LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-09-2003, 09:31 PM   #1
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
Mail through Firewall/Proxy Problems


I have a problem with what appears to be the mail server being unable to resolve DNS through the Firewall/Proxy I built.

In a nutshell.. I have built a firewall/proxy box to protect the network and everything SEEMS to be working fine... I can browse the net etc. from client machines...

First things first, I'll outline the network structure...

[code]
   Internet ------------------ External Switch
                 ___________|___________
                |                      |
                |                      |
       Microsoft Exchange Server       Proxy/Firewall
            ext ip: *.*.*.11         ext ip: *.*.*.10
           int ip: 192.168.1.251     int ip: 192.168.1.1
                |                      |
                |                      |
                |                      |
                |______________________|
                           LAN
                 ___________|___________
               |            |           |
             MYDC          PCs        Printer
        domain controller
[/code]

(don't mind the 0's, they were just to make the layout work better hahah)

So both the mail server AND the firewall (which is the default gateway for the local machines) have ext IPs.

The mail server can do the following things:
send and receive local emails
receive external emails

BUT CANNOT send external emails...

For the firewall I'm using an IPTABLES firewall and the proxy is Squid.
I have opened every port on the firewall and proxy to make sure it was not a port problem.. any ideas??

Chris
 
Old 11-10-2003, 12:25 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
OMG man! Please, PLEASE don't tell me your Exchange box has an interface on both the dirty and clean nets!?!?!? That machine will forward packets, leaving your network wide open! The Exchange server needs to go BEHIND the firewall. OK, calming down...

Is the default route on your Exchange box pointed to the internal net by any chance? It sounds like its DNS queries are getting lost. This problem would be fixed if you put the Exchange box on the internal net behind the firewall and disabled one of the interfaces. You just need to forward 25/TCP through your firewall to the Exchange box's internal IP, that's all. As long as you have nat-conntrack loaded, any outbound traffic from Exchange should be allowed and stateful. Point the default route to the internal interface of the firewall. Problem solved.
 
Old 11-10-2003, 12:28 AM   #3
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Original Poster
Rep: Reputation: 30
yeah this was the solution I told the Technical Manager but he doesn't seem too keen! hahah
makes it hard.. this is my second week here and it's hard to tell the boss he's been doing it all wrong :P
 
Old 11-10-2003, 12:31 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
That's not only wrong, that's disastrously wrong. You never have a non-secure box span networks. In fact, even secured boxes shouldn't span networks unless they're explicitly designated firewall or router and treated as such.
 
Old 11-10-2003, 12:41 AM   #5
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Original Poster
Rep: Reputation: 30
they didn't even have a firewall before I got here! and it's a software dev company... I sat there with my jaw dropped when they told me... I told them that ANYONE could have gotten code etc. off of their computers!

WOAH! hehe so they are better off now at least.. I will suggest the change... what is the command to forward all email to the local address... local address being 192.168.1.251, will it look like this?

[code]
IPTABLES="/sbin/iptables"
OUTSIDE=eth0
INSIDE=eth1

# Rewrite inbound POP3/SMTP arriving on the outside interface to the Exchange box
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 110 -j DNAT --to 192.168.1.251:110
$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp -m tcp --dport 25 -j DNAT --to 192.168.1.251:25

# DNATed packets are routed through the box, so they traverse FORWARD, not INPUT
$IPTABLES -A FORWARD -i $OUTSIDE -o $INSIDE -d 192.168.1.251 -p tcp -m tcp --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -i $OUTSIDE -o $INSIDE -d 192.168.1.251 -p tcp -m tcp --dport 25 -j ACCEPT
[/code]
 
Old 11-10-2003, 12:48 AM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Er.. that looks about right. I'm not an iptables person so you'll want to have someone else confirm it, or you could test it yourself right now. Just use the port 25 rule as a test and forward from the external interface of the firewall to the internal interface of the Exchange box. Then from off-site (you do have an off-site shell for testing, right?) telnet external.ip.of.firewall 25 and see if you get the MS SMTP banner. I think you might need a rule on the chains for the internal interface to allow the traffic out on the inside, unless you have a default allow-out rule already for the internal interface (out in this case meaning from the firewall out onto your internal net).

Oh, I forgot one last but very important thing! When you take down the external interface of the Exchange box, you will need to ifconfig a virtual interface on the external card of the firewall to assume the old external IP of Exchange (because your Mail eXchanger record in DNS is pointing to that IP). If you don't do that, outside mail coming in will try to go to the old IP and fail (because it's not assigned to any host). You could change your DNS, but that could take days to fully go into effect. The best course of action would be to add an alias to the firewall. Oh, and make sure you create a script for it in /etc/sysconfig/network-scripts or wherever your distro keeps such things. If you don't and the firewall gets rebooted, people could be quite confused trying to figure out why they aren't getting mail any more.

Doh, forgot one more thing (just a tip). When you have to post ASCII diagrams, use [code] ... [/code] tags so that it preserves formatting. That should prevent the necessity of padding characters.

Last edited by chort; 11-10-2003 at 12:53 AM.
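Putting chort's advice together (Exchange behind the firewall with only its internal address, 25/TCP forwarded to it, the firewall's external card aliased to the old MX address, and that alias persisted so a reboot does not silently stop mail), here is an added example script that is not part of the thread and not anyone's production config. eth0/eth1 and 192.168.1.251 come from the thread; 203.0.113.11 is a documentation placeholder standing in for the old Exchange external IP (the thread shows *.*.*.11); the /24 netmask, the SNAT of Exchange's outbound traffic back to its old address, and the DRY_RUN switch are assumptions of this example. Run it as `show` to print the rules for review, or as `apply` (as root) to install them.

```shell
#!/bin/sh
# Added example, not from the thread: the end state chort describes, written as
# a small rule script for the Red Hat style firewall box in the thread.
# Exchange keeps only 192.168.1.251 (from the thread); the firewall's external
# card takes over the old Exchange IP as an alias so the MX record still works.
# 203.0.113.11 and the netmask are assumed placeholders (the thread shows *.*.*.11).

OUTSIDE=eth0                                # firewall external interface (thread)
INSIDE=eth1                                 # firewall internal interface (thread)
MAIL_INT=192.168.1.251                      # Exchange box, internal address only (thread)
OLD_MX_IP="${OLD_MX_IP:-203.0.113.11}"      # assumed: the IP the MX record points at
EXT_NETMASK="${EXT_NETMASK:-255.255.255.0}" # assumed: external subnet mask
IPT=/sbin/iptables

# run CMD...: execute, or with DRY_RUN=1 just print the command line so the
# rule set can be reviewed (or tested) without root or iptables installed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Step 1: the firewall answers for the old Exchange address (alias eth0:0),
# so inbound mail keeps arriving without waiting for a DNS change.
add_mx_alias() {
    run /sbin/ifconfig "$OUTSIDE:0" "$OLD_MX_IP" netmask "$EXT_NETMASK" up
}

# Step 2: forward 25/TCP to Exchange and let its replies and its own outbound
# traffic (DNS lookups, outgoing SMTP) through statefully.
forward_smtp() {
    run /sbin/sysctl -w net.ipv4.ip_forward=1
    # Inbound SMTP to the MX address is rewritten to the Exchange box.
    run $IPT -t nat -A PREROUTING -i "$OUTSIDE" -d "$OLD_MX_IP" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAIL_INT:25"
    # DNATed packets are routed, so they cross FORWARD (not INPUT).
    run $IPT -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -d "$MAIL_INT" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
    run $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN to Internet: new connections allowed out. Exchange leaves with its old
    # public address (assumed here so the existing reverse DNS keeps matching);
    # everyone else is masqueraded behind the firewall's own address.
    run $IPT -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -m state --state NEW -j ACCEPT
    run $IPT -t nat -A POSTROUTING -s "$MAIL_INT" -o "$OUTSIDE" -j SNAT --to-source "$OLD_MX_IP"
    run $IPT -t nat -A POSTROUTING -o "$OUTSIDE" -j MASQUERADE
    # Nothing else from outside is forwarded in.
    run $IPT -A FORWARD -i "$OUTSIDE" -j DROP
}

# Step 3: persist the alias so a reboot does not silently stop inbound mail.
# $1 is the directory, /etc/sysconfig/network-scripts on Red Hat/Fedora.
write_alias_ifcfg() {
    cat > "$1/ifcfg-$OUTSIDE:0" <<EOF
DEVICE=$OUTSIDE:0
IPADDR=$OLD_MX_IP
NETMASK=$EXT_NETMASK
ONBOOT=yes
EOF
}

case "${1:-}" in
    show)  DRY_RUN=1; add_mx_alias; forward_smtp ;;
    apply) add_mx_alias; forward_smtp; write_alias_ifcfg /etc/sysconfig/network-scripts ;;
esac
```

The check afterwards is the one chort suggests: from an off-site host, telnet to the old MX address on port 25 and look for the Exchange SMTP banner; if the DNAT line is present but the banner never arrives, the FORWARD rules (not INPUT) are the first place to look, since forwarded traffic never visits the INPUT chain.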
 
All times are GMT -5.