Sunday, February 15, 2009

Re: Forward the smtp packages to another IP on another debian box.

Hi Patrik

I'm not sure why you have 2 gateways at your local site; why can't you
have one router that handles both connections?

$IPT -t nat -A POSTROUTING -p tcp -d 0/0 --sport $SMTPPORT -j SNAT --to $DEBBY_LAN:$SMTPPORT

Basically, how NAT works is:
a > nat > b
When a talks to b through NAT, the NAT box changes the source address
from a to itself; then b responds to the NAT box, and the NAT box remembers
this connection and forwards it on to a.

I'm not sure what you are trying to do with that config, but I think you
want it so that when a packet comes in, it changes the source address to the
2nd gateway, which then would send it out on the 2nd gateway.

This will not work. To achieve what you want, you will need your main
router (the one that is the workstations' default gateway) to have
multiple routing tables and use routing rules to send SMTP traffic out
the 2nd connection.


Patrik Hasibuan wrote:
> Dear friends,
>
> I am now building 2 internet gateways.
>
> I distribute the workload based on the port number. For the first step, I do this:
> - POP3 will go outgoing and incoming through gateway1, whose IPs are 192.168.23.9 (internal interface) and 202.155.0.179 (external interface);
> - SMTP will go outgoing and incoming through gateway2, whose IPs are 192.168.23.2 (internal interface) and 202.155.0.180 (external interface).
>
> The default gateway defined on the workstations is "192.168.23.9".
>
> The POP3 and SMTP servers are provided by my web hosting (yahoo.com). They are 'pop.bizmail.yahoo.com' and 'smtp.bizmail.yahoo.com'.
>
> But it does not work as I expect. I have tested on '192.168.23.2' by sending an email from that debby box and it succeeded.
>
> Where are my mistakes?
>
> Thank you very much in advance.
>
> This is my script.
>
> #!/bin/bash
> ###############################################################
> # Adding default gateway
> #/sbin/route add default gateway 202.155.0.177
>
> ###############################################################
> # Initialize some parameter
> INET_INTERFACE="eth0"
> LAN_INTERFACE="eth1"
> LOOPBACK_INTERFACE="lo"
>
> IPT="/usr/sbin/iptables"
> INET_ADDR="202.155.0.179"
> DEBBY_LAN="192.168.23.2"
> LAN_ADDR="192.168.23.9"
> LAN_ADDRESSES="192.168.23.0/24" # LAN Addresses range
> LAN_DNS="192.168.23.9" # Please specify your DNS server in LAN
>
> POP3PORT="110"
> SMTPPORT="25"
> DNSPORT="53"
> UNPRIVPORTS="1024:65535" # unprivileged port range
>
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
> echo 0 > $f
> done
>
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
> echo 0 > $f
> done
>
> for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
> echo 0 > $f
> done
>
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 1 > $f
> done
>
> for f in /proc/sys/net/ipv4/conf/*/log_martians; do
> echo 0 > $f
> done
>
> $IPT --flush
> $IPT -t nat --flush
> $IPT -t mangle --flush
> $IPT -X
> $IPT -t nat -X
> $IPT -t mangle -X
> $IPT --policy INPUT ACCEPT
> $IPT --policy OUTPUT ACCEPT
> $IPT --policy FORWARD ACCEPT
> $IPT -t nat --policy PREROUTING ACCEPT
> $IPT -t nat --policy OUTPUT ACCEPT
> $IPT -t nat --policy POSTROUTING ACCEPT
> $IPT -t mangle --policy PREROUTING ACCEPT
> $IPT -t mangle --policy OUTPUT ACCEPT
> if [ "$1" = "stop" ]; then
> echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING."
> exit
> fi
>
> $IPT -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
> $IPT -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
>
> $IPT --policy INPUT DROP
> $IPT --policy OUTPUT DROP
> $IPT --policy FORWARD DROP
>
> $IPT -t nat -A POSTROUTING -p tcp -d 0/0 --sport $SMTPPORT -j SNAT --to $DEBBY_LAN:$SMTPPORT
>
> $IPT -t nat -A POSTROUTING -p tcp -o $INET_INTERFACE -j SNAT --to-source $INET_ADDR
> $IPT -t nat -A POSTROUTING -p udp -o $INET_INTERFACE -j SNAT --to-source $INET_ADDR
>
> $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> $IPT -A INPUT -i $LAN_INTERFACE -s $LAN_ADDRESSES -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
> $IPT -A INPUT -i $INET_INTERFACE -s 0/0 -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
>
> $IPT -A OUTPUT -o $LAN_INTERFACE -d $LAN_ADDRESSES -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $INET_INTERFACE -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT
>
> $IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
> $IPT -A INPUT -i $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
> $IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT
>
> $IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
> $IPT -A INPUT -i $INET_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
> $IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT
>
> $IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT
>
> $IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $INET_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT
>
> $IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $DNSPORT -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -p udp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $DNSPORT -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $POP3PORT -m state --state NEW -j ACCEPT
>
> $IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $DNSPORT -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -p udp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $DNSPORT -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $POP3PORT -m state --state NEW -j ACCEPT
>


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
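The reply above makes two points: SNAT in POSTROUTING cannot steer a packet to a different uplink because it runs after the routing decision, and the fix is a second routing table plus a routing rule on the main gateway. The following script, added here as an illustration and not part of either message in the thread, shows that approach with iptables fwmark and `ip rule`/`ip route`. The LAN range 192.168.23.0/24 and the second public address 202.155.0.180 are taken from the thread; the interface name eth2, the next hop 203.0.113.1, and the mark/table numbers are assumptions made for this example and would need to be replaced with the real values.

```shell
#!/bin/bash
# Added example (not from the thread): policy routing on the main gateway so
# that outbound SMTP from the LAN leaves via the second uplink while all other
# traffic keeps using the default uplink. Addresses 192.168.23.0/24 and
# 202.155.0.180 are from the thread; eth2, the next hop 203.0.113.1 and the
# table/mark numbers are assumptions made for this example.

IPT=/usr/sbin/iptables
IP=/sbin/ip
LAN_INTERFACE=eth1
INET2_INTERFACE=eth2            # assumed: second uplink on the main gateway
INET2_ADDR=202.155.0.180        # second public address (from the thread)
INET2_GW=203.0.113.1            # PLACEHOLDER: ISP next hop on the second uplink
LAN_ADDRESSES=192.168.23.0/24
SMTPPORT=25
SMTP_MARK=0x19                  # arbitrary fwmark for SMTP flows
SMTP_TABLE=100                  # arbitrary routing table id

# Print instead of executing when DRY_RUN=1, so the rule set can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_smtp_policy_routing() {
    # 1. Tag LAN->anywhere tcp/25 packets before the routing decision
    #    (mangle/PREROUTING); this is what lets the route be chosen per flow.
    run "$IPT" -t mangle -A PREROUTING -i "$LAN_INTERFACE" -s "$LAN_ADDRESSES" \
        -p tcp --dport "$SMTPPORT" -j MARK --set-mark "$SMTP_MARK"
    # 2. A second routing table whose only default route points at uplink 2.
    run "$IP" route replace default via "$INET2_GW" dev "$INET2_INTERFACE" table "$SMTP_TABLE"
    # 3. Routing rules: tagged packets, and anything sourced from the second
    #    public address, consult that table before the main table.
    run "$IP" rule add fwmark "$SMTP_MARK" table "$SMTP_TABLE" priority 1000
    run "$IP" rule add from "$INET2_ADDR" table "$SMTP_TABLE" priority 1001
    # 4. Rewrite the source to uplink 2's address so the reply comes back on
    #    that link; conntrack undoes the rewrite for the return packets.
    run "$IPT" -t nat -A POSTROUTING -o "$INET2_INTERFACE" -j SNAT --to-source "$INET2_ADDR"
    # 5. Permit the forwarded flow (the thread's script sets FORWARD policy DROP).
    run "$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$INET2_INTERFACE" -p tcp \
        --dport "$SMTPPORT" -m state --state NEW -j ACCEPT
    # 6. Strict reverse-path filtering would drop replies arriving on uplink 2
    #    because the main table routes their source via uplink 1; relax it there.
    run sh -c "echo 0 > /proc/sys/net/ipv4/conf/$INET2_INTERFACE/rp_filter"
}

# Usage: "show" prints the commands; "apply" runs them (root required).
case "${1:-}" in
    show)  DRY_RUN=1 setup_smtp_policy_routing ;;
    apply) setup_smtp_policy_routing ;;
esac
```

Run it with `show` first to inspect the exact commands. Note that `ip rule add` is not idempotent: re-running `apply` appends duplicate rules, so a production script should delete the existing rules (or flush the table) before adding them. The marking has to happen in mangle/PREROUTING, not in nat/POSTROUTING, precisely because routing has already been decided by the time POSTROUTING runs; that is the reason the original `--sport $SMTPPORT` SNAT rule cannot redirect traffic to the other gateway.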
