[Shorewall-users] Problem with outgoing Masquerade

Stephen Carville stephen at totalflood.com
Tue Mar 1 16:11:58 PST 2005


I'm having another little problem with my new firewall.  I want outgoing port 
25 from my mail server to appear on the address 65.223.121.227 so I created 
the file masq:

eth2  192.168.124.18  65.223.121.227  tcp  25
eth1            eth5
eth1            eth3
eth1            eth4

eth1 == net0 == 209.189.103.196/27
eth2 == net1 == 65.223.121.237/28
eth3 == dmz0
eth4 == dmz1
eth5 == loc == 192.168.124.249/24

(Yes, I know the danger of having a production server in the local network.  I 
inherited this setup and I am trying to fix it)

65.223.121.227 is on eth2:1

Shorewall restarts cleanly and I see in the status:

   0     0 SNAT       tcp  --  *      *       192.168.124.18       0.0.0.0/0  
tcp dpt:25 to:65.223.121.227

Next I log onto 192.168.124.18 and initiate an outbound connection to port 25 
on a machine in another Autonomous System.

$ telnet 216.117.196.95 25
Trying 216.117.196.95...
Connected to 216.117.196.95.
Escape character is '^]'.
220 mail.heronforge.net ESMTP Postfix
quit
221 Bye
Connection closed by foreign host.

On eth5 on the firewall I see:

15:25:15.473608 192.168.124.18.36587 > 216.117.196.95.smtp: S 
772082250:772082250(0) win 5840 <mss 1460,sackOK,timestamp 645676248 
0,nop,wscale 0> (DF) [tos 0x10]
15:25:15.503249 216.117.196.95.smtp > 192.168.124.18.36587: S 
1219378846:1219378846(0) ack 772082251 win 5792 <mss 1460,sackOK,timestamp 
427958860 645676248,nop,wscale 2> (DF)
15:25:15.503403 192.168.124.18.36587 > 216.117.196.95.smtp: . ack 1 win 5840 
<nop,nop,timestamp 645676251 427958860> (DF) [tos 0x10]
15:25:15.866525 216.117.196.95.smtp > 192.168.124.18.36587: P 1:40(39) ack 1 
win 1448 <nop,nop,timestamp 427959228 645676251> (DF)
15:25:15.866743 192.168.124.18.36587 > 216.117.196.95.smtp: . ack 40 win 5840 
<nop,nop,timestamp 645676287 427959228> (DF) [tos 0x10]
15:25:17.865766 192.168.124.18.36587 > 216.117.196.95.smtp: P 1:7(6) ack 40 
win 5840 <nop,nop,timestamp 645676487 427959228> (DF) [tos 0x10]
15:25:17.889344 216.117.196.95.smtp > 192.168.124.18.36587: . ack 7 win 1448 
<nop,nop,timestamp 427961252 645676487> (DF)
15:25:17.901743 216.117.196.95.smtp > 192.168.124.18.36587: P 40:49(9) ack 7 
win 1448 <nop,nop,timestamp 427961253 645676487> (DF)
15:25:17.902264 192.168.124.18.36587 > 216.117.196.95.smtp: . ack 49 win 5840 
<nop,nop,timestamp 645676491 427961253> (DF) [tos 0x10]
15:25:17.908362 216.117.196.95.smtp > 192.168.124.18.36587: F 49:49(0) ack 7 
win 1448 <nop,nop,timestamp 427961253 645676487> (DF)
15:25:17.908763 192.168.124.18.36587 > 216.117.196.95.smtp: F 7:7(0) ack 50 
win 5840 <nop,nop,timestamp 645676491 427961253> (DF) [tos 0x10]
15:25:17.932752 216.117.196.95.smtp > 192.168.124.18.36587: . ack 8 win 1448 
<nop,nop,timestamp 427961295 645676491> (DF)

This is what I expect.  However on the target machine:

15:25:15.477122 IP 209.189.103.196.36587 > 216.117.196.95.smtp: S 
772082250:772082250(0) win 5840 <mss 1460,sackOK,timestamp 645676248 
0,nop,wscale 0>
15:25:15.477160 IP 216.117.196.95.smtp > 209.189.103.196.36587: S 
1219378846:1219378846(0) ack 772082251 win 5792 <mss 1460,sackOK,timestamp 
427958860 645676248,nop,wscale 2>
15:25:15.506939 IP 209.189.103.196.36587 > 216.117.196.95.smtp: . ack 1 win 
5840 <nop,nop,timestamp 645676251 427958860>
15:25:15.844588 IP 216.117.196.95.smtp > 209.189.103.196.36587: P 1:40(39) ack 
1 win 1448 <nop,nop,timestamp 427959228 645676251>
15:25:15.869751 IP 209.189.103.196.36587 > 216.117.196.95.smtp: . ack 40 win 
5840 <nop,nop,timestamp 645676287 427959228>
15:25:17.869000 IP 209.189.103.196.36587 > 216.117.196.95.smtp: P 1:7(6) ack 
40 win 5840 <nop,nop,timestamp 645676487 427959228>
15:25:17.869021 IP 216.117.196.95.smtp > 209.189.103.196.36587: . ack 7 win 
1448 <nop,nop,timestamp 427961252 645676487>
15:25:17.869266 IP 216.117.196.95.smtp > 209.189.103.196.36587: P 40:49(9) ack 
7 win 1448 <nop,nop,timestamp 427961253 645676487>
15:25:17.869532 IP 216.117.196.95.smtp > 209.189.103.196.36587: F 49:49(0) ack 
7 win 1448 <nop,nop,timestamp 427961253 645676487>
15:25:17.906320 IP 209.189.103.196.36587 > 216.117.196.95.smtp: . ack 49 win 
5840 <nop,nop,timestamp 645676491 427961253>
15:25:17.911918 IP 209.189.103.196.36587 > 216.117.196.95.smtp: F 7:7(0) ack 
50 win 5840 <nop,nop,timestamp 645676491 427961253>
15:25:17.911935 IP 216.117.196.95.smtp > 209.189.103.196.36587: . ack 8 win 
1448 <nop,nop,timestamp 427961295 645676491>

Instead of replacing the 192.168.124.18 with 65.223.121.227, I get a source 
address of 209.189.103.196.  Is this the correct behavior?  If so how do I 
get the source address on outgoing packets NAT'ed to 65.223.121.227?


-- 
Stephen Carville
Unix and Network Administrator
Nationwide-Totalflood
6033 W.Century Blvd.
Los Angeles, CA 90045
310-342-3602
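Added example (editor's illustration, not part of the post and not Shorewall code): a small model of why the far-end capture shows 209.189.103.196. Netfilter makes the routing decision before nat/POSTROUTING runs, so the outgoing interface is fixed first and only the masq entries for that interface can match. The eth2 line therefore never sees a packet that the default route sends out eth1 (the `0 0` counters on the SNAT rule in the status output say as much), and the `eth1 eth5` line masquerades it to eth1's address instead. The routing table below is assumed from the post (the default route via eth1 is inferred from the observed source address, not shown in the post), the `eth5` SOURCE column is written out as the loc subnet, and the dmz entries are omitted because no addresses are given for them.

```python
"""Model of the Netfilter ordering behind the capture in the post: the
routing decision picks the outgoing interface first, and only then do the
POSTROUTING SNAT/MASQUERADE rules for *that* interface get a chance to match.
Added illustration, not Shorewall's own code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


@dataclass(frozen=True)
class MasqRule:
    """One line of Shorewall's masq file: INTERFACE SOURCE ADDRESS PROTO PORT."""
    out_if: str
    source: ipaddress.IPv4Network      # SOURCE, given here as a subnet
    to: Optional[str] = None           # ADDRESS; None means plain MASQUERADE
    proto: Optional[str] = None
    dport: Optional[int] = None


# Routing table as assumed from the post. The default route via eth1 (net0)
# is inferred from the 209.189.103.196 source seen at the far end; the post
# does not print the table.
ROUTES = [
    Route(net("192.168.124.0/24"), "eth5"),    # loc
    Route(net("209.189.103.196/27"), "eth1"),  # net0
    Route(net("65.223.121.237/28"), "eth2"),   # net1
    Route(net("0.0.0.0/0"), "eth1"),           # default (assumed)
]

# The masq file from the post, in file order. The `eth5` SOURCE column is
# written as the loc subnet; the eth3/eth4 (dmz) entries are left out because
# the post gives no addresses for them.
MASQ = [
    MasqRule("eth2", net("192.168.124.18/32"), "65.223.121.227", "tcp", 25),
    MasqRule("eth1", net("192.168.124.0/24")),
]

# Primary address of each external interface (from the post).
IF_ADDRS = {"eth1": "209.189.103.196", "eth2": "65.223.121.237"}


def egress_interface(dst: str, routes=ROUTES) -> str:
    """Longest-prefix match: the decision the kernel's FIB lookup makes
    before the packet ever reaches nat/POSTROUTING."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best.dev


def apply_snat(src: str, dst: str, proto: str, dport: int,
               routes=ROUTES, rules=MASQ, if_addrs=IF_ADDRS) -> Tuple[str, str]:
    """Return (outgoing interface, source address as seen on the wire).
    The first masq rule for the chosen interface that matches wins; if none
    matches, the packet leaves with its original (here: private) source."""
    dev = egress_interface(dst, routes)
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule.out_if != dev or src_ip not in rule.source:
            continue
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return dev, (rule.to or if_addrs[dev])
    return dev, src


if __name__ == "__main__":
    # The telnet session from the post: routed out eth1, so the eth2 rule never
    # matches (its counters stay 0 0) and the eth1 MASQUERADE applies.
    print(apply_snat("192.168.124.18", "216.117.196.95", "tcp", 25))
    # The intended result only appears if the packet is routed via eth2
    # (hypothetical host route, for illustration).
    via_eth2 = [Route(net("216.117.196.95/32"), "eth2")] + ROUTES
    print(apply_snat("192.168.124.18", "216.117.196.95", "tcp", 25, routes=via_eth2))
    # Caveat: with such a route, anything other than tcp/25 from loc would leave
    # eth2 with a private source, since the masq file has no general eth2 entry.
    print(apply_snat("192.168.124.18", "216.117.196.95", "tcp", 80, routes=via_eth2))
```

Run stand-alone, the block prints the observed case (`eth1`, `209.189.103.196`), the case where a hypothetical host route sends the destination out eth2 (`eth2`, `65.223.121.227`), and the caveat case: once traffic is steered out eth2, any loc traffic that is not tcp/25 leaves with its 192.168.124.x source untouched because the posted masq file has no general `eth2 eth5` entry. Whatever mechanism is used to get the mail traffic onto eth2, the masq file needs a matching catch-all for that interface as well.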
