[Firehol-support] smtp and gre tunnels
Rick Marshall
rjm at zenucom.com
Sat Apr 23 00:07:01 BST 2005
Now that I've put firehol in, instead of firestarter, I have a new
problem (although most things work better).
Our servers have several tunnels to remote offices. We used to be able
to run sendmail over the tunnels to act as the mail server for our users.
This is particularly important as there is more than one sendmail server
on the network and they are used as a message switch between servers.
What we find is that small messages (one packet I think) get through,
but longer messages don't. Here's the strange bit: if we take the
mailserver access outside the tunnels (gre) they work fine. It worked
fine when firestarter set up the iptables rules. The smtp exchange works
ok, it's just the data bit that doesn't.
Our voip works ok, so does the video conference, and so does ssh. It's
just sendmail....
Any ideas?
Thanks
rick
firehol.conf:
#
# $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
#
version 5
echo
# Set up GRE tunnels before anything else
# remove old tunnels (ignore errors)
ip link set warehse down
ip tunnel del warehse
ip link set china down
ip tunnel del china
# GRE Setup for warehouse and china
rmmod ip_gre
modprobe ip_gre
# start new tunnels
echo "START WAREHSE"
ip tunnel add warehse mode gre remote 211.27.87.94 local 203.134.124.118 ttl 0
ip link set warehse up
ip addr add 192.168.1.10 dev warehse
ip route add 192.168.3.0/24 dev warehse
echo "START CHINA"
ip tunnel add china mode gre remote 211.148.145.81 local 203.134.124.118 ttl 0
ip link set china up
ip addr add 192.168.1.11 dev china
ip route add 192.168.5.0/24 dev china
# Rest of firehol stuff
# The office address spaces
accounts="192.168.8.0/24"
china="192.168.5.0/24"
office="192.168.1.0/24"
servers="192.168.7.0/24"
telecoms="192.168.6.0/24"
warehse="192.168.3.0/24"
office_ips="${office} ${servers} ${accounts} ${telecoms}"
# Internet
public_ip="203.134.124.118"
# External services
cmail_servers="imap pop3 smtp"
cserver_servers="dns http ssh"
ext_servers="icmp pptp GRE ${cmail_servers} ${cserver_servers}"
int_servers="icmp ssh"
# Source forwarding
snat to "${public_ip}" outface eth0 src "${office_ips}" dst not "${UNROUTABLE_IPS} ${china} ${warehse}"
# Destination forwarding
dnat to 192.168.7.150:22 inface eth0 src not "${UNROUTABLE_IPS}" proto tcp dport 22
dnat to 192.168.7.150:22 inface eth0 src not "${UNROUTABLE_IPS}" proto udp dport 22
dnat to 192.168.7.152:25 inface eth0 src not "${UNROUTABLE_IPS}" proto tcp dport 25
dnat to 192.168.7.152:25 inface eth0 src not "${UNROUTABLE_IPS}" proto udp dport 25
dnat to 192.168.7.152:25 inface eth0 src not "${UNROUTABLE_IPS}" proto tcp dport 5025
dnat to 192.168.7.152:25 inface eth0 src not "${UNROUTABLE_IPS}" proto udp dport 5025
dnat to 192.168.7.150:53 inface eth0 src not "${UNROUTABLE_IPS}" proto tcp dport 53
dnat to 192.168.7.150:53 inface eth0 src not "${UNROUTABLE_IPS}" proto udp dport 53
dnat to 192.168.7.150:80 inface eth0 src not "${UNROUTABLE_IPS}" proto tcp dport 80
dnat to 192.168.7.150:80 inface eth0 src not "${UNROUTABLE_IPS}" proto udp dport 80
dnat to 192.168.7.152:110 inface eth0 src not "${UNROUTABLE_IPS}" proto tcp dport 110
dnat to 192.168.7.152:110 inface eth0 src not "${UNROUTABLE_IPS}" proto udp dport 110
dnat to 192.168.7.152:143 inface eth0 src not "${UNROUTABLE_IPS}" proto tcp dport 143
dnat to 192.168.7.152:143 inface eth0 src not "${UNROUTABLE_IPS}" proto udp dport 143
# Interfaces
interface eth0 internet src not "${UNROUTABLE_IPS}"
    #protection strong 10/sec 10
    policy reject
    server "${ext_servers}" accept
    client all accept
interface eth1 office src "${office} ${accounts}"
    policy accept
    server "${int_servers}" accept
    client all accept
interface eth2 telecoms src "${telecoms}"
    policy accept
    client all accept
interface eth3 servers src "${servers}"
    policy accept
    client all accept
interface china china src "${china}"
    policy accept
    client all accept
interface warehse warehse src "${warehse}"
    policy accept
    client all accept
# Routers
router china2office inface china outface eth1
    route all accept
router china2servers inface china outface eth3
    route all accept
router china2telecoms inface china outface eth2
    route all accept
router internet2servers inface eth0 outface eth3 src not "${UNROUTABLE_IPS}" dst "${servers}"
    server "${cserver_servers}" accept dst 192.168.7.150
    server "${cmail_servers}" accept dst 192.168.7.152
    client all accept
    route ident reject with tcp-reset
router office2china inface eth1 outface china
    route all accept
router office2internet inface eth1 outface eth0
    route all accept
router office2telecoms inface eth1 outface eth2
    route all accept
router office2warehse inface eth1 outface warehse
    route all accept
router servers2china inface eth3 outface china
    route all accept
router servers2internet inface eth3 outface eth0
    route all accept
router servers2warehse inface eth3 outface warehse
    route all accept
router telecoms2china inface eth2 outface china
    route all accept
router telecoms2warehse inface eth2 outface warehse
    route all accept
router warehse2office inface warehse outface eth1
    route all accept
router warehse2servers inface warehse outface eth3
    route all accept
router warehse2telecoms inface warehse outface eth2
    route all accept
# Accounts department
ip route del 192.168.8.0/24
ip route add 192.168.8.0/24 via 192.168.1.154 dev eth1
iptables -A INPUT -p 47 -s 0/0 -j ACCEPT
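The symptom above (one-packet messages pass the GRE tunnels, longer ones stall) is the pattern a practitioner would first test against the path MTU inside the tunnel. The script below is an added example, not from this thread or from FireHOL; it assumes plain IPv4 GRE (24 bytes of encapsulation overhead) over a 1500-byte link and Linux iputils ping, and the helper names are mine.

```shell
#!/bin/sh
# Added example: size arithmetic and a probe for GRE tunnel MTU problems.
# Assumption: plain IPv4 GRE, no GRE key/checksum options, 1500-byte outer link.

GRE_OVERHEAD=24    # outer IPv4 header (20) + minimal GRE header (4)
TCPIP_HEADERS=40   # inner IPv4 header (20) + TCP header (20)
ICMPIP_HEADERS=28  # inner IPv4 header (20) + ICMP echo header (8)

# MTU usable inside the tunnel for a given outer-link MTU
gre_mtu() {
    echo $(( $1 - GRE_OVERHEAD ))
}

# Largest TCP segment that fits in one tunnelled packet without fragmentation
tunnel_mss() {
    echo $(( $(gre_mtu "$1") - TCPIP_HEADERS ))
}

# Largest "ping -s" payload that should still pass the tunnel with DF set
probe_payload() {
    echo $(( $(gre_mtu "$1") - ICMPIP_HEADERS ))
}

# Emit (do not run) the commands that pin each tunnel's MTU and clamp the
# MSS of forwarded SYNs, so hosts never send segments the tunnel cannot carry.
mss_clamp_commands() {
    link_mtu=$1; shift
    mtu=$(gre_mtu "$link_mtu")
    mss=$(tunnel_mss "$link_mtu")
    for dev in "$@"; do
        echo "ip link set dev $dev mtu $mtu"
        echo "iptables -t mangle -A FORWARD -o $dev -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
    done
}

# Diagnostic: a DF-flagged ping at the computed size should succeed; one
# a few bytes larger should fail with "message too long". Not run here.
probe_tunnel() {
    ping -c 3 -M do -s "$(probe_payload "$2")" "$1"
}

# Example run for the two tunnels in the config above (prints commands only)
mss_clamp_commands 1500 warehse china
```

If the probe fails at sizes the plain (non-tunnelled) path accepts, the tunnel is dropping or failing to fragment large packets, which matches SMTP DATA stalling while the short command exchange succeeds.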