[Firehol-support] Firehol port forward to internal system
Tsaousis, Costa
costa at tsaousis.gr
Mon Jan 26 18:52:44 GMT 2015
You need to dnat traffic towards your internet public IP, to your mail server.

Add this at the top of your config:

    dnat to 192.168.252.26 inface eth0 dst 104.236.X.X proto tcp dport 25

With this statement, all traffic to your public IP 104.236.X.X port
tcp/25 will be sent to 192.168.252.26.

The server smtp accept statement at the first interface is not needed.
Apparently you do not run an SMTP server there, hence the connection
refused message.

Costa

On Mon, Jan 26, 2015 at 5:20 PM, Joe Matuscak <matuscak at rohrer.com> wrote:
> I'm trying to forward SMTP traffic from the Internet-facing interface of the
> host I'm running Firehol on to a mail server on the other side of an OpenVPN
> tunnel, like this:
>
> Internet-->Firehol/OpenVPN host-->OpenVPN Tunnel-->Routing host-->Mail server
>
> The hosts are running CentOS 6.6.
> The routing host is at 192.168.252.25.
> The mail server is at 192.168.252.26.
>
> I can send outbound traffic from the mail server to the Internet over the OpenVPN
> tunnel without a problem.
>
> I can connect to the SMTP port on the mail server from the Firehol host, but
> I can't get the access from the Internet working.
>
> Here's my firehol.conf file:
>
> # External interface
> interface4 eth0 external src not "${UNROUTABLE_IPS}" dst 104.236.X.X
>     policy reject
>     protection strong
>
>     server smtp accept
>
>     server ICMP accept
>     server openvpn accept
>     server ssh accept
>     client all accept
>
> # VPN tunnel to DMZ network which is trusted
> interface4 tun0 vpntun
>     policy accept
>     client all accept
>
> # Route from LAN tunnel to external
> router4 Tun2Internet inface tun0 outface eth0 dst not "${UNROUTABLE_IPS}"
>     masquerade
>     route all accept
>
> # Route from Internet to mail server
> router4 Internet2Tun inface eth0 outface tun0
>     server smtp accept dst 192.168.252.26
>
> When I try to connect to the Firehol host external IP port 25, I get
> a connection refused.
>
> What am I missing?
>
> TIA.
>
> --
> Thanks,
>
> Joe Matuscak | Director of Technology
> Rohrer Corporation | Office: 330-335-1541
> 717 Seville Road | Wadsworth, Ohio 44281
> www.rohrer.com | A Better Package
>
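
The two messages above, assembled into one file as an added example (not posted by either participant): the firehol.conf from the question with the dnat line placed at the top and the server smtp accept statement removed from the eth0 interface. Every statement comes from the thread, 104.236.X.X is the masked address exactly as posted, and only the comments and indentation are new.

```conf
# Rewrite the destination before the routing decision, so SMTP arriving on
# eth0 is forwarded into the tunnel instead of being delivered locally.
dnat to 192.168.252.26 inface eth0 dst 104.236.X.X proto tcp dport 25

# External interface: traffic addressed to the firewall host itself
interface4 eth0 external src not "${UNROUTABLE_IPS}" dst 104.236.X.X
    policy reject
    protection strong

    # "server smtp accept" removed here, as the reply says it is not needed
    server ICMP accept
    server openvpn accept
    server ssh accept
    client all accept

# VPN tunnel to DMZ network which is trusted
interface4 tun0 vpntun
    policy accept
    client all accept

# Route from LAN tunnel to external
router4 Tun2Internet inface tun0 outface eth0 dst not "${UNROUTABLE_IPS}"
    masquerade
    route all accept

# Route from Internet to mail server. Forwarded packets are filtered after
# the dnat rewrite, so this router matches on the internal address.
router4 Internet2Tun inface eth0 outface tun0
    server smtp accept dst 192.168.252.26
```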