I'm having trouble getting port forwarding working on my one box.
I have 2 incoming internet connections. I have 2 servers on these connections.
pubinternet          privinternet
eth0:x.x.x.x         eth0:y.y.y.y
eth1:10.10.10.1      eth1:10.10.10.4
I need to be able to port forward traffic from y.y.y.y to the box on 10.10.10.1. I have my firewall configured (I use gshield) but 10.10.10.1 does not seem to answer when I try and test.
I use gshield all the time for other servers with only 1 connection, and it works awesome. I can't seem to get it to forward traffic from y.y.y.y to 10.10.10.1.
10.10.10.1 and 10.10.10.4 are connected together with a switch, and I am able to telnet to 10.10.10.1 from 10.10.10.4 on port 25.
Is there some step with networking that I am missing in getting this to work?
Thanks.
Thom Paine wrote:
I'm having trouble getting port forwarding working on my one box.
I think port forwarding is working fine, it's the routing of the traffic back to the source that is not, because linux doesn't handle multiple default gateways very well out of the box. Look into multi homed routing using iproute2 (I think that's the command), or NAT the traffic going to the inside so routing works. One easy way to do this is to use a program like rinetd or redir to port forward the traffic.
Of course the downside to this is all traffic that is forwarded will appear to your internal host to be originating from your gateway/firewall.
If it was my setup I wouldn't do either; instead I would fire up a VM that had the other gateway as its default gateway, keep it simpler.
nate
Hi,
On Fri, Jan 16, 2009 at 11:19, Thom Paine painethom@gmail.com wrote:
Is there some step with networking that I am missing in getting this to work?
Yes, the packet must return to the original source in the Internet with the y.y.y.y source IP.
Your machine with IP x.x.x.x probably has a default gateway in eth0, so it will probably try to return the packets through that interface.
I see three alternatives here to make this work:
1) Route any TCP packets with source IP 10.10.10.1 and source port 25 using 10.10.10.4 as the gateway. This can be done with help of the utilities in the iproute2 package, with the "ip" command (see "man ip"). This is quite complex but I'm almost sure it can be done. Read http://lartc.org/howto/. I think you can also use iptables to mark the packets with that specification and then use the "ip" command to route them through that gateway.
2) Configure the NAT of the machine with IP y.y.y.y to rewrite the packets to y.y.y.y:25 not only with new destination 10.10.10.1:25 but with source 10.10.10.4. That way the connection will return to the machine with IP y.y.y.y that will be able to NAT it back to the original y.y.y.y:25 address on the source and the original address on the internet as the destination. The problem here is that the box with IP x.x.x.x does not know from where the original connection came, it looks like all the connections are coming from 10.10.10.4.
3) Configure the machine with IP y.y.y.y to send the packets unchanged to machine with IP 10.10.10.1, that is, with y.y.y.y still as the destination address (in other words, no NAT is being done here, the machine is only using 10.10.10.1 to resolve a MAC address and forward the packet to that machine). Machine with IP x.x.x.x *must* have y.y.y.y/32 as an alias in one of the interfaces, otherwise it will reject the packet. Usually the loopback interface is the one used for that (add the y.y.y.y IP to lo:0). This way, the machine with IP x.x.x.x will return the packets to the original source in the Internet through its eth0 interface, the one with x.x.x.x IP, but as the packets have never been rewritten and the machine considers y.y.y.y an IP of its own, it is going to send the packet back with source y.y.y.y:25, which is what is needed for the original host to recognize the connection. This will make the traffic asymmetric, entering your network through the y.y.y.y Internet line, but leaving through the x.x.x.x Internet line. Not 100% sure on how to implement the tricky routing without NATing on Linux, almost sure it's possible though. It will probably involve iptables to mark the connection and then using the tools in iproute2 to route them without rewriting. There is a slight issue here that from host with IP x.x.x.x you will not be able to start connections to y.y.y.y and have them routed (through the Internet) to your other host, but you will still reach it through 10.10.10.4 which is probably what you will want.
(I use gshield)
Then you should probably ask in a gshield mailing list how to do it with that specific tool. All of the above assumes iptables and iproute2 only, so it might not be directly applicable on the gshield configuration you already have.
On Fri, Jan 16, 2009 at 17:57, nate centos@linuxpowered.net wrote:
If it was my setup I wouldn't do either instead I would fire up a VM that had the other gateway as it's default gateway, keep it simpler.
Just my opinion, but I wouldn't say that firing up a VM would make anything "simpler"... Now instead of one problem you got two... :-)
Not to say that it wouldn't be possible, and if you're well versed in VM technology and already have the infrastructure it may be a good way to solve such a problem. However, if you don't, then you will have to worry about VM-specific issues, VM-specific networking (which can get quite tricky, especially in a host with more than one interface), VM-related performance issues... Not to mention that you have to administrate, maintain and update two hosts instead of one.
In the case of the OP, I would urge him to evaluate if that network topology really makes sense. Does it make sense having two hosts with two different connections? In that case, does it make sense to run services like mail/web servers on these hosts? Shouldn't they be dedicated routers/firewalls instead? And do you really need to use port forwarding connections to a host that is already directly connected to the internet?
HTH, Filipe
Hi,
To implement either 1) or 3) you need to mix iptables and iproute2 to route packets matching specific criteria.
The "Linux Advanced Routing & Traffic Control HOWTO" has a specific section on this, and an example very similar to yours (although they show how to route outgoing e-mail traffic and not incoming).
See this URL: http://lartc.org/howto/lartc.netfilter.html
However, I still think you should re-evaluate your requirements, think of what you're trying to accomplish, and re-architect your solution based on that.
HTH, Filipe
In the case of the OP, I would urge him to evaluate if that network topology really makes sense. Does it make sense having two hosts with two different connections? In that case, does it make sense to run services like mail/web servers on these hosts? Shouldn't they be dedicated routers/firewalls instead? And do you really need to use port forwarding connections to a host that is already directly connected to the internet?
It doesn't necessarily make sense. This entire project doesn't make sense. The issue is that we are sending confidential patient records through a private network.
Instead of using something like PKI encryption (like I use at the police station where I also work), this business model decided that all mail should be sent out their private network. Then they can check if the receiver should be receiving email in the first place. They originally wanted to take control of my mail server, and I would pick mail up from them for all my users and I said no to that. We are retaining control of our network, and mail server and relaying all outbound mail out this new connection. Incoming mail will transfer as normal from all sources except from this private network which could have confidential patient records, and it needs to come in this new connection from an authenticated mail server to my box.
This project has been dragging out since 2007, and it's really getting on my nerves. They only want to deal with Exchange, and they have been sending instructions out for exchange, even though they know I am using Linux for my server.
I thought I was almost out of the woods until we started testing the port forwarding, and I've run into these hangups.
I think option 2 will work best for me. The box and connection on y.y.y.y is strictly for communicating with this other mail server I need to relay out, and receive only patient records mail from. If I rewrite the packets to appear to be from 10.10.10.4 I think this will work.
What would the best option for this be? I'm thinking I will have to stop using the gshield firewall that I used to use, and just write the rules manually in iptables because there will only be 1/2 a dozen or so and once they are written, they will be permanent.
Thanks for the excellent replies.
Hi,
On Mon, Jan 19, 2009 at 09:58, Thom Paine painethom@gmail.com wrote:
I think option 2 will work best for me. The box and connection on y.y.y.y is strictly for communicating with this other mail server I need to relay out, and receive only patient records mail from. If I rewrite the packets to appear to be from 10.10.10.4 I think this will work.
What would the best option for this be? I'm thinking I will have to stop using the gshield firewall that I used to use, and just write the rules manually in iptables because there will only be 1/2 a dozen or so and once they are written, they will be permanent.
I don't know gshield, but I think that if it supports port forwarding it will probably support rewriting the source address too.
If you want to implement it with iptables, this page has exactly what you need to do it: http://kreiger.linuxgods.com/kiki/?Port+forwarding+with+netfilter
The key part in your case is "The POSTROUTING SNAT rule in the nat-table (optional)", which is what you need to make it look like it's coming from 10.10.0.4.
Let us know how that goes!
HTH, Filipe
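An added example, not from the thread or from any of the tools it names: the netfilter and iproute2 commands for Filipe's option 2 (DNAT plus SNAT on the y.y.y.y box, the "POSTROUTING SNAT rule" he points to above) and for a connection-mark variant of his option 1 (policy routing on the 10.10.10.1 mail server, with no SNAT). Interface names, the mark and table number, and the public address (an RFC 5737 documentation address standing in for y.y.y.y) are assumptions; with APPLY left unset the script only prints the commands so they can be reviewed against the existing firewall first.

```shell
#!/bin/sh
# Added example (not from the thread or any project): netfilter/iproute2
# rules for Filipe's option 2 (DNAT + SNAT on the y.y.y.y box) and a
# connection-mark variant of his option 1 on the 10.10.10.1 mail server.
# Addresses, interface names and the mark/table number are placeholders;
# y.y.y.y is stood in for by an RFC 5737 documentation address.
# With APPLY unset the commands are printed for review instead of executed.

PUB_IP="${PUB_IP:-203.0.113.10}"     # y.y.y.y, the private-line address
GW_INT="${GW_INT:-10.10.10.4}"       # inside address of the y.y.y.y box
MAIL_INT="${MAIL_INT:-10.10.10.1}"   # the internal mail server
LAN_NET="${LAN_NET:-10.10.10.0/24}"  # the switch both boxes sit on
PUB_IF="${PUB_IF:-eth0}"             # interface holding y.y.y.y
LAN_IF="${LAN_IF:-eth1}"             # interface on the LAN switch
MARK=25                              # assumed: an unused fwmark / table id

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Option 2 (on the y.y.y.y box): DNAT port 25 to the mail server and SNAT the
# source to 10.10.10.4, so replies come back through this box no matter what
# the mail server's default gateway is. Cost: the mail server only ever sees
# 10.10.10.4 as the client, so per-source logging and ACLs move to this box.
option2_dnat_snat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$PUB_IF" -d "$PUB_IP" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAIL_INT:25"
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -d "$MAIL_INT" -p tcp --dport 25 \
        -j SNAT --to-source "$GW_INT"
    # FORWARD passes only this one flow and its replies; everything else is
    # left to the chain's default policy (keep it DROP).
    run iptables -A FORWARD -i "$PUB_IF" -o "$LAN_IF" -d "$MAIL_INT" -p tcp --dport 25 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$PUB_IF" -s "$MAIL_INT" -p tcp --sport 25 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Option 1 (on the mail server, y.y.y.y box does DNAT only): a port-25
# connection arriving on the LAN interface from a non-LAN source came through
# 10.10.10.4, so its conntrack entry is marked; the mark is restored on the
# locally generated replies and a policy rule sends marked packets back via
# 10.10.10.4. Marking by source port alone (as option 1 reads) would also
# redirect replies to mail that arrived on x.x.x.x; the source filter avoids
# that, and the LAN route in the extra table keeps local clients reachable.
option1_policy_route() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" ! -s "$LAN_NET" -p tcp --dport 25 \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$MARK"
    run ip route add default via "$GW_INT" dev "$LAN_IF" table "$MARK"
    run ip rule add fwmark "$MARK" lookup "$MARK"
    run ip route flush cache
    # Strict reverse-path filtering would drop the forwarded packets, whose
    # Internet source the main table routes via the x.x.x.x interface.
    run sysctl -w net.ipv4.conf."$LAN_IF".rp_filter=0
}

case "${1:-option2}" in
    option1) option1_policy_route ;;
    option2) option2_dnat_snat ;;
    *) echo "usage: $0 [option1|option2]   (APPLY=1 to execute)" >&2; exit 2 ;;
esac
```

Run it as `sh rules.sh option2` to see the option 2 rule set, and with `APPLY=1` to install it; the rules are not persistent, so once they are settled they belong in the distribution's saved iptables configuration. Whichever option is chosen, the FORWARD chain should stay closed to everything except the relayed port, and the mail server's own access controls should be checked afterwards: under option 2 every relayed connection shows up as 10.10.10.4, so a rule written for the partner's real address will no longer match.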
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Thom Paine Sent: Monday, January 19, 2009 9:59 AM To: CentOS mailing list Subject: Re: [CentOS] Port Forwarding
In the case of the OP, I would urge him to evaluate if that network topology really makes sense. Does it make sense having two hosts with two different connections? In that case, does it make sense to run services like mail/web servers on these hosts? Shouldn't they be dedicated routers/firewalls instead? And do you really need to use port forwarding connections to a host that is already directly connected to the internet?
It doesn't necessarily make sense. This entire project doesn't make sense. The issue is that we are sending confidential patient records through a private network.
--------- It does make sense to me to do it the way you describe.
Then they can check if the receiver should be receiving email in the first place. They
----- Yes, that would be because of HIPAA Law Requirements. They have to do that whether they want to or not. See: hipaa.org and cms.hhs.gov/SecurityStandard/
originally wanted to take control of my mail server, and I would pick mail up from them for all my users and I said no to that. We are retaining control of our network, and mail server and relaying all outbound mail out this new connection. Incoming mail will transfer as normal from all sources except from this private network which could have confidential patient records, and it needs to come in this new connection from an authenticated mail server to my box.
------ I hope you all are using some type of encryption. SSL?
This project has been dragging out since 2007, and it's really getting on my nerves. They only want to deal with Exchange, and they have been sending instructions out for exchange, even though they know I am using Linux for my server.
---------- Probably been dragging out since October 07? Exchange Server is, you might as well say, a lock-in for the health care entities. More of a total groupware solution for mailing, calendaring and such, where sendmail is not.
I thought I was almost out of the woods until we started testing the port forwarding, and I've run into these hangups.
I think option 2 will work best for me. The box and connection on y.y.y.y is strictly for communicating with this other mail server I need to relay out, and receive only patient records mail from. If I rewrite the packets to appear to be from 10.10.10.4 I think this will work.
----- Forging packets is one solution to the problem but then another arises within. Such as being compliant with HIPAA and packet forwarding. Although I could not find anything relating to forwarding ""EPHI"" in HIPAA Rules, it could become a problem later on down the road if the entity gets hit with an E-Discovery for Email. I would seek legal counsel for that.
What would the best option for this be? I'm thinking I will have to stop using the gshield firewall that I used to use, and just write the rules manually in iptables because there will only be 1/2 a dozen or so and once they are written, they will be permanent.
-- Use a hardware router and firewall. Whatever you decide to do, document all of it on paper. You can get audited!
Thanks for the excellent replies.
JohnStanley
Well after running into more issues with the connections, we wound up putting a third network card in the main server. They thought this a better solution rather than forwarding the packets.
So now my issue is I have 3 nics.
eth0 - 10.10.10.1/255.255.255.0
eth1 - x.x.x.x/255.255.255.252 - Public Internet connection.
eth2 - y.y.y.y/255.255.255.252 - Private Connection.
Someone asked if we were encrypting. Yes, I have a cert in the server that is working. They can't talk to my server unless the cert shows up. This is the way they set their communication channels up.
The problem I think I am now having is that there is a long pause when I try to ssh into the box. I remember something about this from long ago, and thought it was just that the DNS wasn't pointed to 10.10.10.1 as the primary server on my box, but checked this and it is.
I also seem to have trouble connecting to machine from y.y.y.y when the default gateway is set to be eth1's gateway. Do I need 2 gateways listed? I only have the one which is my public one and the one I want as default.
This is starting to look like I need an advanced routing course to be able to get this to work properly. Does anyone have any recommendations on how to set this up properly with the 2 outbound interfaces?
Thanks for the replies thus far. They have been helpful.
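An added example, not from the thread: source-based policy routing for the three-NIC layout described above, so that traffic sourced from y.y.y.y on eth2 always leaves through eth2's gateway while eth1 keeps the only default route (the kind of "route statements on eth2" Thom later reports). The addresses are RFC 5737 documentation placeholders, PRIV_NET (the network behind the private link) is an assumption, and deriving the gateway as the other usable host of the /30 assumes the usual point-to-point provider link; with APPLY unset the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not from the thread): policy routing for a host with a LAN
# interface, a public /30 carrying the default route, and a private /30.
# Placeholder addresses; PRIV_NET is an assumption about what sits behind
# the private line. APPLY=1 executes the commands, otherwise they are printed.

LAN_IF="${LAN_IF:-eth0}";   LAN_IP="${LAN_IP:-10.10.10.1}"
PUB_IF="${PUB_IF:-eth1}";   PUB_IP="${PUB_IP:-203.0.113.2}";  PUB_GW="${PUB_GW:-203.0.113.1}"
PRIV_IF="${PRIV_IF:-eth2}"; PRIV_IP="${PRIV_IP:-198.51.100.9}"
PRIV_NET="${PRIV_NET:-192.0.2.0/24}"   # assumed: the partner's mail server lives here
PRIV_TABLE=200                         # assumed: an unused routing table id

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Dotted quad <-> 32-bit integer, in POSIX shell arithmetic.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# On a /30 the only other usable address is the far end of the link, so the
# provider's gateway follows from our own address. Network and broadcast
# addresses are rejected rather than silently turned into a bogus gateway.
p2p_peer() {
    ip=$(ip2int "$1"); net=$(( ip & ~3 ))
    case $(( ip - net )) in
        1) int2ip $(( net + 2 )) ;;
        2) int2ip $(( net + 1 )) ;;
        *) echo "not a usable /30 host address: $1" >&2; return 1 ;;
    esac
}

policy_routes() {
    PRIV_GW=$(p2p_peer "$PRIV_IP") || return 1
    # Main table: one default route (public line), partner network via eth2.
    run ip route replace default via "$PUB_GW" dev "$PUB_IF"
    run ip route replace "$PRIV_NET" via "$PRIV_GW" dev "$PRIV_IF"
    # Table 200: anything sourced from y.y.y.y leaves via eth2's gateway, so
    # replies to connections that came in on the private line go back out it.
    run ip route replace default via "$PRIV_GW" dev "$PRIV_IF" table "$PRIV_TABLE"
    # "ip rule add" is not idempotent; drop a stale copy before adding.
    run ip rule del from "$PRIV_IP" lookup "$PRIV_TABLE" 2>/dev/null || true
    run ip rule add from "$PRIV_IP" lookup "$PRIV_TABLE"
    run ip route flush cache
}

[ "${1:-}" = "show" ] && policy_routes
```

Two checks are worth doing after applying it: `ip rule show` and `ip route show table 200` should list the new rule and route, and `sysctl net.ipv4.conf.eth2.rp_filter` should be reviewed, because strict reverse-path filtering drops any packet arriving on eth2 whose source the main table would route out eth1; with the PRIV_NET route in place that only affects sources outside the partner network, which on a private link is usually the behaviour you want. On CentOS the same commands can be made persistent in `route-eth2` and `rule-eth2` under `/etc/sysconfig/network-scripts/`.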
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Thom Paine Sent: Friday, January 30, 2009 1:11 PM To: CentOS mailing list Subject: Re: [CentOS] Port Forwarding
Well after running into more issues with the connections, we wound up putting a third network card in the main server. They thought this a better solution rather than forwarding the packets.
So now my issue is I have 3 nics.
eth0 - 10.10.10.1/255.255.255.0
eth1 - x.x.x.x/255.255.255.252 - Public Internet connection.
eth2 - y.y.y.y/255.255.255.252 - Private Connection.
Someone asked if we were encrypting. Yes, I have a cert in the server that is working. They can't talk to my server unless the cert shows up. This is the way they set their communication channels up.
I asked about that SSL Connection + User being Authenticated.
The problem I think I am now having is that there is a long pause when I try to ssh into the box. I remember something about this from long ago, and thought it was just that the DNS wasn't pointed to 10.10.10.1 as the primary server on my box, but checked this and it is.
Well how busy is the machine in question?
Give a more detailed description of what you're trying to accomplish... Last thing: you should not even have a running SSH connection on that machine for management. You should be physically in front of it. That is what's called a HIPAA Violation.
JohnStanley
Thom Paine wrote:
It doesn't necessarily make sense. This entire project doesn't make sense. The issue is that we are sending confidential patient records through a private network.
Instead of using something like PKI encryption (like I use at the police station where I also work), this business model decided that all mail should be sent out their private network. Then they can check if the receiver should be receiving email in the first place. They originally wanted to take control of my mail server, and I would pick mail up from them for all my users and I said no to that. We are retaining control of our network, and mail server and relaying all outbound mail out this new connection. Incoming mail will transfer as normal from all sources except from this private network which could have confidential patient records, and it needs to come in this new connection from an authenticated mail server to my box.
If this is just for mail, why not run another instance of sendmail to accept and forward between connections so you get logging and a little more control of what is forwarded? If you want fairly complete control you can run something like MimeDefang as a milter and examine it any way you want before accepting. You could run this instance on a different host or bind it to a different IP address and/or port and perhaps require an ssl connection with authentication to connect.
--- Les Mikesell lesmikesell@gmail.com
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Les Mikesell Sent: Saturday, January 31, 2009 12:57 PM To: CentOS mailing list Subject: Re: [CentOS] Port Forwarding
Thom Paine wrote:
It doesn't necessarily make sense. This entire project doesn't make sense. The issue is that we are sending confidential patient records through a private network.
Instead of using something like PKI encryption (like I use at the police station where I also work), this business model decided that all mail should be sent out their private network. Then they can check if the receiver should be receiving email in the first place. They originally wanted to take control of my mail server, and I would pick mail up from them for all my users and I said no to that. We are retaining control of our network, and mail server and relaying all outbound mail out this new connection. Incoming mail will transfer as normal from all sources except from this private network which could have confidential patient records, and it needs to come in this new connection from an authenticated mail server to my box.
If this is just for mail, why not run another instance of sendmail to accept and forward between connections so you get logging and a little more control of what is forwarded? If you want fairly complete control you can run something like MimeDefang as a milter and examine it any way you want before accepting. You could run this instance on a different host or bind it to a different IP address and/or port and perhaps require an ssl connection with authentication to connect.
----- At one facility I work at we have two Exchange servers. One of them is on site and the other is remote hosted. On site mail server accepts ssl and authenticated connections from subnet A and B (two separate facilities). Actually subnet B is wireless, then forwards smtp to remote server. Both servers sync with smtp and POP3. Basically the onsite server is an Exchange archive server.
You're better off setting up another sendmail server for forwarding and connection handling than going through your elbow to get to your A$$ if you get what I mean. I tried that route you're trying to do.
The reason why they give you only info on Exchange is because it is more recognized in healthcare settings than an open source mail server. Novell would be next up on the list. "OpenVistA" is the only known Open Source server application that is widely accepted in the health care community and that you can have "Certified".
JohnStanley
The other issue we are having is that I need to run LDAP on that server for syncing address books to send email with. So not only do I need mail and LDAP, but I need ssl and authentication and certificates.
I do have another box here that I had planned on using for the forwarding task, I suppose that I could set it up to accept mail and forward to the main server. The main server could still use the smtp smarthost as the outbound default mailer and go out the second server's connection?
I guess what I really need is a Cisco 515 router. I should have thought of that a while ago.....
Thom Paine wrote:
The other issue we are having is that I need to run LDAP on that server for syncing address books to send email with. So not only do I need mail and LDAP, but I need ssl and authentication and certificates.
Those are all included - why not run them?
I do have another box here that I had planned on using for the forwarding task, I suppose that I could set it up to accept mail and forward to the main server. The main server could still use the smtp smarthost as the outbound default mailer and go out the second server's connection?
Yes - the one thing to watch out for is the possibility of forwarding to addresses that don't really exist, especially if there is any chance that this server can you can get hit with spam or anything generated by viruses. In this case you'll accept the message and forward it on to another host that will have to generate a bounce message and try to return it, probably also to an undeliverable address. If you have LDAP in the picture you can probably use it as the 'local user' lookup before accepting. Otherwise you might use sendmail's virtuser table to map the legal address to the forwarder so you can quickly reject anything else. Or with MimeDefang you can verify that the destination address will be accepted via SMTP before accepting for forwarding.
I guess what I really need is a Cisco 515 router. I should have thought of that a while ago.....
They are nice to impress people who might ask if you have a firewall, but you can do pretty much the same things with iptables or access lists on your border routers.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Thom Paine Sent: Monday, February 02, 2009 10:31 AM To: CentOS mailing list Subject: Re: [CentOS] Port Forwarding
The other issue we are having is that I need to run LDAP on that server for syncing address books to send email with. So not only do I need mail and LDAP, but I need ssl and authentication and certificates.
I do have another box here that I had planned on using for the forwarding task, I suppose that I could set it up to accept mail and forward to the main server. The main server could still use the smtp smarthost as the outbound default mailer and go out the second server's connection?
I guess what I really need is a Cisco 515 router. I should have thought of that a while ago.....
---- I am just curious here. You're up to about 2 or 3 mail servers, correct? That is for handling 2 different subnets or domains? Let's say domains. Ok? Add on top of that a POP3 or IMAP server. Now you're up to adding in LDAP for user management, slapping in a Cisco PIX 500 Series. How many total users do you need to support? That we don't know. To be completely honest I think you're just creating a big mess to keep up with and manage. That is way too much Administration Overhead to put up with in my opinion.
I think that your best solution outcome to this is to use Exchange Server 2007. Scalix can't top what you're wanting to do or need to do either. Exchange is fully HIPAA and SOX Compliant. You can do with one Exchange server what you're trying to get accomplished with 3 sendmail servers. You have right there mail, mail archiving, search by date and name, mail retention policies and backup. If the company gets hit up with an E Discovery for Email pertaining to certain keywords you will have the ability to do so on site with Exchange. That happens quite often at times. All of this is now the default standard in Exchange. The big drawback is the cost (per user). A wild guess is $10.00 per user account. Active Directory (ldap) can even run on top of Exchange. Also the databases can reside on a SAN now also.
I am an open source person but when it comes to something like that I hate to say it but Exchange has it covered. What's others' opinions? How would you do it? I'm curious to know how you would do this in an environment that has many compliance problems. Mainly issues of privacy rights not being violated.
JohnStanley
John wrote:
I am an open source person but when it comes to something like that I hate to say it but Exchange has it covered. What's others' opinions? How would you do it? I'm curious to know how you would do this in an environment that has many compliance problems. Mainly issues of privacy rights not being violated.
For a commercial solution, Lotus Domino might be even better. It is cross platform (runs on linux), supports all those same standards for various business standards and audit policies, you get a good web-client, pop and imap in addition to the Notes client (on Windows and Linux only).
Also, it is cheaper than Exchange.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Morten Torstensen Sent: Tuesday, February 03, 2009 2:56 AM To: CentOS mailing list Subject: Re: [CentOS] Port Forwarding
John wrote:
I am an open source person but when it comes to something like that I hate to say it but Exchange has it covered. What's others' opinions? How would you do it? I'm curious to know how you would do this in an environment that has many compliance problems. Mainly issues of privacy rights not being violated.
For a commercial solution, Lotus Domino might be even better. It is cross platform (runs on linux), supports all those same standards for various business standards and audit policies, you get a good web-client, pop and imap in addition to the Notes client (on Windows and Linux only).
Also, it is cheaper than Exchange.
----------------- I agree with using Lotus also, except for one thing: cost per user. How is it cheaper? I come up with anywhere from $15.00 - $18.00 per user. Albeit running on Linux it would be cheaper (no CALs to buy). The other bad thing is the same as Exchange: "The Lock In". A plus also is single sign on capabilities.
I hear migration from Lotus Domino to Exchange is cheaper. I do not have a validation on that either. Albeit migrating from Exchange 5.5 and 2000 is a pretty large ROI after complete migration. You pretty much don't need the extra support applications that are required for backup and retention.
JohnStanley
No, I only have one mailserver with one domain I'm managing with about 30 users. I think I have the routing working properly now, as well as the ACLs.
I put some route statements on eth2 for the private network and that seems to have resolved issues.
I do have an authentication issue with ldap, but I'll get on the ldap mailing list for that.
Thanks for everyone's help.