LinuxQuestions.org forum: Linux - Security
Ok, so I've tried everything I can think of to make this work - no luck
All I want to do is pass port 25 traffic coming from the internet through our firewall (private address) over to the DMZ (private address) where a postfix box resides, then forward off to another DMZ (private address) or back to the firewall where it will get routed to an internal server...
So therefore, the flow would be:

Internet ---> firewall ----> My DMZ postfix 1 -----> firewall (postfix)
                                    |
                                    | (or based on destination)
                                    |
                                    ------> Other DMZ postfix 2
firewall  = int 172.23.1.76
            ext 216.200.200.200
            dmz 10.10.100.2
My DMZ    = eth0 10.10.100.200
            eth1 10.10.10.200
            eth2 172.23.1.199
Other DMZ = eth0 10.10.100.150
            eth1 10.10.10.20
I know it sounds like a rigmarole, but I have my reasons....
Someone must have done this - I'll even settle for traffic passing from f/w to my DMZ as a starting point????
Send me a working config if you have one - thx in advance...
> Send me a working config if you have one
Add log target rules for any "decision", check the logs and adjust your rules accordingly. Then post the output and the script you're using.
I followed one document that gave me a little insight into what I needed to try and that worked - sort of.
The new problem of the day is now:
When a connection comes in from the internet on port 25, it is reverse-masq forwarded to the DMZ; however, it only allows one connection at a time. The other connections that come through go into a SYN_SENT state and then eventually a TIME_WAIT state, and then either time out or, as each connection is cleared, the next one connects. For SMTP traffic this means that typically the connection is dropped and then retried later. For example, I sent two simultaneous emails from outside to myself from different sources - one went through (slowly, I might add), the other one took almost 15 minutes to retry but finally made it through.
While one connection is made the others sit and wait or are dropped (connection failure - not dropped by the firewall).
Any ideas ? We process about 1000 emails a day....
Things would apparently connect or at least pass through, but it would never connect properly (SYN_RCVD) or (TIME_WAIT)... I read another article with similarities that stated routing was his problem and bingo!
What I will do, once I have a good solid running config, is post it here with my list of "Gotchas" for all the other poor souls living on twinkies and coffee to make this work...
To add more complexities into the mix, now I'm working on Squid in conjunction with all this!!!
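As an added example (not a config from anyone in this thread), here is a rule set for the port 25 DNAT described in the first post, with a LOG rule at each decision point as the reply suggests, plus the return route the DMZ host needs so replies pass back through the same firewall (the routing angle the last post mentions). Addresses are the ones given in the thread; the interface names EXT_IF/DMZ_IF and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: inbound SMTP DNAT to the DMZ postfix host, logged at each decision.
# Interface names below are assumptions; addresses come from the thread.
EXT_IF=eth0                  # assumed: firewall interface holding 216.200.200.200
DMZ_IF=eth2                  # assumed: firewall interface holding 10.10.100.2
EXT_IP=216.200.200.200       # firewall external address
FW_DMZ_IP=10.10.100.2        # firewall DMZ address
POSTFIX=10.10.100.200        # "My DMZ" postfix host, its eth0

# Print each rule instead of applying it unless APPLY=1 is set (dry run by default).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Emit the full rule set for forwarding port 25 from the internet to the postfix host.
smtp_dnat_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Decision 1: rewrite the destination of SMTP arriving on the external interface.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 25 \
        -j LOG --log-prefix "smtp-dnat: "
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 25 \
        -j DNAT --to-destination "$POSTFIX:25"
    # Decision 2: let the rewritten SYNs through FORWARD and log each new one;
    # replies and later packets of the same connection ride on the conntrack entry.
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p tcp -d "$POSTFIX" --dport 25 \
        -m conntrack --ctstate NEW -j LOG --log-prefix "smtp-fwd: "
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -p tcp -d "$POSTFIX" --dport 25 \
        -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Decision 3: anything else in FORWARD is logged before it is dropped, so a
    # connection stuck in SYN_SENT shows up in the log instead of vanishing.
    run iptables -A FORWARD -j LOG --log-prefix "fwd-drop: "
    run iptables -A FORWARD -j DROP
}

# The reply path: the postfix host has three interfaces, so its replies must be
# routed back out through this firewall's DMZ address. If they leave via another
# interface, conntrack never un-NATs them and the client stays in SYN_SENT.
postfix_return_route() {
    echo "ip route replace default via $FW_DMZ_IP dev eth0   # run on $POSTFIX"
}

smtp_dnat_rules
postfix_return_route
```

Run it as-is to review the rules, then with APPLY=1 on the firewall to install them; watch the kernel log for the smtp-dnat, smtp-fwd and fwd-drop prefixes while sending a test message from outside.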