Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a problem with what appears to be the mail server being unable to resolve DNS through the firewall/proxy I built.
In a nutshell... I have built a firewall/proxy box to protect the network and everything SEEMS to be working fine... I can browse the net etc. from client machines...
First things first, I'll outline the network structure...
(don't mind the 0's, they're just to make the layout work better hahah)
So both the mail server AND the firewall (which is the default gateway for the local machines) have external IPs.
The mail server can do the following things:
send and receive local emails
receive external emails
BUT CANNOT send external emails...
For the firewall I'm using an iptables firewall and the proxy is Squid.
I have opened every port on the firewall and proxy to make sure it was not a port problem... any ideas??
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
OMG man! Please, PLEASE don't tell me your Exchange box has an interface on both the dirty and clean nets!?!?!? That machine will forward packets, leaving your network wide open! The Exchange server needs to go BEHIND the firewall. OK, calming down...
Is the default route on your Exchange box pointed to the internal net by any chance? It sounds like its DNS queries are getting lost. This problem would be fixed if you put the Exchange box on the internal net behind the firewall and disabled one of the interfaces. You just need to forward 25/TCP through your firewall to the Exchange box's internal IP, that's all. As long as you have nat-conntrack loaded, any outbound traffic from Exchange should be allowed and stateful. Point the default route to the internal interface of the firewall. Problem solved.
Yeah, this was the solution I told the Technical Manager, but he doesn't seem too keen! hahah
Makes it hard... this is my second week here and it's hard to tell the boss he's been doing it all wrong :P
That's not only wrong, that's disastrously wrong. You never have a non-secure box span networks. In fact, even secured boxes shouldn't span networks unless they're explicitly designated firewall or router and treated as such.
They didn't even have a firewall before I got here! And it's a software dev company... I sat there with my jaw dropped when they told me... I told them that ANYONE could have gotten code etc. off of their computers!
WOAH! hehe so they are better off now at least... I will suggest the change... what is the command to forward all email to the local address? Local address being 192.168.1.251, will it look like this?
Er... that looks about right. I'm not an iptables person so you'll want to have someone else confirm it, or you could test it yourself right now. Just use the port 25 rule as a test and forward from the external interface of the firewall to the internal interface of the Exchange box. Then from off-site (you do have an off-site shell for testing, right?) telnet external.ip.of.firewall 25 and see if you get the MS SMTP banner. I think you might need a rule on the chains for the internal interface to allow the traffic out on the inside, unless you have a default allow-out rule already for the internal interface (out in this case meaning from the firewall out onto your internal net).
Oh, I forgot one last but very important thing! When you take down the external interface of the Exchange box, you will need to ifconfig a virtual interface on the external card of the firewall to assume the old external IP of Exchange (because your Mail eXchanger record in DNS is pointing to that IP). If you don't do that, outside mail coming in will try to go to the old IP and fail (because it's not assigned to any host). You could change your DNS, but that could take days to fully go into effect. The best course of action would be to add an alias to the firewall. Oh, and make sure you create a script for it in /etc/sysconfig/network-scripts or wherever your distro keeps such things. If you don't and the firewall gets rebooted, people could be quite confused trying to figure out why they aren't getting mail any more.
Doh, forgot one more thing (just a tip). When you have to post ASCII diagrams, use code /code (with square brackets around each code tag) so that it preserves formatting. That should prevent the necessity of padding characters.
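The firewall-side change the two replies above describe (alias the mail server's old public IP onto the firewall's external card, DNAT 25/TCP to the internal address, let the forwarded and return traffic through), written out as an added example. This is not code from the thread or from any poster; the interface names eth0/eth1 and the old public IP 203.0.113.25 are assumptions, 192.168.1.251 is the internal address given in the thread. The script prints the plan by default so it can be reviewed first, and only runs it when invoked as `apply` (as root). It also SNATs the mail server's outbound connections to the old public IP, so outgoing mail still originates from the address the MX and reverse-DNS records name; the thread does not mention that step, but without it many receiving servers will treat the mail as coming from an unknown host.

```shell
#!/bin/sh
# Added example, not from the thread: firewall changes for moving the mail
# server behind the iptables box. Interface names and OLD_MX_IP are assumptions.
set -eu

EXT_IF="${EXT_IF:-eth0}"                     # assumed: firewall's external interface
INT_IF="${INT_IF:-eth1}"                     # assumed: firewall's internal interface
OLD_MX_IP="${OLD_MX_IP:-203.0.113.25}"       # assumed: mail server's former public IP (MX record still points here)
MAIL_INT_IP="${MAIL_INT_IP:-192.168.1.251}"  # from the thread: mail server's internal address

# Emit the commands in the order they should be applied.
# "-m state --state" is used rather than "-m conntrack" so the plan also
# works on the older CentOS releases mentioned in the thread.
mail_forward_rules() {
    cat <<EOF
ip addr add ${OLD_MX_IP}/32 dev ${EXT_IF} label ${EXT_IF}:0
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i ${EXT_IF} -d ${OLD_MX_IP} -p tcp --dport 25 -j DNAT --to-destination ${MAIL_INT_IP}:25
iptables -A FORWARD -i ${EXT_IF} -o ${INT_IF} -d ${MAIL_INT_IP} -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i ${INT_IF} -o ${EXT_IF} -s ${MAIL_INT_IP} -j ACCEPT
iptables -t nat -A POSTROUTING -o ${EXT_IF} -s ${MAIL_INT_IP} -j SNAT --to-source ${OLD_MX_IP}
EOF
}

# Number of emitted rules that append to a given chain (useful when
# checking the plan against an existing ruleset before applying it).
rules_for_chain() {
    mail_forward_rules | grep -c -- "-A $1 " || true
}

case "${1:-print}" in
    print) mail_forward_rules ;;
    apply) mail_forward_rules | sh -ex ;;   # run as root, after reviewing the printed plan
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

The ESTABLISHED,RELATED rule is appended first so that replies are matched before the per-port rules; if the FORWARD chain already has such a rule, drop that line rather than duplicating it. The alias is lost on reboot, which is the point the reply makes: on the CentOS releases in the thread it is persisted as an ifcfg-eth0:0 file under /etc/sysconfig/network-scripts, and the rules with `service iptables save`. Verification is the one the reply suggests: from an off-site host, `telnet 203.0.113.25 25` should now return the Exchange SMTP banner, and the mail server's default route must point at the firewall's internal address so its DNS and outbound SMTP go through the NAT.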