Why won't vyatta allow SMTP through my firewall?
Posted by Solignis on Server Fault
Published on 2011-11-27T04:12:55Z
I am setting up a Vyatta router on VMware ESXi, but I seem to have hit a major snag: I could not get my firewall and NAT to work correctly.
I am not sure what was wrong with NAT, but it "seems" to be working now. The firewall, however, is not allowing traffic from my WAN interface (eth0) to my LAN (eth1). I can confirm it's the firewall because I disabled all firewall rules and everything worked with just NAT. If I put the firewalls (WAN and LAN) back in place, nothing can get through to port 25.
I am not really sure what the issue could be. I am using pretty basic firewall rules; I wrote them while looking at the Vyatta docs, so unless there is something odd with the documentation they "should" be working.
Here are my NAT rules so far:
vyatta@gateway# show service nat
 rule 20 {
     description "Zimbra SNAT #1"
     outbound-interface eth0
     outside-address {
         address 74.XXX.XXX.XXX
     }
     source {
         address 10.0.0.17
     }
     type source
 }
 rule 21 {
     description "Zimbra SMTP #1"
     destination {
         address 74.XXX.XXX.XXX
         port 25
     }
     inbound-interface eth0
     inside-address {
         address 10.0.0.17
     }
     protocol tcp
     type destination
 }
 rule 100 {
     description "Default LAN -> WAN"
     outbound-interface eth0
     outside-address {
         address 74.XXX.XXX.XXX
     }
     source {
         address 10.0.0.0/24
     }
     type source
 }
Then here are my firewall rules; this is where I believe the problem is.
vyatta@gateway# show firewall
 all-ping enable
 broadcast-ping disable
 conntrack-expect-table-size 4096
 conntrack-hash-size 4096
 conntrack-table-size 32768
 conntrack-tcp-loose enable
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name LAN_in {
     rule 100 {
         action accept
         description "Default LAN -> any"
         protocol all
         source {
             address 10.0.0.0/24
         }
     }
 }
 name LAN_out {
 }
 name LOCAL {
     rule 100 {
         action accept
         state {
             established enable
         }
     }
 }
 name WAN_in {
     rule 20 {
         action accept
         description "Allow SMTP connections to MX01"
         destination {
             address 74.XXX.XXX.XXX
             port 25
         }
         protocol tcp
     }
     rule 100 {
         action accept
         description "Allow established connections back through"
         state {
             established enable
         }
     }
 }
 name WAN_out {
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
SIDENOTE
To test for open ports I have been using this website, http://www.yougetsignal.com/tools/open-ports/; it showed port 25 as open without the firewall rules and closed with the firewall rules.
UPDATE
Just to see if the firewall was working properly I made a rule to block SSH from the WAN interface. When I checked for port 22 on my primary WAN address it said it was still open even though I outright blocked the port.
Here is the rule I used:
 rule 21 {
     action reject
     destination {
         address 74.219.80.163
         port 22
     }
     protocol tcp
 }
So now I am convinced either I am doing something wrong or the firewall is not working like it should.
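An added configuration check, not part of this post or of Vyatta itself: it parses the posted "show" output (a constructed excerpt, with 203.0.113.10 standing in for the masked WAN address) and reports destination-NAT rules whose inside address no rule in the inbound firewall set would accept. It assumes, as on a netfilter-based router like Vyatta, that the interface "in" rule set is evaluated after DNAT and therefore matches on the translated inside address rather than the public one; whether the rule set is actually bound to eth0 is not visible in "show firewall" and is not checked here.

```python
import ipaddress
import re

# Constructed excerpt of the posted config; 203.0.113.10 stands in for the masked WAN address.
NAT_SHOW = """rule 21 { description "Zimbra SMTP #1" destination { address 203.0.113.10 port 25 }
  inbound-interface eth0 inside-address { address 10.0.0.17 } protocol tcp type destination }"""
FW_SHOW = """name WAN_in {
  rule 20 { action accept description "Allow SMTP to MX01" destination { address 203.0.113.10 port 25 } protocol tcp }
  rule 100 { action accept description "Allow established back" state { established enable } } }"""

def parse(text):
    """Parse Vyatta 'show' brace syntax into nested dicts keyed "rule 21", "destination", ..."""
    toks = re.findall(r'\{|\}|"[^"]*"|\S+', text)
    root, stack, i = {}, [], 0
    node = root
    while i < len(toks):
        if toks[i] == "}":
            node, i = stack.pop(), i + 1
        elif toks[i + 1] == "{":                          # one-word node, e.g. "destination {"
            node[toks[i]] = child = {}
            stack.append(node); node = child; i += 2
        elif i + 2 < len(toks) and toks[i + 2] == "{":    # two-word node, e.g. "rule 21 {"
            node[toks[i] + " " + toks[i + 1]] = child = {}
            stack.append(node); node = child; i += 3
        else:                                             # leaf, e.g. "address 10.0.0.17"
            node[toks[i]] = toks[i + 1].strip('"'); i += 2
    return root

def rule_accepts_new(rule, addr, port, proto):
    """True if a firewall rule accepts a NEW connection to addr:port/proto (absent fields match all)."""
    state = rule.get("state", {})          # e.g. rule 100 is established-only, so never matches NEW
    if rule.get("action") != "accept" or (state and state.get("new") != "enable") \
            or rule.get("protocol", "all") not in ("all", proto):
        return False
    dst = rule.get("destination", {})
    if "address" in dst and ipaddress.ip_address(addr) not in ipaddress.ip_network(dst["address"], strict=False):
        return False
    return dst.get("port", port) == port

def unreachable_dnat_targets(nat, fw, ruleset):
    """DNAT inside addresses no rule in `ruleset` accepts; the 'in' set sees the post-DNAT address."""
    rules = [r for k, r in fw["name " + ruleset].items() if k.startswith("rule ")]
    missing = []
    for k, n in nat.items():
        if k.startswith("rule ") and n.get("type") == "destination":
            addr, port, proto = n["inside-address"]["address"], n["destination"].get("port"), n.get("protocol", "all")
            if not any(rule_accepts_new(r, addr, port, proto) for r in rules):
                missing.append((k, addr, port))
    return missing

print(unreachable_dnat_targets(parse(NAT_SHOW), parse(FW_SHOW), "WAN_in"))  # -> [('rule 21', '10.0.0.17', '25')]
```

Rule 20 does accept 203.0.113.10:25 on paper, which is why the set looks correct when read side by side with the NAT rule.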
© Server Fault or respective owner