Lex Jonkers wrote:
> Hi,
> 
> I'm trying to get transparent smtp to an internal smtp server (not running
> on the firewall) working with 4.0 (debian lenny). But can't get it to work
> the way I want. I had it working with my old iptables script with the
> following rules:
> #iptables -A FORWARD -p tcp -d 192.168.x.21 --dport 25 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT
> #iptables -t nat -A PREROUTING -i ! eth1 -p tcp -s ! 192.168.x.21 -d 0/0
> --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to
> 192.168.x.21:25

I find it hard to believe you when you say that those rules worked.
Here's why...

Let's say that 192.168.x.44 attempts to connect to TCP port 25 on
206.124.146.177. Your rules would rewrite the destination IP address to
192.168.x.21 and forward the connection back out of eth1. Server
192.168.x.21 would receive the SYN packet and respond with a SYN,ACK to
192.168.x.44. When 192.168.x.44 received that response it would simply
discard the packet because the source IP address in the response is
192.168.x.21, not 206.124.146.177.

> 
> 
> I tried the squid trick using providers/tcrules but when trying to connect
> from a client I get: No route to host

Did you also configure a REDIRECT rule on 192.168.x.44?

> 
> providers:
> smtptest        1        202        -                eth0               
> 192.168.x.21        loose
> 
> tcrules:
> 202:P        eth0:!192.168.x.21        0.0.0.0/0        tcp        25
> 
> interfaces:
> loc        eth0                detect                routeback
> 
> client connection:
> telnet x.x.x.x 25
> Trying x.x.x.x...
> telnet: Unable to connect to remote host: No route to host

I notice that you are using eth0 in that configuration whereas your
original rules were redirecting back out of eth1. Did your IP
configuration change?

> 
> 
> Also I tried the FAQ 2 trick. That does work however the smtp server logs
> the connections as coming from the firewall. For logging purposes I want
> the real client ip logged.

That is a documented side effect of that silly hack.

> 
> masq:
> eth0:192.168.x.21        eth0                        192.168.x.1       
> tcp        smtp
> 
> rules:
> DNAT            loc:!192.168.x.21      loc:192.168.x.21:25            tcp
>    smtp
> 
> 
> I then tried with only the rule in the rules file
> 
> This does seem to get the connection to the right server as seen by ippl.
> But no real connection is established.
> Telnet keeps trying and ippl keeps logging connection attempts.

That rules file entry generates essentially the same two iptables rules
that you claim worked! And they don't work for exactly the reason that I
described above.

> 
> I tried playing around with SAME: and nodst: in the address column in the
> masq file, but can't seem to get the syntax right. I noticed newer
> shorewall versions support the use of NONAT in that column. I guess that's
> what i need.
> Do I have to upgrade to a newer version of shorewall or am I doing it all
> wrong?

I know of no way to do what you want except to use the squid trick,
including the REDIRECT rule on the SMTP server.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
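The asymmetric return path described in the reply above, modelled as an added example (this code is not from the thread, Shorewall, or its author). It walks one SMTP connection through two firewall configurations: plain hairpin DNAT, and DNAT combined with masquerading the client to the firewall's LAN address (the "FAQ 2" approach). The 192.168.0.x addresses are constructed stand-ins for the thread's 192.168.x.x hosts; the public address 206.124.146.177 is the one used in the reply. The `Firewall` and `route` helpers are a simplified model of connection tracking and on-link delivery, not real netfilter code.

```python
from dataclasses import dataclass, replace

# Constructed addresses standing in for the thread's 192.168.x.* hosts.
LAN_PREFIX = "192.168.0."
CLIENT = "192.168.0.44"       # LAN host opening the SMTP connection
SERVER = "192.168.0.21"       # internal SMTP server on the same LAN segment
FW_LAN = "192.168.0.1"        # firewall's LAN-side address (masq target)
FW_WAN = "206.124.146.177"    # public address the client actually connects to
SMTP = 25


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int
    flag: str  # "SYN" or "SYN-ACK"


def on_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Firewall:
    """Minimal conntrack model: DNAT new SMTP flows to SERVER, optionally SNAT
    them to FW_LAN, and undo both translations on the reply direction."""

    def __init__(self, snat_to_fw: bool):
        self.snat_to_fw = snat_to_fw
        # expected reply tuple -> original (src, sport, dst, dport) tuple
        self.table = {}

    def forward(self, p: Pkt) -> Pkt:
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.table:
            # Reply direction: restore the addresses the client originally used.
            osrc, osport, odst, odport = self.table[key]
            return replace(p, src=odst, sport=odport, dst=osrc, dport=osport)
        if p.dport == SMTP and p.src != SERVER:
            # New flow: DNAT to the internal server (PREROUTING), masq if enabled.
            new_src = FW_LAN if self.snat_to_fw else p.src
            self.table[(SERVER, SMTP, new_src, p.sport)] = key
            return replace(p, dst=SERVER, src=new_src)
        return p


def route(p: Pkt, fw: Firewall) -> Pkt:
    """One hop: a LAN host delivers on-link traffic directly (ARP, no gateway);
    anything else goes through the firewall, which may rewrite the packet."""
    if on_lan(p.dst) and p.dst != FW_LAN:
        return p  # firewall never sees this packet
    return fw.forward(p)


def simulate(snat_to_fw: bool) -> dict:
    """Run SYN / SYN-ACK for one connection and report what each side observes."""
    fw = Firewall(snat_to_fw)
    sport = 40001  # constructed ephemeral port
    syn = route(Pkt(CLIENT, FW_WAN, sport, SMTP, "SYN"), fw)
    server_logged_peer = syn.src  # what the SMTP server's log records
    # Server answers whoever it saw, swapping addresses and ports.
    synack = route(Pkt(syn.dst, syn.src, syn.dport, syn.sport, "SYN-ACK"), fw)
    # The client socket is bound to CLIENT:sport <-> FW_WAN:25 and discards
    # any reply that does not match that 4-tuple.
    accepted = (synack.src, synack.sport, synack.dst, synack.dport) == (
        FW_WAN, SMTP, CLIENT, sport)
    return {
        "server_logged_peer": server_logged_peer,
        "synack_src": synack.src,
        "client_accepts_synack": accepted,
    }


if __name__ == "__main__":
    print("hairpin DNAT only:     ", simulate(snat_to_fw=False))
    print("DNAT + masq to FW_LAN: ", simulate(snat_to_fw=True))
```

With DNAT alone the server's SYN-ACK is delivered on-link with source 192.168.0.21, the client's socket rejects it, and the connection never completes; with the masquerade added the reply passes back through the firewall and is restored, but the server logs the firewall's address as the peer, which is the side effect the thread complains about.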


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users