LinuxQuestions.org
Old 12-14-2004, 07:09 AM   #1
csavoretti
LQ Newbie
 
Registered: Dec 2004
Location: Argentina
Posts: 11

Rep: Reputation: 0
Unhappy Mails don't arrive from Internet...


Hi all !

My setup is a firewall with a DMZ zone, using IP aliasing on the Ethernet interface facing the Internet and
NATing.
All this works fine, but the only problem is...
No mail at all arrives from the Internet. Logging of the mail clients is done correctly on
the server (in /var/log/secure, etc.).
Sending and receiving mail from the LAN is OK, so SMTP and POP3S (ports 25 and 995)
are working.
I suspect that the MX record in the DNS is not quite right.
I have:
1D IN MX 10 zeus.mydomain.com.

(zeus is the very same host and it's addressed below with)

zeus IN A xxx.xx.xx.xxx

What kind of test can I do?
I'm very confused.

Thanks a lot...
 
Old 12-14-2004, 07:50 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Use a telnet client and test the server to make sure it talks back..
e.g. telnet x.x.x.x 25 for SMTP
(Use the external IP number)

Then from a hotmail/yahoo site, send mail to yourself and watch the SMTP logfiles for connection info.
 
Old 12-14-2004, 01:41 PM   #3
csavoretti
LQ Newbie
 
Registered: Dec 2004
Location: Argentina
Posts: 11

Original Poster
Rep: Reputation: 0
Well, these tests seem to be OK (there is a response in all cases), but
(always a BUT...) I sent a mail from hotmail to my account and
it didn't arrive.

I can send / receive mail from inside the LAN, but from outside...

What can be happening?

NOTE: In the MX record of my DNS the DMZ's address is set
(it is 192.168.1.2); I also tried setting the `real' IP of my domain,
200.xx.xx.xxx. It doesn't work at all...
 
Old 12-14-2004, 03:07 PM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Quote:
NOTE: In the MX record of my DNS is set the DMZ's address

(it is 192.168.1.2)
I hope that this IP address wasn't the first attempt in the DNS record..

If your DNS record has a standard 3-day TTL (expiry) you could be waiting a while for a fresh record to be sent around..

It should be only the external IP number here, for Internet servers to find you..
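The point made above (an MX target must resolve to an address the Internet can reach) can be checked before publishing a zone. The script below is an added example, not from the thread or from any poster: it parses a constructed BIND zone fragment modelled on the OP's records (mydomain.com and the addresses are placeholders), and flags every MX target whose A record is an RFC1918 address, or which has no A record at all.

```shell
#!/bin/sh
# Added example: audit a BIND zone fragment for MX targets that Internet MTAs
# cannot reach. The zone text is constructed to mirror the OP's records.

ZONE='$ORIGIN mydomain.com.
@       1D  IN  MX  10  zeus.mydomain.com.
zeus        IN  A   192.168.1.2
www         IN  A   200.14.76.121'

# is_private_ip ADDR -> exit 0 when ADDR is in 10/8, 172.16/12 or 192.168/16
is_private_ip() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# a_record ZONE NAME -> prints the A address for the fully qualified NAME
# (short owner names are expanded with $ORIGIN); prints nothing if absent
a_record() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "$ORIGIN" { origin = $2; next }
        /[[:space:]]IN[[:space:]]+A[[:space:]]/ {
            owner = $1
            if (owner !~ /\.$/) owner = owner "." origin
            if (owner == name) { print $NF; exit }
        }'
}

# check_mx ZONE -> one line per MX target: "<target> OK <addr>",
# "<target> PRIVATE <addr>" or "<target> NO_A"; exit 1 if any problem was found
check_mx() {
    zone="$1"; status=0
    for target in $(printf '%s\n' "$zone" | awk '/[[:space:]]MX[[:space:]]/ { print $NF }'); do
        addr=$(a_record "$zone" "$target")
        if [ -z "$addr" ]; then
            echo "$target NO_A"; status=1
        elif is_private_ip "$addr"; then
            echo "$target PRIVATE $addr"; status=1
        else
            echo "$target OK $addr"
        fi
    done
    return $status
}

check_mx "$ZONE" || echo "MX problem: publish the external address before expecting Internet mail"
```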
 
Old 12-14-2004, 03:08 PM   #5
metalick
Member
 
Registered: Apr 2004
Location: Zagreb, Croatia
Distribution: SuSE 9.0
Posts: 44

Rep: Reputation: 15
Is your mail server in the DMZ zone? Maybe the routing works well for the route LAN-GW-MAILSERVER, but the route INET-DMZ(MAILSERVER) is not OK. Did you receive any bounce mails to your hotmail, like undeliverable etc.?
 
Old 12-14-2004, 09:47 PM   #6
bdogg
Member
 
Registered: Sep 2004
Location: Salt Lake City, UT
Distribution: Debian Sarge
Posts: 93

Rep: Reputation: 15
Your ISP could be blocking port 25 as well. What service do you have? If you can ssh into a machine outside of your ISP, then you can try that telnet command again from there and try to get into port 25.

Make sure you get that MX record set up to have your external IP as well (not your internal one).
 
Old 12-15-2004, 07:13 AM   #7
csavoretti
LQ Newbie
 
Registered: Dec 2004
Location: Argentina
Posts: 11

Original Poster
Rep: Reputation: 0
- The DNS record has a 1-day TTL, but by changing the serial number I try to push it so it'll
be refreshed. Is that right?

- I also believe the problem is in the INET-DMZ(MAILSERVER) path. But
no bounced mails are received (just nothing happens).

- In the firewall rules (iptables) I just repeat the HTTP items (port 80) for SMTP
(port 25), assuming the same kind of handling is needed.

NOTE: Sniffing around with tcpdump I see a lot of 192.168.1.2.smtp trying to reach the SMTP
server, but it seems not to respond...

After all, something is wrong... (of course YES, but WHERE!!!)

Thanks for your help, a lot...
 
Old 12-15-2004, 07:36 AM   #8
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
what rules do you have for MASQUERADE/SNAT ?
which interface is the DMZ using?
 
Old 12-15-2004, 07:48 AM   #9
csavoretti
LQ Newbie
 
Registered: Dec 2004
Location: Argentina
Posts: 11

Original Poster
Rep: Reputation: 0
Basically I'm using a script from http://iptables-tutorial.frozentux.n...Z.firewall.txt

but adding SMTP rules in the same way as HTTP, given that in this template the provided services are HTTP and DNS.

Thanks.
 
Old 12-15-2004, 07:59 AM   #10
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Have you added the PREROUTING rule for port 25?

Have you telnetted in from outside your network?
 
Old 12-15-2004, 08:17 AM   #11
csavoretti
LQ Newbie
 
Registered: Dec 2004
Location: Argentina
Posts: 11

Original Poster
Rep: Reputation: 0
Yes, this is my script.

--------------------------------------------cut here-----------------------------------------
#!/bin/sh
#
# rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="194.236.50.152"
HTTP_IP="194.236.50.153"
SMTP_IP="194.236.50.153"
DNS_IP="194.236.50.154"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

LAN_IP="192.168.0.1"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

DMZ_HTTP_IP="192.168.1.2"
DMZ_SMTP_IP="192.168.1.2"
DMZ_DNS_IP="192.168.1.3"
DMZ_IP="192.168.1.1"
DMZ_IFACE="eth2"

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a



#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Packets from the Internet to this box
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# Packets from LAN, DMZ or LOCALHOST
#

#
# From DMZ Interface to DMZ firewall IP
#

$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT

#
# From Localhost interface to Localhost IP's
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#

#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#

#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets


#
# DMZ section
#
# General rules
#

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT

#
# HTTP server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets

#
# SMTP server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SMTP_IP \
--dport 25 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SMTP_IP \
-j icmp_packets

#
# DNS server
#

$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets

#
# LAN section
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SMTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_SMTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

--------------------------------------------cut here------------------------------------------
 
Old 12-15-2004, 08:33 AM   #12
csavoretti
LQ Newbie
 
Registered: Dec 2004
Location: Argentina
Posts: 11

Original Poster
Rep: Reputation: 0
Correcting a mistake.

In the PREROUTING rules, where port 80 is written it is really
port 25 (in my original script). Sorry.
 
Old 12-15-2004, 08:40 AM   #13
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
So now you need to finish testing from outside the network..

See if the server responds ok, watch the log files for connect errors etc
Watch both the smtp server logfile and iptables logfile in the firewall while you connect..
This means adding some -j LOG entries to monitor port 25 in and out..
That script is logging at DEBUG level, so I'm not sure which file it will log to..
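The "-j LOG entries to monitor port 25 in and out" suggested above, as an added example that is not from the thread or from the OP's script: the rules are defined in a function (they need root and are not called here), using --log-level info rather than the DEBUG level the OP's script uses, and a small awk filter summarises the resulting kernel log lines. Interface names and the DMZ address follow the OP's script; the log lines are constructed, and 203.0.113.10 is a documentation address standing in for a remote sender.

```shell
#!/bin/sh
# Added example: LOG rules for SMTP before and after DNAT, plus a filter for
# the syslog lines they (and the script's "packet died" rules) produce.
IPTABLES=/usr/sbin/iptables
INET_IFACE=eth0; DMZ_IFACE=eth2; DMZ_SMTP_IP=192.168.1.2

# add_smtp_log_rules: insert (-I) LOG rules at the top of the chains so they
# fire before any ACCEPT or DROP. Requires root; not called in this example.
add_smtp_log_rules() {
    $IPTABLES -t nat -I PREROUTING -p tcp -i "$INET_IFACE" --dport 25 \
        -m limit --limit 6/minute -j LOG --log-level info --log-prefix "SMTP pre-DNAT: "
    $IPTABLES -I FORWARD -p tcp -i "$INET_IFACE" -o "$DMZ_IFACE" -d "$DMZ_SMTP_IP" --dport 25 \
        -m limit --limit 6/minute -j LOG --log-level info --log-prefix "SMTP fwd in: "
    $IPTABLES -I FORWARD -p tcp -i "$DMZ_IFACE" -s "$DMZ_SMTP_IP" --sport 25 \
        -m limit --limit 6/minute -j LOG --log-level info --log-prefix "SMTP fwd out: "
}

# Constructed kernel log lines in the iptables LOG target's KEY=VALUE format.
LOG='Dec 15 13:02:11 fw kernel: SMTP pre-DNAT: IN=eth0 OUT= SRC=203.0.113.10 DST=200.14.76.121 PROTO=TCP SPT=4021 DPT=25 SYN
Dec 15 13:02:11 fw kernel: IPT FORWARD packet died: IN=eth0 OUT=eth2 SRC=203.0.113.10 DST=192.168.1.2 PROTO=TCP SPT=4021 DPT=25 SYN
Dec 15 13:02:12 fw kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=10.9.8.7 DST=200.14.76.120 PROTO=UDP SPT=137 DPT=137
Dec 15 13:02:15 fw kernel: SMTP pre-DNAT: IN=eth0 OUT= SRC=203.0.113.10 DST=200.14.76.121 PROTO=TCP SPT=4022 DPT=25 SYN'

# smtp_summary LOGTEXT -> one line per port-25 entry: "<stage> SRC->DST in=IF out=IF"
# stage is "died" for packets that fell through to the chain's DROP policy, else "seen"
smtp_summary() {
    printf '%s\n' "$1" | awk '
        / DPT=25( |$)/ {
            stage = ($0 ~ /packet died/) ? "died" : "seen"
            src = ""; dst = ""; in_if = ""; out_if = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                if (kv[1] == "DST") dst = kv[2]
                if (kv[1] == "IN") in_if = kv[2]
                if (kv[1] == "OUT") out_if = kv[2]
            }
            printf "%s %s->%s in=%s out=%s\n", stage, src, dst, in_if, out_if
        }'
}

# count_smtp_drops LOGTEXT -> how many port-25 packets died in a chain
count_smtp_drops() {
    smtp_summary "$1" | grep -c '^died' || true
}

smtp_summary "$LOG"
echo "SMTP packets dropped by policy: $(count_smtp_drops "$LOG")"
```

A "died" line whose DST is already the DMZ address shows the DNAT worked and the FORWARD chain is what rejected the connection; a pre-DNAT line with no matching forward line points at the PREROUTING rule instead.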
 
Old 12-15-2004, 01:50 PM   #14
csavoretti
LQ Newbie
 
Registered: Dec 2004
Location: Argentina
Posts: 11

Original Poster
Rep: Reputation: 0
OK. Digging in the maillog I found some sentences like:

mails looped back to me (MX? problem)
...

I'm confused, but I think the problem could be something related to
the relaying and the MX record of the DNS.

Googling I found issues related to /etc/mail/access (I put my LAN there).
I set the resolver of the LAN to 192.168.1.2.
I tried to set the MX record to the real (192.168.1.2) and external (200.14.76.121)
IPs, but it also doesn't work.

Schematically:

TRUSTED LAN                        DMZ (HTTP, DNS, SMTP, POP3s)
eth1: 192.168.5.1                  eth2: 192.168.1.1
        |                                  |
        +------------ FIREWALL ------------+
                         |
        eth0: 200.14.76.120, 200.14.76.121 (alias)
                         |
                  I N T E R N E T



Regards
 
Old 12-15-2004, 04:10 PM   #15
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Now I'm getting a bit suspicious...
Normally looping like that is because the server can't decide what its own name is..
Can the server itself communicate OK with the Internet, by IP and by URL?
e.g. can you wget files by IP number and by URL?

What FQDN hostname are you using on the mail server?
Is this hostname entered with the external IP address in the server's /etc/hosts file?
Is this hostname also on the 127.0.0.1 line?
What does dig hostname give on the server, on the firewall and on a workstation?
Is this a sendmail server with local-only still in the sendmail.cf file?

Basic questions so far, but it looks like something very basic is missing/incorrect..

Usually, it's necessary to test the IP packet forwarding outward and inward before using URL names, to prove the network connects OK.. then check with URL names, then with the SMTP server running..
 