Addressing problem with NATted DMZ

August 29, 2005 1:59:28 PM

Archived from groups: uk.comp.os.linux,comp.security.firewalls

Hi, I'm hoping someone else has seen this before...

I've got two machines, call them bar.foo.com and baz.foo.com. Both boxes
run Debian stable, and the MTA on both is Sendmail. One is a primary
mail server and the other is a secondary mail server for many of the
same domains. These machines have real world addresses, call them
22.22.22.22 and 22.22.22.23, but since we've instituted IPCop as our
firewall and used NAT, the machines don't really have these addresses
any more, they're now really 192.168.1.22 and 192.168.1.23. They're on
the same subnet and can talk to one another easily by address.

I've set them up in each other's /etc/hosts files so that from bar I can
ping baz.foo.com and from baz I can ping bar.foo.com and that just
works. But when they try to transfer mail to each other the connection
times out, and when from the command line on bar I try

telnet baz.foo.com 25

it times out, although if I try

telnet 192.168.1.23

it works perfectly.

The IPCop is set up to allow traffic on port 25 both outbound and inbound
to the two boxes, and each of the boxes has the IPCop box set up as
its default gateway, so I don't understand why the SMTP traffic
doesn't just get routed out to the IPCop box and back in again, but it
doesn't: if I try

telnet 22.22.22.23 25

that doesn't get through either.

But the other thing I don't understand is why Sendmail (and telnet) are
preferring addresses they're getting from DNS to addresses they're
getting from the hosts file, while ping is preferring addresses from the
hosts file.

So, please, can anyone suggest either

(i) a means of configuring IPCop so that it will pass this traffic;

or

(ii) a means of configuring the boxes so that sendmail uses the DMZ
addresses to talk to each other rather than the real world ones;

or

(iii) a popular, reliable and reasonably well supported open source
firewall which can bind multiple addresses to a single NIC (so Linux
2.4 or 2.6 and iptables, rather than 2.2 and ipchains) and which does
not insist on NATting everything.

--
simon@jasmine.org.uk (Simon Brooke) http://www.jasmine.org.uk/~simon/
;; "If I were a Microsoft Public Relations person, I would probably
;; be sobbing on a desk right now" -- Rob Miller, editor, /.
August 29, 2005 1:59:29 PM


> (ii) a means of configuring the boxes so that sendmail uses the DMZ
> addresses to talk to each other rather than the real world ones;

This is what I'd do. You can achieve this by setting up different views
in BIND. In this way, you can have one view of your world from the
outside, and a completely different view for machines within the NAT
area.

> (iii) a popular, reliable and reasonably well supported open source
> firewall which can bind multiple addresses to a single NIC (so Linux
> 2.4 or 2.6 and iptables, rather than 2.2 and ipchains) and which does
> not insist on NATting everything.

You don't need a firewall to bind multiple addresses to a NIC - you use
IP aliasing.

So, for example, if your eth0 is currently on 1.2.3.4, you could execute

ifconfig eth0:0 5.6.7.8

and that ethernet interface will now respond to both 1.2.3.4 and
5.6.7.8.

Natty, huh?

Vic.

--
Posted via Mailgate.ORG Server - http://www.Mailgate.ORG
August 29, 2005 4:30:41 PM


in message <f3a316a45c11a2e0e9c0337ae584af70.60200@mygate.mailgate.org>,
Vic ('vic@innocent.com') wrote:

>> (ii) a means of configuring the boxes so that sendmail uses the DMZ
>> addresses to talk to each other rather than the real world ones;
>
> This is what I'd do. You can achieve this by setting up different views
> in BIND. In this way, you can have one view of your world from the
> outside, and a completely different view for machines within the NAT
> area.

OK, that sounds useful. Can you point me to some documentation on how to
do this? In particular does this work with bind 9?

>> (iii) a popular, reliable and reasonably well supported open source
>> firewall which can bind multiple addresses to a single NIC (so Linux
>> 2.4 or 2.6 and iptables, rather than 2.2 and ipchains) and which does
>> not insist on NATting everything.
>
> You don't need a firewall to bind multiple addresses to a NIC - you use
> IP aliasing.
>
> So, for example, if your eth0 is currently on 1.2.3.4, you could
> execute
>
> ifconfig eth0:0 5.6.7.8
>
> and that ethernet interface will now respond to both 1.2.3.4 and
> 5.6.7.8.

Yup, I know this, but only on 2.4 and above kernels. My old home-brewed
firewall was built on a 2.2 box and ipchains, and could not do this,
which is why it has had to be replaced.

--
simon@jasmine.org.uk (Simon Brooke) http://www.jasmine.org.uk/~simon/

For office use only. Please do not write or type below this line.
August 29, 2005 4:40:32 PM


> > This is what I'd do. You can achieve this by setting up different views
> > in BIND. In this way, you can have one view of your world from the
> > outside, and a completely different view for machines within the NAT
> > area.
>
> OK, that sounds useful. Can you point me to some documentation on how to
> do this? In particular does this work with bind 9?

Works fine with bind 9.

http://sysadmin.oreilly.com/news/views_0501.html seems to give quite a
good overview. Look especially at the definition of "internal" and
"external" (i.e. using the predefined "localnets").

HTH

Vic.

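As an added illustration of the split-horizon setup Vic describes in both of his replies (this is not configuration from the thread or from the linked article), here is a minimal BIND 9 named.conf with an "internal" view for the NATted hosts and an "external" view for everyone else. The ACL name, the foo.com zone, the 192.168.1.0/24 range and the zone file paths are assumptions for the example.

```conf
// Added example, not from the original thread.
// Assumes BIND 9, authoritative for foo.com, zone files under /etc/bind/ (placeholder paths).

// "localnets" only matches networks directly attached to the nameserver itself.
// If this server does not sit on the DMZ segment, the explicit prefix below is what
// actually catches bar and baz; keep both so the view works in either placement.
acl "dmz" {
    localnets;
    192.168.1.0/24;
};

// Queries from the DMZ get the private addresses, so sendmail on bar resolves
// baz.foo.com to 192.168.1.23 and never tries to hairpin through the NAT box.
view "internal" {
    match-clients { "dmz"; };
    recursion yes;
    zone "foo.com" {
        type master;
        // Internal zone file must carry the same MX records as the external one,
        // with A records: bar.foo.com -> 192.168.1.22, baz.foo.com -> 192.168.1.23
        file "/etc/bind/db.foo.com.internal";
    };
};

// Everyone else (the Internet side of IPCop) sees the public addresses.
view "external" {
    match-clients { any; };
    recursion no;   // do not act as an open resolver for the outside world
    zone "foo.com" {
        type master;
        // External zone file: bar.foo.com -> 22.22.22.22, baz.foo.com -> 22.22.22.23
        file "/etc/bind/db.foo.com.external";
    };
};
```

Once views are in use, every zone (including the root hints) has to live inside a view; after `named-checkconf` passes, `dig @nameserver baz.foo.com` from bar and from an outside host is the quickest way to confirm each side gets the address it should.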