[Shorewall-users] eth1 to eth1

ian iguy@ionsphere.org
Thu, 4 Apr 2002 14:25:06 -0700


On Thu, Apr 04, 2002 at 05:59:33AM -0800, Tom Eastep wrote:
> Ian,
> 
> On Wed, 3 Apr 2002, ian wrote:
> 
> > I've run into a problem with 1.2.10 and would like to request a more
> > experienced person's advice.  
> > 
> > My setup.. 
> > 
> > I'm using static NAT for my boxes behind the firewall.  
> > 
> > 12.98.39.218 -> 10.10.10.10
> > 12.98.39.219 -> 10.10.10.20
> > 
> > I've got two domain names that are set up here.  
> > Domain1.com - ip 218
> > Domain2.com - ip 219
> > 
> > When I try to send mail from Domain1.com to Domain2.com the firewall
> > stops me with a loc2loc:REJECT log message.
> >
> 
> So you've specified 'Yes' in the "ALL" column in /etc/shorewall/nat -- 
> good.

Correct.


> > So I go into the policy file and set loc loc ACCEPT
> > 
> > That doesn't work so I try making a rule
> > 
> > ACCEPT loc loc tcp smtp
> > 
> > That doesn't work either..
> 
> It is a cardinal rule in Shorewall (and stated in the documentation) that 
> if you have an ACCEPT policy and something doesn't work then adding more 
> ACCEPT rules will NEVER make it work.

Figured, but had to try anyway.  

> > I find a workaround by making a common entry like so:
> > run_iptables -A FORWARD -i eth1 -o eth1 -p tcp --dport 25 -j ACCEPT
> > 
> > Now for obvious reasons this isn't ideal.  I'd like to work with the 
> > Shorewall system for easier usage and maintenance, as I like the setup
> > and how it's done right now.
> > 
> > What I see is the problem/bug/feature is that loc2loc is not used 
> > in either the INPUT, OUTPUT or FORWARD chains.  It should be in 
> > the FORWARD chain though.  Am I correct or did I miss some configuration
> > somewhere?
> >
> 
> It will be if you specify the 'multi' option for eth1 in 
> /etc/shorewall/interfaces.
>  
> And now an editorial note:
> 
> Your setup hints strongly of the problems discussed in FAQs 2 and 2a and
> would be MUCH cleaner if you would use Proxy ARP rather than static NAT.
> In my view, any setup that requires a router to route packets out to the
> same interface that they came in on is just plain broken.  I use static 
> NAT in my own network but I have also implemented views in my DNS 
> configuration so that my domain names resolve to local addresses for local 
> clients and network addresses for network clients. If you would do that 
> then your two local systems could communicate directly without having to 
> involve your firewall. Alternatively, given that there are only two 
> systems to deal with, entries in /etc/hosts would also be a fine solution.

But if your configuration is two independent mail server systems, 
i.e. domain1.com & domain2.com, and you want to run them both behind one
firewall, then they are not allowed to send mail back and forth.

I'm confused.  How will Proxy ARP help versus static NAT?

I will look into doing a DNS like that.  For the time being we are using
the ISP's DNS (quick way to get up and going) versus the time-consuming 
piece of bringing up a dual-view DNS.  I read those FAQs (2 & 2a) but it 
didn't register with me that this was my environment.  

Many Thanks
ian


> 
> -Tom
> -- 
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
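An added example, not code from this thread or from Shorewall, that models the situation Tom describes above: using the addresses and static NAT mappings as posted, and assuming eth0 is the external interface and eth1 the 10.10.10.0/24 interface, it traces a mail connection from the domain1.com host to domain2.com once under the ISP's public DNS and once under a split view (or /etc/hosts), showing which case comes back out eth1 through the firewall (the loc2loc FORWARD case that needs the 'multi' option) and which never touches it.

```python
from ipaddress import ip_address, ip_network

# Addresses and NAT mappings as posted in the thread.
STATIC_NAT = {
    "12.98.39.218": "10.10.10.10",
    "12.98.39.219": "10.10.10.20",
}
# Assumption for this example: eth1 carries the local subnet; anything
# not on a local subnet is treated as reachable via the external eth0.
LOCAL_IFACES = {"eth1": ip_network("10.10.10.0/24")}
EXTERNAL_IFACE = "eth0"

# Two ways the names can resolve: the ISP's public zone, or a local view
# (DNS views or /etc/hosts) handing local clients the internal addresses.
PUBLIC_VIEW = {"domain1.com": "12.98.39.218", "domain2.com": "12.98.39.219"}
LOCAL_VIEW = {"domain1.com": "10.10.10.10", "domain2.com": "10.10.10.20"}


def iface_for(addr):
    """Interface on whose subnet addr sits, or the external interface."""
    a = ip_address(addr)
    for name, net in LOCAL_IFACES.items():
        if a in net:
            return name
    return EXTERNAL_IFACE


def trace(src, dst_name, view):
    """Describe the path of a packet from src to dst_name under a DNS view."""
    dst = view[dst_name]
    src_if = iface_for(src)
    # Same subnet: the two hosts talk directly; the firewall never sees it.
    if iface_for(dst) == src_if:
        return {"via_firewall": False, "hairpin": False, "final_dst": dst}
    # Otherwise the packet goes to the firewall, where static NAT (ALL=Yes)
    # rewrites the public address to the internal host before FORWARD.
    final = STATIC_NAT.get(dst, dst)
    out_if = iface_for(final)
    # Entering and leaving on the same interface is the loc2loc case.
    return {"via_firewall": True, "hairpin": out_if == src_if,
            "final_dst": final}


if __name__ == "__main__":
    print("public DNS:", trace("10.10.10.10", "domain2.com", PUBLIC_VIEW))
    print("split view:", trace("10.10.10.10", "domain2.com", LOCAL_VIEW))
```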