email and 2) workstations cannot browse the web. I'm thinking my first problem is related to Doug's problem under the recent headers: Dachstein Port Forwarding, but since I'm not a trained Exchange Sysadmin like he is I'm in need of more specific how-to help. Here's the current setup:

T-1 line in
|
|
ISP's router (external IP: 208.57.96.254; internal IP: 192.168.1.1)
|
|
Firewall (external IP: 192.168.1.2; internal IP: 10.10.10.254)
|
|
Exchange Server (IP: 10.10.10.200, Gateway: 10.10.10.254)

The portfw module is loaded.

I made the following changes to network.conf:

# TCP services open to outside world
# Space separated list: srcip/mask_dstport
#EXTERN_TCP_PORTS="216.171.153.128/25_ssh 0/0_www 0/0_1023"
EXTERN_TCP_PORTS="192.168.1.2_25"
This is a big problem. In the context above, the IP address represents the source IPs allowed to connect, which you have limited to the IP of your external interface. Replace the above with:

EXTERN_TCP_PORTS="0/0_25"

to allow anyone on the internet to send you e-mail, and you'll probably have a lot better luck.

and

# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
# <protocol>_<local-ip>_<local-port>_<remote-ip>_<remote-port>
#INTERN_SERVERS="tcp_${EXTERN_IP}_ftp_192.168.1.1_ftp tcp_${EXTERN_IP}_smtp_192.168.1.1_smtp"
INTERN_SERVERS="tcp_192.168.1.2_smtp_10.10.10.200_smtp"
This looks OK.

and

CONFIG_DNS=YES

and

DOMAINS="private.network"

#DNS0=127.0.0.1
DNS0=208.57.0.10
DNS1=208.57.0.11

Output of netstat -nr:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
Looks good.

Output of ipchains -nvL:
Chain input (policy DENY: 0 packets, 0 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
<snip>
0 0 ACCEPT tcp ------ 0xFF 0x00 eth0 192.168.1.2 0.0.0.0/0 * -> 25
Here's the rule allowing only your external IP to connect to the smtp port. Not surprisingly, no packets matched this rule.

<snip>

0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
This is the last of the input rules for the external interface. Attempted connections to the smtp port should be hitting this rule and getting denied (and logged). The fact that there are no packets that match this rule at all means you have not blocked any packets with the default deny...either the box was on a very short amount of time, or you're on a really quiet IP range and don't have any friends (or haven't updated your MX records yet :)

<snip>

Here's something else fun to work on while we're at it: I tried putting other machines behind the firewall today since the office was empty (office retreat, except for me!) and only the NT box, and the Exchange server (Running Windows 2000 server) can browse the web. Our windows 98se, windows me, and windows 95 computers can't. They log into the server fine, get an ip address fine, just no web. They can ping the firewall (both interfaces) and the ISP's router (also both interfaces) but when I ping something like www.yahoo.com it comes back with "unknown host". Any ideas on this one?
This is almost surely a DNS problem. When your hosts got their DHCP assignments from the ISP's router, they received in them the IP addresses of the DNS servers they are supposed to use. Unless you added that information to the LEAF router's dhcpd config file, it is not providing the DNS settings. Fix this and the particular problem you are describing here will go away.
My DHCPD config file reads:

dynamic-bootp-lease-length 604800;
max-lease-time 1209600;

subnet 10.10.10.0 netmask 255.255.255.0 {
     option routers 10.10.10.254;
     option domain-name "esimail.org";
     option domain-name-servers 208.57.0.10;
     range 10.10.10.1 10.10.10.199;
}

Should I change or add something else?
This looks OK, assuming 208.57.0.10 is your ISP's DNS server. The domain-name-servers option should be 10.10.10.254 if you want to use DNSCache. Note that you are only providing one DNS server to your dhcp clients, while in the network.conf settings above you have a primary and secondary entry. If the 208.57.0.10 machine is not working properly, your firewall (and any other systems with both DNS IPs) will automatically use the other system, while machines configured via dhcp will simply fail.

This is almost certainly a DNS problem as indicated by others. If you're running DNSCache on the firewall, make sure you have properly configured it to allow access from your changed internal network address space. If you're using your ISP's DNS server(s), make sure you properly updated the name-servers option in /etc/dhcpd.conf.
DNSCache is setup with the following:

LRP box internal IP: 10.10.10.254

Querying hosts' IPs:
192.168
127.0.0.1
10.10
It doesn't look like you're using DNSCache, at least you haven't configured DHCP hosts or the firewall to use it, so the setup probably doesn't matter.

I suspect, however, the difference between the working and non-working systems on your internal network relates to DNS. Run "ipconfig /all" on your internal systems, and compare the DNS settings. Once you figure out which settings work, and which are broken, we can begin to determine why, and fix the problem.

--
Charles Steinkuehler
[EMAIL PROTECTED]
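Charles's point that the address in an EXTERN_TCP_PORTS tuple is the permitted source, not the destination, can be turned into an automated check. The following is an added example, not LEAF/Dachstein code: it parses network.conf-style EXTERN_TCP_PORTS and INTERN_SERVERS tuples and flags a forwarded port that is only open to the firewall's own external IP, or not opened at all, plus a stray '$' left in a tuple (easy to introduce when copying the ${EXTERN_IP} example). The configuration fragments are constructed for the example and the SERVICES name table is an assumption.

```python
"""Lint LEAF/Dachstein network.conf port forwards (added example, not LEAF's own code).
Flags a forwarded port reachable only from the firewall's external IP and stray '$' in tuples."""
import ipaddress
import re

# Service names that may appear in tuples (assumed set); numeric ports are accepted as-is.
SERVICES = {"smtp": 25, "www": 80, "ssh": 22, "ftp": 21}
# Constructed fragments: a broken configuration (source limited to the external IP,
# stray '$' in the forward tuple) and the corrected version.
POSTED_CONF = ('EXTERN_IP="192.168.1.2"\nEXTERN_TCP_PORTS="192.168.1.2_25"\n'
               'INTERN_SERVERS="tcp_$192.168.1.2_smtp_10.10.10.200_smtp"\n')
FIXED_CONF = ('EXTERN_IP="192.168.1.2"\nEXTERN_TCP_PORTS="0/0_25"\n'
              'INTERN_SERVERS="tcp_${EXTERN_IP}_smtp_10.10.10.200_smtp"\n')

def parse_conf(text):
    """Return VAR -> value for simple VAR="value" lines, skipping comments."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)="?([^"]*)"?\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def to_network(src):
    """LEAF writes 'any source' as 0/0; a bare address means that single host."""
    return ipaddress.ip_network("0.0.0.0/0" if src == "0/0" else src, strict=False)

def lint(text):
    conf = parse_conf(text)
    extern_ip = conf.get("EXTERN_IP", "")
    allowed = {}  # destination port -> source networks permitted to reach it
    for tup in conf.get("EXTERN_TCP_PORTS", "").split():
        src, port = tup.rsplit("_", 1)
        allowed.setdefault(SERVICES.get(port) or int(port), []).append(to_network(src))
    findings = []
    for tup in conf.get("INTERN_SERVERS", "").split():
        # Expand ${VAR} as the shell would; any '$' left over is a typo in the tuple.
        tup = re.sub(r"\$\{(\w+)\}", lambda m: conf.get(m.group(1), ""), tup)
        if "$" in tup:
            findings.append(f"unexpanded '$' in INTERN_SERVERS tuple {tup!r}")
            tup = tup.replace("$", "")
        proto, _local_ip, local_port, remote_ip, _remote_port = tup.split("_")
        if proto != "tcp":
            continue
        port = SERVICES.get(local_port) or int(local_port)
        nets = allowed.get(port, [])
        if not nets:
            findings.append(f"tcp/{port} forwarded to {remote_ip} is not opened in EXTERN_TCP_PORTS")
        elif all(n.num_addresses == 1 and str(n.network_address) == extern_ip for n in nets):
            findings.append(f"tcp/{port} is open only to {extern_ip}, the firewall's own external IP")
    return findings
```

Running lint() over the first fragment reports both problems; the corrected fragment produces no findings.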