Okay, my BSD rig isn't doing its job and I can't figure out what I didn't tell it to do right.
I got a pair of DSL lines coming into the gateway, one for email and the other for our web-gui app here at work. I got the NATing down fine. It's the port forwarding that isn't working right.
For some reason the mail server that it is supposed to forward to (MS - Exchange 5.5) doesn't even see it, and the sender (depending on what smtp you are on) may see it as an open relay.
I currently have to get the sucker back up and going, so it's back to the old way -- not going thru my gateway, and running that crap firewall BlackICE (very unstable on that box).
I am figuring you want my /etc/nat.conf
and my /etc/pf.conf is coming along for a ride too :)
Code:
# Declare some variables for ease of use
SBC="ne3"
MCLEOUD="xl0"
LAN="206.190.6.0/24"
# Allow LAN to talk to SBC router
nat on ne4 from any to 192.168.254.254 -> $SBC
nat on ne3 from 206.190.6.249 to 192.168.254.254 -> $SBC
# Set basic NAT to occur on MCLeoud DSL line.
nat on $MCLEOUD from $LAN to any -> $MCLEOUD
# Setup port forwarding on ports for email
# SMTP
rdr on ne3 proto tcp from any to any port 25 -> 206.190.6.249 port 25
# IMAP
rdr on ne3 proto tcp from any to any port 143 -> 206.190.6.249 port 143
# imap3
rdr on ne3 proto tcp from any to any port 220 -> 206.190.6.249 port 220
# IMAP4
rdr on ne3 proto tcp from any to any port 585 -> 206.190.6.249 port 585
# S-IMAP
rdr on ne3 proto tcp from any to any port 993 -> 206.190.6.249 port 993
# POP3
rdr on ne3 proto tcp from any to any port 110 -> 206.190.6.249 port 110
# S-POP3
rdr on ne3 proto tcp from any to any port 995 -> 206.190.6.249 port 995
Like I said, I have tried a ton of stuff all day Friday and Saturday (in fact I was bugging the hell out of setient Saturday -- thanks again, you did help a lot and I appreciate it). I had originally no screwy nat rules, just the one for natting on xl0, and then the crapload of ports to get piped over there. I figured it would be safe to trim it slightly and remove the dozen or so udp lines (since AFAIK there are no UDP ports used for mail).
Code:
#       $OpenBSD: pf.conf,v 1.2 2001/06/26 22:58:31 smart Exp $
# See pf.conf(5) for syntax and examples
# pass all packets in and out (these are the implicit last two rules)
pass in all
pass out all
scrub in all
Thanks again!
Try disabling nat rlated stuff and see if you can get through. That will tell you if it is nat related or something else. One step at a time.
Okay, thanks! I'll give that a try. I can't do anything till after work so I'll try that then.
Just to make sure that it's set up right, I should essentially comment out all nat rules and leave the rdr rules in, eh?
Well, thanks again!
In ipf you'd have to put your rdr rules before nat (map) rules. Since it was replaced with pf I'm not sure if it's still true (but pf is supposed to be syntactically compatible with ipf).
Really.... that may prove very helpful!
Thanks!
Here's how I do mine.
nat on fxp1 from 10.1.0.0/16 to any -> fxp1
rdr on fxp1 proto tcp from any to xxx.xxx.xxx.xxx/32 port 28 -> 10.1.2.2 port 25
rdr on fxp1 proto tcp from any to xxx.xxx.xxx.xxx/32 port 44 -> 10.1.2.2 port 44
rdr on fxp1 proto tcp from any to xxx.xxx.xxx.xxx/32 port 45 -> 10.1.2.2 port 45
rdr on fxp1 proto tcp from any to xxx.xxx.xxx.xxx/32 port 73 -> 10.1.2.2 port 73
rdr on fxp1 proto tcp from any to xxx.xxx.xxx.xxx/32 port 71 -> 10.1.2.2 port 71
rdr on fxp1 proto tcp from any to xxx.xxx.xxx.xxx/32 port 75 -> 10.1.2.2 port 75
rdr on fxp1 proto tcp from any to xxx.xxx.xxx.xxx/32 port 77 -> 10.1.2.2 port 77
rdr on fxp1 proto tcp from any to xxx.xxx.xxx.xxx/32 port 85 -> 10.1.2.2 port 85
Where xxx.xxx.xxx.xxx = your public IP
Here is part of my pf ruleset to follow:
pass in quick on $ExtIF proto tcp from xxx.xxx.xxx.xxx/32 to 10.1.2.2 port = 25
pass in log quick on $ExtIF proto tcp from xxx.xxx.xxx.xxx/32 to 10.1.2.2 port = 44
pass in quick on $ExtIF proto tcp from xxx.xxx.xxx.xxx/32 to 10.1.2.2 port = 45
pass in quick on $ExtIF proto tcp from xxx.xxx.xxx.xxx/32 to 10.1.2.2 port = 73
pass in quick on $ExtIF proto tcp from xxx.xxx.xxx.xxx/32 to 10.1.2.2 port = 71
pass in quick on $ExtIF proto tcp from xxx.xxx.xxx.xxx/32 to 10.1.2.2 port = 75
pass in quick on $ExtIF proto tcp from xxx.xxx.xxx.xxx/32 to 10.1.2.2 port = 77
pass in quick on $ExtIF proto tcp from xxx.xxx.xxx.xxx/32 to 10.1.2.2 port = 85
Where xxx.xxx.xxx.xxx is the source ip you want to allow the redirect to come from.
This is obviously not my entire ruleset, just the part of the ruleset that allows for the redirects. Even more painfully obvious is the fact that I run a default deny, which is the way to go with pf. A pass in / pass out ruleset doesn't really provide you with that much protection.
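As an added illustration of the pairing described above (this is not code from the thread or from OpenBSD): because pf filters the packet after rdr has rewritten its destination, a default-deny pf.conf needs a pass in rule naming the internal address for every redirect, or the redirected connection is dropped without the mail server ever seeing it. The script below checks that pairing over constructed sample rules modelled on the ones posted (203.0.113.10 stands in for the public IP, 198.51.100.7 for the allowed remote source, and $ExtIF is assumed already expanded to fxp1).

```python
import re
# Constructed sample rules (not the poster's config), modelled on those in this
# thread: 203.0.113.10 stands in for the public IP, 198.51.100.7 for the allowed
# remote source; the $ExtIF macro is assumed already expanded to fxp1.
NAT_CONF = """\
nat on fxp1 from 10.1.0.0/16 to any -> fxp1
rdr on fxp1 proto tcp from any to 203.0.113.10/32 port 28 -> 10.1.2.2 port 25
rdr on fxp1 proto tcp from any to 203.0.113.10/32 port 44 -> 10.1.2.2 port 44
rdr on fxp1 proto tcp from any to 203.0.113.10/32 port 143 -> 10.1.2.2 port 143
"""
PF_CONF = """\
pass in quick on fxp1 proto tcp from 198.51.100.7/32 to 10.1.2.2 port = 25
pass in log quick on fxp1 proto tcp from 198.51.100.7/32 to 10.1.2.2 port = 44
block in log on fxp1 all
"""
# rdr on IF proto P from SRC to DST port N -> INT_IP port M
RDR_RE = re.compile(
    r"^rdr on (\S+) proto (\S+) from \S+ to \S+ port (\d+) -> (\S+) port (\d+)")
# pass in [log] [quick] on IF proto P from SRC to DST port [=] M
PASS_RE = re.compile(
    r"^pass in(?: log)?(?: quick)? on (\S+) proto (\S+) from \S+ to (\S+) port\s*=?\s*(\d+)")

def parse_rdr(nat_conf):
    """(iface, proto, internal_ip, internal_port) for every rdr rule."""
    targets = []
    for line in nat_conf.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            iface, proto, _ext_port, int_ip, int_port = m.groups()
            targets.append((iface, proto, int_ip, int(int_port)))
    return targets

def parse_pass(pf_conf):
    """(iface, proto, dst, port) for every inbound pass rule."""
    allowed = []
    for line in pf_conf.splitlines():
        m = PASS_RE.match(line.strip())
        if m:
            iface, proto, dst, port = m.groups()
            allowed.append((iface, proto, dst, int(port)))
    return allowed

def unfiltered_redirects(nat_conf, pf_conf):
    """rdr targets no pass rule covers: pf filters after translation, so the pass
    rule must name the internal address (or any); under default deny they drop."""
    allowed = parse_pass(pf_conf)
    return [(i, p, ip, port) for i, p, ip, port in parse_rdr(nat_conf)
            if not any(a_i == i and a_p == p and a_ip in ("any", ip) and a_port == port
                       for a_i, a_p, a_ip, a_port in allowed)]
```

Running it on the sample reports the port 143 redirect, which has an rdr line but no pass in rule for 10.1.2.2 port 143.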
Thank you! I will try that. I am currently trying to figure this one out still. For some reason, I am being told that I really need to use a fourth NIC. Well that is not looking like it will be an easy task. OBSD refuses to see more than 3 NICs in the box. And for shits and giggles, I threw up a RH 7.3 box to use as a test bed to see if it is easier in linux (which is answered with a resounding HELL FRIGGIN NO). RH will see the cards with a stock kernel (which has no IP tables / netfilter support). As soon as I recompile to add in that support, all of the previous work on getting the NICs set up is shot down the tube.
Am I just a moron? Is that why it is not working ;D
But again, thanks! I'll give it a shot. That does sound rather similar to the original settings I used, though. Oh well, I shall see -- won't I?
I actually got to thinking about this quite a bit this afternoon. You have two DSL lines. Are you trying to route between them? If you are you don't need a redirect rule you need a route. Routes can be added fairly easily.
Open up /etc/netstart, go to the end of the file and add a route to the network of the subnet you are trying to access. I.E.
route add 10.20.21.0/24 10.20.20.254
Where 10.20.21.0/24 is the destination subnet and 10.20.20.254 is the local gateway. I'm not sure this will work for you, I really need some more information but it sounds like you're trying to route to another subnet through your OpenBSD box.
Maybe this will help, I could be completely off base here, hard to answer without seeing exactly what it is you are trying to do.
Just to clarify my needs:
I have 2 DSL pipes, 1 for general internet needs for the company and our webGUI app for doing some work with SBC/Ameritech; and the other for our email and ftp (outgoing only, but the servers all need our IP as authentication).
I have 3 NICs as of now in there to do each DSL pipe and of course the LAN. I want to remove our mail server from the SBC DSL router (the router has NAT built in, which was what we were using, and used BlackICE to filter naughty people out). Amerivoice1, our mail server, has been acting rather badly as of lately, and operates at its best when the firewall is disabled. I just couldn't figure out how to get the damn gateway to route the packets for AVO1. I was getting all kinds of problems -- most importantly not being able to (with the rules enacted and the router set to map mail.amerivoice.com to the gateway instead of AVO1) ping mail.amerivoice.com. Other problems also popped up too, but I figure if I could at least ping the damn thing I should be okay from there.
I will get about trying the route idea you have today sometime and let you know how well it fared for me. Again I appreciate your help. It's nice to have knowledgeable BSD gurus around ;D
Schotty slides elmore a big stein of Guinness.
Duh...
I almost forgot some extra stuff ....
LAN = 206.190.6.0/24
SBC = 192.168.254.0/24
MCLeod = 192.168.1.0/24
Currently I have a line going from the gateway from the NICS to all of the previous elements
LAN IP = 206.190.6.222
SBC = 192.168.254.2
MCLeod = 192.168.1.2
Amerivoice 1, our mail server, is 206.190.6.249. What I originally tried and failed on was a rdr from the SBC_if to 206.190.6.249 for all ports (after the individual port idea failed, figure try to get it working first, then get fancy).
As soon as I get time today I am going to try it out.
Edit: Okay, I am looking at the /etc/netstart and get what it does, but for the route add command, I am not seeing that great of specific documentation at www.openbsd.org. How is that going to map the IP to AVO1 or push the mail packets over? Shall I use route add + rdr to accomplish this?
and here is a copy of what is going on as of right now:
Code:
$ cat /etc/nat.conf
#Name the adapters to the above specifications
MCLEOD="xl0"
EXCHANGE="ne1"
SBC="ne3"
LAN="ne4"
# NAT Rules
# Use the MCLEOD DSL pipe for LAN internet connectivity
nat on $MCLEOD from 206.190.6.0/24 to any -> $MCLEOD
# Use the SBC DSL pipe for LAN internet connectivity
# nat on $SC from $LAN to any -> $SBC
Code:
$ cat /etc/pf.conf
# Setup a variable for who IS allowed to go online
FullInternetIPs="{206.190.6.18/32, 206.190.6.3/32, 206.190.6.8/32, 206.190.6.11/32, 206.190.6.32/32, 206.190.6.56/32, 206.190.6.97/32, 206.190.6.111/32, 206.190.6.156/32, 206.190.6.211/32, 206.190.6.222/32, 206.190.6.243/32, 206.190.6.247/32, 206.190.6.249/32}"
WAN="xl0"
LAN="ne4"
SBC="{209.184.193.164/32,216.239.51.101/32}"
DNS="{206.141.239.126/32,206.141.251.2/32, 209.253.113.18/32,209.253.113.10/32}"
LONG_DISTANCE="{209.25.87.227/32,216.47.168.105/32}"
# Microsoft's Evil Empire
EVIL_EMPIRE="{207.46.197.100/32, 207.46.197.102/32, 207.46.230.218/32, 207.46.230.219/32, 207.46.226.19/32, 65.54.249.126/32, 207.68.131.197/32, 65.54.249.62/32, 207.46.226.17/32}"
# Default Rules
pass out quick on $LAN all
pass in quick on $LAN from any to 206.190.6.222/32
pass in quick on $LAN from $FullInternetIPs to any
pass in quick on $LAN from any to $SBC
pass in quick on $LAN from any to $DNS
pass in quick on $LAN from any to $LONG_DISTANCE
pass in quick on $LAN from any to $EVIL_EMPIRE
pass in quick on ne3 proto tcp from any to any port 22
block in log on $LAN all