firewalld port-forward packet mangling

Issues related to configuring your network
Post Reply
erik-777
Posts: 9
Joined: 2009/08/20 03:26:32
Contact:

firewalld port-forward packet mangling

Post by erik-777 » 2019/04/27 14:47:15

Due to a crash, I had to quickly replace a Centos 4 router using IP tables and Firewall Builder with Centos 7 to route all incoming traffic to public IPs to internal servers. My current issue is with routing to a Postfix server, which was running fine before changing the router. The new variable is Firewalld, which I've been trying to use to restore the same forwarding functionality.

Unfortunately, it has resulted in new errors in the Postfix maillog cause all incoming emails to be discarded at key points, primarily forwarding to other servers such as gmail for Inbox.

Based on these new errors, I suspect one key difference is that the source IP is being mangled, so that Postfix sees it as coming from the router instead of the external sender. Is there a way to configure how forward-port mangles the source IP and other parameters in forwarding? I could find very little documentation online on forwarding options and issues, with options being very limited.

In postfix, these are the new errors that didn't show up before, with last one resulting in the email being discarded:

Code: Select all

Apr 26 20:57:21 serverhostname postfix/smtp[3706]: warning: host mta5.am0.yahoodns.net[98.136.102.54]:25 greeted me with my own hostname mail.mydomain.net
Apr 26 20:57:21 serverhostname postfix/smtp[3706]: warning: host mta5.am0.yahoodns.net[98.136.102.54]:25 replied to HELO/EHLO with my own hostname mail.mydomain.net
Apr 26 20:57:21 serverhostname postfix/smtp[3706]: 687D81E68137: to=<yahoouser@yahoo.com>, orig_to=<e_github@incomingdomain.net>, relay=mta5.am0.yahoodns.net[98.136.102.54]:25, delay=30, delays=0/0/30/0, dsn=5.4.6, status=bounced (mail for yahoo.com loops back to myself)
Note that the Postfix configuration didn't change. It is a VM that should be running as-is without modification. The only difference is this new Centos 7 router between it and the Internet.

User avatar
TrevorH
Forum Moderator
Posts: 26291
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewalld port-forward packet mangling

Post by TrevorH » 2019/04/27 15:28:39

You can easily disable and remove firewalld and replace it with iptables and iptables-services and use the same method that worked on el4 (which has only been dead for 10 years!).
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

erik-777
Posts: 9
Joined: 2009/08/20 03:26:32
Contact:

Re: firewalld port-forward packet mangling

Post by erik-777 » 2019/04/27 16:13:45

I fixed it! I was trying to avoid going back because the devs of Firewall Builder have left the project for a startup. I have to admit, that tool made IP Tables sane.

Here is what I learned:

1. You only need masquerade enabled on the external zone, so internal computers can reach the Internet. You do not need masquerade enabled on the external/public zone even if port forwarding from public to private. Having it enabled is what caused the mangling of the source IP so that Postfix only saw the router's IP instead of the public source of the packets, causing my core issue. It is confusing because everything you read suggests you need it enabled to forward ports.

2. I had a general forward of port 25 on the router. This created an issue when it finally tried sending the email out to the next destination. Turns out, it was never talking to Google or others when it tried to send it, but instead was just talking to itself. This wasn't obvious because it showed the host and IP of Google's MX server, and the bounce message didn't say who it was from. It deleted the email on this bounce.

Also, now that I tested using the "destination address" of rich rules, and it works with forward-port, preventing issues such as #2. Ultimately, I need this for other things I have to configure next, because this router handles a subnet of public IPs. In other words, there are many port 80 destinations for different websites that this router will handle based on the incoming public destination IP. Creating that rule looks like this:

Code: Select all

firewall-cmd --permanent --zone=external --add-rich-rule='rule family=ipv4 destination address=PUBLIC_IP forward-port port=25 protocol=tcp to-port=25 to-addr=INTERNAL_IP'

Post Reply