jnbkze asked:
RH Linux with 2 NICs

Hi All,

I have the following problem: I have a RH9.1 Linux box with 2 network cards installed. Both are configured and working correctly. The box obviously has 2 IP addresses: a 10.x.x.x address and one which falls in a range of 30 assigned to me by my ISP. The box acts as a router for the subnet allocated to me by the ISP. The box is in my DMZ. The default route on the box is a 10.x.x.x address. I have no routing issues and all routing from the internet and from my inside LAN is working fine.

The problem is this. The box is an SMTP relay so that my Exchange box does not have to be directly exposed to the net. When my box is connecting to the net it is presenting itself as 10.x.x.x instead of the 196.x.x.x address allocated by my ISP.

How can I make the box connect with the 196.x.x.x address? Currently, I get connection refused errors when I try and connect to anything on the net because the box is presenting itself as 10.x.x.x, which is not routable over the internet. I'm guessing something like MASQ but I'm not sure. Any pointers as to what I can do about this are most welcome, as my points allocation will reflect.

Thanks in advance

jnbkze
jlevie:

> The default route on the box is the a 10.x.x.x address

Which would be wrong since the default route for this system should be your ISP's router's IP. With it set to the IP it is now the box will try to use the private network (10.x.x.x) and thus a private IP to reach the Internet. By setting the default route correctly it will use an outside IP.
jnbkze (asker):

Hi Jlevie,

This is a rough idea of what the connections between my box and my ISP look like

linux box -> DMZ NIC on FW -> External NIC on FW -> My Internet Router -> ISP Router

The DMZ NIC has the 10.x.x.x address
The second NIC on my linux host is 196.x.x.x and the Linux host is acting as a router for the 196.x.x.x subnet allocated to me.

I don't see how I could set up my ISP-assigned IP as the default gateway. I don't see how that could work without using my DMZ NIC as the default route, and therefore how could I use the 196.x.x.x IP for the default gateway? Wouldn't I need to have a virtual NIC on the DMZ interface in the same subnet as the range allocated by the ISP?



                                -----------------------------
                                          internet
                                -----------------------------
                                             |
                                        My Router 196.A.B.X
                                             |
                                       FW External NIC 196.A.B.X
                                             |
                                       FW DMZ NIC 10.x.x.x
                                             |
                                       Linux Host NIC1 10.x.x.x
                                             |
                                       Linux Host NIC2 196.A.C.X

Hopefully this gives a slightly better picture.


jnbkze

ASKER CERTIFIED SOLUTION
jlevie
(This solution is only available to members of Experts Exchange.)
Hi :-)

How would you describe "presenting itself"?
Do you mean the SMTP header you see when you telnet port 25?

In order to make your SMTP relay connect to the Internet, you will need to translate its address, just as you would do with any client workstation.

NAT is defined on the firewall. For that purpose, the DMZ works exactly the same way your LAN connects. You have to tell your firewall to translate outgoing connections from 10.x.x.x to an address you will pick (196.A.B.D). On Linux, this is called SNAT.

Depending on your firewall type, another NAT needs to be defined which forwards SMTP connections from your legal SMTP ip address to your DMZ server. On Linux, this is called DNAT.

In addition to that, you have to open some access controls to your DMZ relay host like so:
1. Allow connection from all addresses to the DMZ host on port 25/tcp
2. Allow the DMZ host to connect to the Internet on port 25/tcp and 53/udp (DNS lookups, very important if you resolve using a DNS server your ISP provides).
3. Allow the DMZ host to connect to the internal mail server on port 25/tcp.

If your firewall is/were a Linux host, the commands should be:
# NAT
# Outbound: rewrite the relay's source to the public SMTP address, but only on
# the external interface (eth0 assumed here), so traffic toward the internal
# LAN keeps its 10.x source.
iptables -t nat -A POSTROUTING -o eth0 -s 10.20.30.40 -j SNAT --to-source 196.A.B.D
# Inbound: DNAT has to run in PREROUTING (before the routing decision) and
# point at the relay's private address, not back at the public one.
iptables -t nat -A PREROUTING -d 196.A.B.D -p tcp --dport 25 -j DNAT --to-destination 10.20.30.40

# Access Controls
# Let replies to already-accepted connections through; INVALID is never accepted.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.20.30.40 -p tcp --dport 25 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s 10.20.30.40 -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -d 10.20.30.40 -p tcp --dport 25 -m state --state NEW -j ACCEPT

Replace 10.20.30.40 with the actual internal address of your relay host.
Replace 196.A.B.D with your legal SMTP IP address, and eth0 with your firewall's external interface.

Note: The access controls may not fit your requirements. Do not accept these blindly. They may also not work (e.g. if you do not use states in your firewall). Open the access controls as you see fit and check if they allow proper communications.

Enjoy!
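The SNAT/DNAT and access-control steps from the answer above, assembled into one complete firewall script. This is an added example, not code from any post in this thread. It assumes eth0 is the firewall's external NIC, eth1 its DMZ NIC, 10.20.30.40 the relay (as in the answer), 203.0.113.25 standing in for the poster's public 196.A.B.D address, and 192.168.1.10 the internal Exchange server. It runs in dry-run mode by default, printing the rules instead of loading them, so it can be reviewed on any machine; set DRY_RUN=0 on the firewall itself. Beyond the answer's fragment, it sets a DROP policy on FORWARD, drops INVALID instead of accepting it, puts the DNAT in PREROUTING, and binds the SNAT to the external interface so relay traffic to the internal mail server keeps its 10.x source.

```shell
#!/bin/sh
# Added example: DMZ SMTP relay NAT and forwarding rules for a Linux firewall.
# Interface names and addresses below are assumptions, not values from the thread.
EXT_IF="${EXT_IF:-eth0}"                       # assumed external NIC
DMZ_IF="${DMZ_IF:-eth1}"                       # assumed DMZ NIC
RELAY_IP="${RELAY_IP:-10.20.30.40}"            # relay's DMZ address (from the answer)
PUBLIC_SMTP_IP="${PUBLIC_SMTP_IP:-203.0.113.25}"   # stands in for 196.A.B.D
INTERNAL_MAIL="${INTERNAL_MAIL:-192.168.1.10}" # assumed internal Exchange server
DRY_RUN="${DRY_RUN:-1}"

# In dry-run mode print each rule instead of loading it into the kernel.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

dmz_relay_rules() {
    ipt -t nat -F
    ipt -F FORWARD
    # Nothing is forwarded unless a rule below allows it.
    ipt -P FORWARD DROP
    # Replies to accepted connections pass; INVALID is dropped, never accepted.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state INVALID -j DROP

    # Inbound SMTP: rewrite the public address to the relay before the routing
    # decision (PREROUTING), then permit the forwarded connection into the DMZ.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_SMTP_IP" -p tcp --dport 25 \
        -j DNAT --to-destination "$RELAY_IP"
    ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$RELAY_IP" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT

    # Outbound from the relay: SMTP and DNS only, and only toward the Internet.
    ipt -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$RELAY_IP" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$RELAY_IP" -p udp --dport 53 \
        -m state --state NEW -j ACCEPT
    # SNAT bound to the external NIC, so relay traffic toward the internal LAN
    # is not rewritten and still arrives from its 10.x address.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$RELAY_IP" \
        -j SNAT --to-source "$PUBLIC_SMTP_IP"

    # Relay to the internal mail server on 25/tcp; nothing else from the DMZ inward.
    ipt -A FORWARD -i "$DMZ_IF" -s "$RELAY_IP" -d "$INTERNAL_MAIL" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
}

dmz_relay_rules
```

Run it as-is to review the generated rules, then compare against the firewall's actual policy before loading; the relay also needs IP forwarding enabled on the firewall (net.ipv4.ip_forward=1), which this script does not touch.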