Topic: Mail (The Bat) does not work from other subnet  (Read 148276 times)

ges35 (Full Member)
« on: Friday 09 October 2009, 12:27:55 pm »
EFW 2.2 is installed.
There are two subnets, 192.168.0.0 and 192.168.1.0; Windows authentication is configured.
Subnet 192.168.1.0 is routed into subnet 192.168.0.0.
In subnet 192.168.0.0, mail, ICQ and The Bat are set up and everything works perfectly.
In the proxy settings I have added subnet 192.168.1.0; over HTTP, computers from this subnet work,
but The Bat does not work.
Please advise what to configure so that The Bat works.
npeterson (Full Member)
« Reply #1 on: Monday 19 October 2009, 05:01:03 am »
I don't know what you are referring to with "the bat". Clarify this please.

Also is there an error message returned to the clients?

I think you are referring to the web proxy, and that your 192.168.0.0 cannot authenticate or have access? If that's the case, check your Allowed subnets per zone on the HTTP Proxy configuration page. Add 192.168.0.0/255.255.255.0 to the Green interface or whichever interface it is on.
ges35 (Full Member)
« Reply #2 on: Monday 19 October 2009, 11:59:10 am »
Windows authentication is configured.
Subnet 192.168.0.0 works perfectly: HTTP works, and mail clients connect to external mail servers on the Internet over POP and SMTP and work.

In the section Network -> Routing, subnet 192.168.1.0 is routed into subnet 192.168.0.0.

Computers from both subnets ping each other.
In the section Proxy -> Configuration -> Allowed Subnets per Zone, subnet 192.168.1.0 is allowed.

After that Firefox works over HTTP, but mail clients do not connect to external mail servers; POP3 and SMTP do not work.

The question is what needs to be configured so that mail clients from subnet 192.168.1.0 work.

My topology
192.168.0.0/24-------------------------------------->
                                                     \
                                                      |hub|-->192.168.0.1(green)||10.10.10.1(red)-->inet
                                                     /
192.168.1.0/24-->192.168.1.11||192.168.0.11--------->
npeterson (Full Member)
« Reply #3 on: Tuesday 20 October 2009, 12:08:50 am »
What is this device, 192.168.1.11||192.168.0.11------->  ?

My guess from the way you drew this is it's another router? If so, what is its gateway? It should be 192.168.0.1.

Also do a traceroute (tracert) from your 192.168.1.0 network to Google or some other internet site and let's see the results.
ges35 (Full Member)
« Reply #4 on: Tuesday 20 October 2009, 02:02:17 pm »
The device 192.168.1.11||192.168.0.11 is a Cisco.
The router is configured with default-gateway 192.168.0.1.
It all works: as a test I put an ISA server in place of EFW, all mail works and tracert passes.

I put EFW back:
tracert gets as far as 192.168.1.11 - destination host unreachable
tracert 10.10.10.1 - destination host unreachable
tracert 192.168.0.1 ok

Windows authentication - can it interfere?

In theory the firewall should let mail through via squid, and Windows authentication should not interfere.
npeterson (Full Member)
« Reply #5 on: Wednesday 21 October 2009, 06:53:59 am »
Your router, is it doing DHCP for the 192.168.1.0 network? If so, check your DNS settings; have them be the same as those you get from the 192.168.0.0 network.

Have you set a client's proxy setting directly to 192.168.0.1 port 8080 and had it fail? Are you getting an error page?

I'm thinking your router is not passing info for the wpad scripts to set up the clients' proxy settings. So check your DNS settings at the clients, and proxy settings.
ges35 (Full Member)
« Reply #6 on: Thursday 22 October 2009, 02:10:51 am »
DHCP is switched off.
The wpad settings are also disabled. In the web browser I set the client's proxy setting directly to 192.168.0.1 port 8080, and with these settings everything works. The proxy logs register the user and which sites he visited. In general, as I said above, over HTTP everything works perfectly in both subnets, both 192.168.0.0 and 192.168.1.0. Pings from subnet 192.168.1.0 are also visible in the logs.
DNS also turns out to be configured correctly.

And the mail does not want to work at all; I think it is something with the iptables configuration. Here is what iptables-save shows:

-A INPUT -m state --state NEW -j INPUTTRAFFIC
-A INPUT -j LOG_INPUT
-A FORWARD -j ipac~fi
-A FORWARD -j ipac~fo
-A FORWARD -j OPENVPNCLIENTDHCP
-A FORWARD -j OPENVPNDHCP
-A FORWARD -j BADTCP
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j NEWNOTSYN
-A FORWARD -j CUSTOMFORWARD
-A FORWARD -m state --state RELATED,ESTABLISHED -j ALLOW
-A FORWARD -p icmp -j ICMP_LOGDROP
-A FORWARD -i lo -m state --state NEW -j ALLOW
-A FORWARD -s 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP
-A FORWARD -d 127.0.0.0/255.0.0.0 -m state --state NEW -j DROP
-A FORWARD -j HAFORWARD
-A FORWARD -m state --state NEW -j PORTFWACCESS
-A FORWARD -j VPNTRAFFIC
-A FORWARD -m state --state NEW -j OUTGOINGFW
-A FORWARD -m state --state NEW -j ZONETRAFFIC
-A FORWARD -j LOG_FORWARD
-A INPUTFW -i eth2 -p tcp -m tcp --dport 22 -j NFLOG --nflog-prefix "INPUTFW:ACCEPT:1"
-A INPUTFW -i eth2 -p tcp -m tcp --dport 22 -j ALLOW
-A INPUTFW -i eth2 -p tcp -m tcp --dport 10443 -j NFLOG --nflog-prefix "INPUTFW:ACCEPT:2"
-A INPUTFW -i eth2 -p tcp -m tcp --dport 10443 -j ALLOW
-A INPUTFW -i br0 -p tcp -m tcp --dport 80 -j NFLOG --nflog-prefix "ADMIN:ACCEPT:3"
-A INPUTFW -i br0 -p tcp -m tcp --dport 80 -j ALLOW
-A INPUTFW -i br2 -p tcp -m tcp --dport 80 -j NFLOG --nflog-prefix "ADMIN:ACCEPT:3"
-A INPUTFW -i br2 -p tcp -m tcp --dport 80 -j ALLOW
-A INPUTFW -i br1 -p tcp -m tcp --dport 80 -j NFLOG --nflog-prefix "ADMIN:ACCEPT:3"
-A INPUTFW -i br1 -p tcp -m tcp --dport 80 -j ALLOW
-A INPUTFW -i br0 -p tcp -m tcp --dport 10443 -j NFLOG --nflog-prefix "ADMIN:ACCEPT:4"
-A INPUTFW -i br0 -p tcp -m tcp --dport 10443 -j ALLOW
-A INPUTFW -i br0 -p tcp -m tcp --dport 3001 -j NFLOG --nflog-prefix "NTOP:ACCEPT:5"
-A INPUTFW -i br0 -p tcp -m tcp --dport 3001 -j ALLOW
-A INPUTFW -i br2 -p tcp -m tcp --dport 3001 -j NFLOG --nflog-prefix "NTOP:ACCEPT:5"
-A INPUTFW -i br2 -p tcp -m tcp --dport 3001 -j ALLOW
-A INPUTFW -i br1 -p tcp -m tcp --dport 3001 -j NFLOG --nflog-prefix "NTOP:ACCEPT:5"
-A INPUTFW -i br1 -p tcp -m tcp --dport 3001 -j ALLOW
-A INPUTFW -i br0 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j NFLOG --nflog-prefix "PING:ACCEPT:6"
-A INPUTFW -i br0 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ALLOW
-A INPUTFW -i br0 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j NFLOG --nflog-prefix "PING:ACCEPT:6"
-A INPUTFW -i br0 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ALLOW
-A INPUTFW -i br2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j NFLOG --nflog-prefix "PING:ACCEPT:6"
-A INPUTFW -i br2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ALLOW
-A INPUTFW -i br2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j NFLOG --nflog-prefix "PING:ACCEPT:6"
-A INPUTFW -i br2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ALLOW
-A INPUTFW -i br1 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j NFLOG --nflog-prefix "PING:ACCEPT:6"
-A INPUTFW -i br1 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ALLOW
-A INPUTFW -i br1 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j NFLOG --nflog-prefix "PING:ACCEPT:6"
-A INPUTFW -i br1 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ALLOW
-A INPUTFW -i ipsec+ -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j NFLOG --nflog-prefix "PING:ACCEPT:6"
-A INPUTFW -i ipsec+ -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 8 -j ALLOW
-A INPUTFW -i ipsec+ -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j NFLOG --nflog-prefix "PING:ACCEPT:6"
-A INPUTFW -i ipsec+ -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name xticmp -m icmp --icmp-type 30 -j ALLOW
-A INPUTFW -i br0 -p tcp -m tcp --dport 53 -j NFLOG --nflog-prefix "DNS:ACCEPT:7"
-A INPUTFW -i br0 -p tcp -m tcp --dport 53 -j ALLOW
-A INPUTFW -i br0 -p udp -m udp --dport 53 -j NFLOG --nflog-prefix "DNS:ACCEPT:7"
-A INPUTFW -i br0 -p udp -m udp --dport 53 -j ALLOW
-A INPUTFW -i br2 -p tcp -m tcp --dport 53 -j NFLOG --nflog-prefix "DNS:ACCEPT:7"
-A INPUTFW -i br2 -p tcp -m tcp --dport 53 -j ALLOW
-A INPUTFW -i br2 -p udp -m udp --dport 53 -j NFLOG --nflog-prefix "DNS:ACCEPT:7"
-A INPUTFW -i br2 -p udp -m udp --dport 53 -j ALLOW
-A INPUTFW -i br1 -p tcp -m tcp --dport 53 -j NFLOG --nflog-prefix "DNS:ACCEPT:7"
-A INPUTFW -i br1 -p tcp -m tcp --dport 53 -j ALLOW
-A INPUTFW -i br1 -p udp -m udp --dport 53 -j NFLOG --nflog-prefix "DNS:ACCEPT:7"
-A INPUTFW -i br1 -p udp -m udp --dport 53 -j ALLOW
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 53 -j NFLOG --nflog-prefix "DNS:ACCEPT:7"
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 53 -j ALLOW
-A INPUTFW -i ipsec+ -p udp -m udp --dport 53 -j NFLOG --nflog-prefix "DNS:ACCEPT:7"
-A INPUTFW -i ipsec+ -p udp -m udp --dport 53 -j ALLOW
-A INPUTFW -i br0 -p tcp -m tcp --dport 22 -j NFLOG --nflog-prefix "SSH:ACCEPT:8"
-A INPUTFW -i br0 -p tcp -m tcp --dport 22 -j ALLOW
-A INPUTFW -i eth2 -p gre -j NFLOG --nflog-prefix "IPSEC:ACCEPT:9"
-A INPUTFW -i eth2 -p gre -j ALLOW
-A INPUTFW -i eth2 -p esp -j NFLOG --nflog-prefix "IPSEC:ACCEPT:9"
-A INPUTFW -i eth2 -p esp -j ALLOW
-A INPUTFW -i eth2 -p ah -j NFLOG --nflog-prefix "IPSEC:ACCEPT:9"
-A INPUTFW -i eth2 -p ah -j ALLOW
-A INPUTFW -i eth2 -p udp -m udp --dport 500 -j NFLOG --nflog-prefix "IPSEC:ACCEPT:10"
-A INPUTFW -i eth2 -p udp -m udp --dport 500 -j ALLOW
-A INPUTFW -i eth2 -p udp -m udp --dport 4500 -j NFLOG --nflog-prefix "IPSEC:ACCEPT:10"
-A INPUTFW -i eth2 -p udp -m udp --dport 4500 -j ALLOW
-A INPUTFW -i br2 -p gre -j NFLOG --nflog-prefix "IPSEC:ACCEPT:11"
-A INPUTFW -i br2 -p gre -j ALLOW
-A INPUTFW -i br2 -p esp -j NFLOG --nflog-prefix "IPSEC:ACCEPT:11"
-A INPUTFW -i br2 -p esp -j ALLOW
-A INPUTFW -i br2 -p ah -j NFLOG --nflog-prefix "IPSEC:ACCEPT:11"
-A INPUTFW -i br2 -p ah -j ALLOW
-A INPUTFW -i br2 -p udp -m udp --dport 500 -j NFLOG --nflog-prefix "IPSEC:ACCEPT:12"
-A INPUTFW -i br2 -p udp -m udp --dport 500 -j ALLOW
-A INPUTFW -i br2 -p udp -m udp --dport 4500 -j NFLOG --nflog-prefix "IPSEC:ACCEPT:12"
-A INPUTFW -i br2 -p udp -m udp --dport 4500 -j ALLOW
-A INPUTFW -i br1 -p gre -j NFLOG --nflog-prefix "IPSEC:ACCEPT:13"
-A INPUTFW -i br1 -p gre -j ALLOW
-A INPUTFW -i br1 -p esp -j NFLOG --nflog-prefix "IPSEC:ACCEPT:13"
-A INPUTFW -i br1 -p esp -j ALLOW
-A INPUTFW -i br1 -p ah -j NFLOG --nflog-prefix "IPSEC:ACCEPT:13"
-A INPUTFW -i br1 -p ah -j ALLOW
-A INPUTFW -i br1 -p udp -m udp --dport 500 -j NFLOG --nflog-prefix "IPSEC:ACCEPT:14"
-A INPUTFW -i br1 -p udp -m udp --dport 500 -j ALLOW
-A INPUTFW -i br1 -p udp -m udp --dport 4500 -j NFLOG --nflog-prefix "IPSEC:ACCEPT:14"
-A INPUTFW -i br1 -p udp -m udp --dport 4500 -j ALLOW
-A INPUTFW -i br0 -p udp -m udp --dport 123 -j NFLOG --nflog-prefix "NTP:ACCEPT:15"
-A INPUTFW -i br0 -p udp -m udp --dport 123 -j ALLOW
-A INPUTFW -i br0 -p tcp -m tcp --dport 123 -j NFLOG --nflog-prefix "NTP:ACCEPT:15"
-A INPUTFW -i br0 -p tcp -m tcp --dport 123 -j ALLOW
-A INPUTFW -i br2 -p udp -m udp --dport 123 -j NFLOG --nflog-prefix "NTP:ACCEPT:15"
-A INPUTFW -i br2 -p udp -m udp --dport 123 -j ALLOW
-A INPUTFW -i br2 -p tcp -m tcp --dport 123 -j NFLOG --nflog-prefix "NTP:ACCEPT:15"
-A INPUTFW -i br2 -p tcp -m tcp --dport 123 -j ALLOW
-A INPUTFW -i br1 -p udp -m udp --dport 123 -j NFLOG --nflog-prefix "NTP:ACCEPT:15"
-A INPUTFW -i br1 -p udp -m udp --dport 123 -j ALLOW
-A INPUTFW -i br1 -p tcp -m tcp --dport 123 -j NFLOG --nflog-prefix "NTP:ACCEPT:15"
-A INPUTFW -i br1 -p tcp -m tcp --dport 123 -j ALLOW
-A INPUTFW -i ipsec+ -p udp -m udp --dport 123 -j NFLOG --nflog-prefix "NTP:ACCEPT:15"
-A INPUTFW -i ipsec+ -p udp -m udp --dport 123 -j ALLOW
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 123 -j NFLOG --nflog-prefix "NTP:ACCEPT:15"
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 123 -j ALLOW
-A INPUTFW -i br0 -p tcp -m tcp --dport 8080 -j NFLOG --nflog-prefix "HTTP:ACCEPT:16"
-A INPUTFW -i br0 -p tcp -m tcp --dport 8080 -j ALLOW
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 8080 -j NFLOG --nflog-prefix "HTTP:ACCEPT:16"
-A INPUTFW -i ipsec+ -p tcp -m tcp --dport 8080 -j ALLOW
-A INPUTFW -i br2 -p tcp -m tcp --dport 8080 -j NFLOG --nflog-prefix "HTTP:ACCEPT:17"
-A INPUTFW -i br2 -p tcp -m tcp --dport 8080 -j ALLOW
-A INPUTFW -i br1 -p tcp -m tcp --dport 8080 -j NFLOG --nflog-prefix "HTTP:ACCEPT:18"
-A INPUTFW -i br1 -p tcp -m tcp --dport 8080 -j ALLOW
-A INPUTFW_LOGDROP -j DROP
-A INPUTTRAFFIC -i ipsec+ -j INPUTFW
-A INPUTTRAFFIC -i ipsec+ -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -i tap+ -j INPUTFW
-A INPUTTRAFFIC -i tap+ -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -m physdev  --physdev-in tap+ -j INPUTFW
-A INPUTTRAFFIC -m physdev  --physdev-in tap+ -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -i br0 -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUTTRAFFIC -i br0 -j INPUTFW
-A INPUTTRAFFIC -i br0 -j INPUTFW_LOGDROP
-A INPUTTRAFFIC -j INPUTFW
-A NEWNOTSYN -i br0 -o br0 -j RETURN
-A NEWNOTSYN -i tap+ -j RETURN
-A NEWNOTSYN -o tap+ -j RETURN
-A NEWNOTSYN -j NEWNOTSYN_LOGDROP
-A NEWNOTSYN_LOGDROP -j DROP
-A OUTGOINGFW -i br0 -o eth2 -p tcp -m tcp --dport 80 -j ALLOW
-A OUTGOINGFW -i br2 -o eth2 -p tcp -m tcp --dport 80 -j ALLOW
-A OUTGOINGFW -i br0 -o eth2 -p tcp -m tcp --dport 443 -j ALLOW
-A OUTGOINGFW -i br2 -o eth2 -p tcp -m tcp --dport 443 -j ALLOW
-A OUTGOINGFW -i br0 -o eth2 -p tcp -m tcp --dport 21 -j ALLOW
-A OUTGOINGFW -i br0 -o eth2 -p tcp -m tcp --dport 25 -j ALLOW
-A OUTGOINGFW -i br0 -o eth2 -p tcp -m tcp --dport 110 -j ALLOW
-A OUTGOINGFW -i br0 -o eth2 -p tcp -m tcp --dport 143 -j ALLOW
-A OUTGOINGFW -i br0 -o eth2 -p tcp -m tcp --dport 995 -j ALLOW
-A OUTGOINGFW -i br0 -o eth2 -p tcp -m tcp --dport 993 -j ALLOW
-A OUTGOINGFW -i br0 -o eth2 -p tcp -m tcp --dport 53 -j ALLOW
-A OUTGOINGFW -i br0 -o eth2 -p udp -m udp --dport 53 -j ALLOW
-A OUTGOINGFW -i br1 -o eth2 -p tcp -m tcp --dport 53 -j ALLOW
-A OUTGOINGFW -i br1 -o eth2 -p udp -m udp --dport 53 -j ALLOW
-A OUTGOINGFW -i br2 -o eth2 -p tcp -m tcp --dport 53 -j ALLOW
-A OUTGOINGFW -i br2 -o eth2 -p udp -m udp --dport 53 -j ALLOW
-A OUTGOINGFW -i br0 -o eth2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name outicmp -m icmp --icmp-type 8 -j ALLOW
-A OUTGOINGFW -i br0 -o eth2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name outicmp -m icmp --icmp-type 30 -j ALLOW
-A OUTGOINGFW -i br1 -o eth2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name outicmp -m icmp --icmp-type 8 -j ALLOW
-A OUTGOINGFW -i br1 -o eth2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name outicmp -m icmp --icmp-type 30 -j ALLOW
-A OUTGOINGFW -i br2 -o eth2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name outicmp -m icmp --icmp-type 8 -j ALLOW
-A OUTGOINGFW -i br2 -o eth2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name outicmp -m icmp --icmp-type 30 -j ALLOW
-A OUTGOINGFW -o eth2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name outicmp -m icmp --icmp-type 8 -j ALLOW
-A OUTGOINGFW -o eth2 -p icmp -m hashlimit --hashlimit 3/sec --hashlimit-mode srcip,dstip --hashlimit-name outicmp -m icmp --icmp-type 30 -j ALLOW
-A OUTPUT -j ipac~i
-A OUTPUT -j CUSTOMOUTPUT
-A VPNFW -j ALLOW
-A VPNFW_LOGDROP -j DROP
-A VPNTRAFFIC -o ipsec+ -j VPNFW
-A VPNTRAFFIC -o ipsec+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -i ipsec+ -j VPNFW
-A VPNTRAFFIC -i ipsec+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -o tap+ -j VPNFW
-A VPNTRAFFIC -o tap+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -i tap+ -j VPNFW
-A VPNTRAFFIC -i tap+ -j VPNFW_LOGDROP
-A VPNTRAFFIC -m physdev  --physdev-out tap+ --physdev-is-bridged -j VPNFW
-A VPNTRAFFIC -m physdev  --physdev-out tap+ --physdev-is-bridged -j VPNFW_LOGDROP
-A VPNTRAFFIC -m physdev  --physdev-in tap+ -j VPNFW
-A VPNTRAFFIC -m physdev  --physdev-in tap+ -j VPNFW_LOGDROP
-A ZONEFW -i br0 -o br0 -j NFLOG --nflog-prefix "ZONEFW:ACCEPT:1"
-A ZONEFW -i br0 -o br0 -j ALLOW
-A ZONEFW -i br0 -o br2 -j NFLOG --nflog-prefix "ZONEFW:ACCEPT:2"
-A ZONEFW -i br0 -o br2 -j ALLOW
-A ZONEFW -i br0 -o br1 -j NFLOG --nflog-prefix "ZONEFW:ACCEPT:3"
-A ZONEFW -i br0 -o br1 -j ALLOW
-A ZONEFW -i br2 -o br2 -j NFLOG --nflog-prefix "ZONEFW:ACCEPT:4"
-A ZONEFW -i br2 -o br2 -j ALLOW
-A ZONEFW -i br1 -o br1 -j NFLOG --nflog-prefix "ZONEFW:ACCEPT:5"
-A ZONEFW -i br1 -o br1 -j ALLOW
-A ZONEFW_LOGDROP -j DROP
-A ZONETRAFFIC -i br0 -o br0 -j ZONEFW
-A ZONETRAFFIC -i br0 -o br0 -j ZONEFW_LOGDROP
-A ipac~fi -i br0
-A ipac~fi -i eth2
-A ipac~fo -o br0
-A ipac~fo -o eth2
-A ipac~i -o br0
-A ipac~i -o eth2
-A ipac~o -i br0
-A ipac~o -i eth2
COMMIT
# Completed on Wed Oct 21 23:38:59 2009
# Generated by iptables-save v1.3.8 on Wed Oct 21 23:38:59 2009
*nat
:PREROUTING ACCEPT [15916:1182210]
:POSTROUTING ACCEPT [101:12180]
:OUTPUT ACCEPT [457:39172]
:CONTENTFILTER - [0:0]
:CUSTOMPOSTROUTING - [0:0]
:CUSTOMPREROUTING - [0:0]
:DNSMASQ - [0:0]
:OPENVPNCLIENT - [0:0]
:PORTFW - [0:0]
:POSTPORTFW - [0:0]
:SIPROXDPORTFW - [0:0]
:SMTPSCAN - [0:0]
:SOURCENAT - [0:0]
:SQUID - [0:0]
-A PREROUTING -j CUSTOMPREROUTING
-A PREROUTING -j SIPROXDPORTFW
-A PREROUTING -j CONTENTFILTER
-A PREROUTING -j SQUID
-A PREROUTING -j DNSMASQ
-A PREROUTING -j PORTFW
-A POSTROUTING -j CUSTOMPOSTROUTING
-A POSTROUTING -j OPENVPNCLIENT
-A POSTROUTING -j SOURCENAT
-A POSTROUTING -j POSTPORTFW
-A OUTPUT -j PORTFW
-A CUSTOMPREROUTING -p tcp -m tcp --dport 25 -j SMTPSCAN
-A SOURCENAT -o eth2 -j SNAT --to-source 10.10.10.1
COMMIT
# Completed on Wed Oct 21 23:38:59 2009

ifconfig
br0       Link encap:Ethernet  HWaddr 00:04:AC:E6:DC:B9
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27064 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1625 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2037971 (1.9 MiB)  TX bytes:488906 (477.4 KiB)

eth0      Link encap:Ethernet  HWaddr 00:04:AC:E6:DC:B9
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:27081 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1631 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2422118 (2.3 MiB)  TX bytes:489394 (477.9 KiB)
          Interrupt:20

eth1      Link encap:Ethernet  HWaddr 00:90:27:24:57:36
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:21

eth2      Link encap:Ethernet  HWaddr 00:17:31:0C:E8:5F
          inet addr:10.10.10.1  Bcast:10.10.10.255  Mask:255.255.255.0  (ip invented)
          inet6 addr: fe80::217:31ff:fe0c:e85f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:34415 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17438 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:27446329 (26.1 MiB)  TX bytes:2617228 (2.4 MiB)
          Interrupt:18

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:83 errors:0 dropped:0 overruns:0 frame:0
          TX packets:83 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7396 (7.2 KiB)  TX bytes:7396 (7.2 KiB)
npeterson (Full Member)
« Reply #7 on: Thursday 22 October 2009, 07:26:07 am »
I think our communications got jived. What email service type are you using? POP3? IMAP? SMTP?

SMTP proxy can be enabled on the page Proxy->SMTP->Main. You will want enabled checked and transparent on green.

If you are using POP3 or IMAP you will need to make sure the Outgoing firewall rules are enabled. Firewall->Outgoing Traffic-> allow POP, allow POPs, allow IMAP, allow IMAPs.

Looking through your FW rules I would say they are enabled.

OK, I think I know what's going on.

Try editing the rule for the mail type, e.g. POP: change the Source type to Network/IP and place your Network/IP in the source addresses.

The rule is currently set to the green interface, and the green interface only has the 192.168.0.0 network associated with it. So it's the only network allowed to send out that service type from that network.
ges35 (Full Member)
« Reply #8 on: Friday 23 October 2009, 12:50:58 am »
Thanks npeterson for your help.

I use POP and SMTP. Both of these tools, POP and SMTP, are enabled in the Proxy menu.
I have tried to configure rules in the Outgoing traffic and System access menus, and tried NAT as well, but most likely it is wrong.
It seems to me that the problem is that EFW is joined to the domain and the HTTP proxy is set to "authentication required", and EFW does not want to recognise PCs from subnet 192.168.1.0/24.
Or else it is the option in Proxy -> HTTP -> Configuration -> Allowed Subnets per Zone, where I added subnet 192.168.1.0/24 and the internet started working over HTTP.
There are no such settings for POP and SMTP; probably it is necessary to add them via PuTTY, but I do not know how.

Firewall logs:
Oct 22 16:59:11 INPUTFW:ACCEPT:18:l3  br0 KEY_TCP 192.168.1.16 2784 ff:ff:08:00:0c:00 192.168.0.1 25
Oct 22 16:59:23 PROXIES:POP-PROXY:-  br0 KEY_TCP 192.168.1.16 2786 ff:ff:08:00:0c:00 94.100.177.6 110

iptables:
-A PROXIES -i br0 -p tcp -m tcp --dport 110 -m state --state NEW -j NFLOG --nflog-prefix "PROXIES:POP-PROXY:-"
-A PROXIES -i br0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.1:8110
-A PROXIES -i br0 -p tcp -m tcp --dport 995 -m state --state NEW -j NFLOG --nflog-prefix "PROXIES:POP-PROXY:-"
-A PROXIES -i br0 -p tcp -m tcp --dport 995 -j DNAT --to-destination 192.168.0.1:8110
-A PROXIES -i br0 -p tcp -m tcp --dport 25 -m state --state NEW -j NFLOG --nflog-prefix "PROXIES:SMTP-PROXY:-"
-A PROXIES -i br0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.1:25
-A SOURCENAT -o eth2 -j SNAT --to-source 10.10.10.1

Can you write the settings or commands?
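As an added example (not code from this thread or from Endian), here is a small Python triage script for the firewall log format ges35 posted above: it parses the lines and flags mail-port connections whose source arrived on br0 but is not in the green network 192.168.0.0/24, which is the gap npeterson's Reply #7 describes (a rule whose source is the green zone does not cover the routed 192.168.1.0/24 subnet). The log field layout, the zone and routed subnet tables, and the sample lines are assumptions built from what is posted in the thread.

```python
import ipaddress
import re

# Constructed sample, in the format of the EFW firewall log lines quoted in the thread
# (timestamp, "CHAIN:RULE:ID" prefix, in-interface, protocol, src, sport, mac, dst, dport).
SAMPLE_LOG = """\
Oct 22 16:59:11 INPUTFW:ACCEPT:18:l3  br0 KEY_TCP 192.168.1.16 2784 ff:ff:08:00:0c:00 192.168.0.1 25
Oct 22 16:59:23 PROXIES:POP-PROXY:-  br0 KEY_TCP 192.168.1.16 2786 ff:ff:08:00:0c:00 94.100.177.6 110
Oct 22 17:01:02 PROXIES:POP-PROXY:-  br0 KEY_TCP 192.168.0.25 1044 ff:ff:08:00:0c:00 94.100.177.6 110
"""

# Network attached to each zone interface (br0 = green, 192.168.0.1/24 per the ifconfig posted)
# and the subnet that only reaches that interface through the Cisco router (192.168.1.0/24).
ZONE_NETS = {"br0": ipaddress.ip_network("192.168.0.0/24")}
ROUTED_NETS = {"br0": [ipaddress.ip_network("192.168.1.0/24")]}

# Mail ports that appear in the OUTGOINGFW rules posted in this thread.
MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP", 995: "POP3S", 993: "IMAPS"}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<prefix>\S+) +(?P<iface>\S+) KEY_(?P<proto>\w+) "
    r"(?P<src>[\d.]+) (?P<sport>\d+) (?P<mac>[0-9a-f:]+) (?P<dst>[\d.]+) (?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            entries.append(e)
    return entries


def classify_source(e):
    """Is the source native to the zone it arrived on ("zone"), routed in ("routed"), or unknown?"""
    src = ipaddress.ip_address(e["src"])
    zone = ZONE_NETS.get(e["iface"])
    if zone is not None and src in zone:
        return "zone"
    if any(src in net for net in ROUTED_NETS.get(e["iface"], [])):
        return "routed"
    return "unknown"


def triage(text):
    """For each mail-port connection, say whether a zone-bound outgoing rule covers its source."""
    findings = []
    for e in parse_log(text):
        if e["dport"] not in MAIL_PORTS:
            continue
        origin = classify_source(e)
        if origin == "zone":
            note = "covered by a rule whose source is the green zone"
        else:
            # A rule with the green zone as source only covers 192.168.0.0/24; this client's
            # subnet has to be listed explicitly as a Network/IP source (npeterson's fix).
            src = ipaddress.ip_address(e["src"])
            hits = [str(n) for n in ROUTED_NETS.get(e["iface"], []) if src in n]
            note = "needs Network/IP source rule for " + (hits[0] if hits else e["src"])
        findings.append((e["src"], MAIL_PORTS[e["dport"]], e["prefix"], origin, note))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```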