
Linux firewall and mail server


mirco73

Programmer
Feb 5, 2003
Hi everybody !
I've installed a linux box with 2 ethernets and configured it to work as a firewall and a mail server (QMAIL).
I've noticed that when the router doesn't work or is turned off I can't access qmail (SMTP and POP, with a telnet or with a mail client) nor the X server from a Windows client. If I turn on the router everything works fine...
Any idea how to make it work always? (For example, I'd like to send mail to my local network even if the router is down.)
 
Hi,

You'll need to give us more details. What is the 'router'? What interfaces is it connected to? How does the firewall relate to the mail server and internal networks.

As an aside, it's normally considered bad policy to put anything on a boundary firewall other than the firewall and proxy software - especially a complete mail server. Similarly a complete X server implementation.
 
It's not really that simple. You could connect everything to a passive hub, then connect the hub to the router. This would not help you with the e-mail issue however because you wouldn't have access to the dns servers for routing the mail. You would have to run a dns server for your local network (bind). I'd suggest not turning off the router.
 
I've made some tests and have understood that the main problem is the routing.
The default routing is the Cisco router connected to one of the two ethernet devices.
My network is connected to the other one.
When the router is down (sometimes it happens), if a client tries to connect to the POP or SMTP server it takes a long time to work.
I suppose this happens because of the default route.
My question is: is there a way to tell Linux to try to route FIRST on itself and AFTER on the gateway ?
 
Saying "try to route FIRST on itself and AFTER on the gateway" isn't quite right. A route is to a specific destination - so to route to itself will give no other option than to reference itself and not the gateway. Something else is up here...

Also, an IP address is assigned to an interface and not a host, so it may be that you are referring to the linux box with the IP address of the gateway-side NIC (external) and not the LAN-side NIC (internal). If this is the case, then the route will go "through" the linux box from the internal NIC to the external NIC - which could be unobtainable if the router is off.


Have you made sure your reference to the linux box from inside resolves to the internal IP address and not the external one?

You can use the "traceroute" command to follow the route to the destination to see if routing is the problem.
 
Actually traceroute says that there are no problems. But the strange fact is that when I make a telnet to Linux and the router is on it takes half a second to connect, but if the router is off it takes many seconds.
 

That's because it can't access your DNS.

You need to set up a local DNS server.

Cheers Henrik Morsing
Certified AIX 4.3 Systems Administration
& p690 Technical Support
 
Yes - it sounds like a DNS reverse lookup problem - the telnet server trying to resolve your IP address against a name - after a while it times out and either moves on to the next resolution method or gives up.

To test, edit the linux box's /etc/hosts file and add an entry for the client machine's name and IP address (assuming it's static). As name resolution normally uses hosts before DNS, this should confirm if it is DNS. Saves having to install a caching DNS name server just to confirm the problem.

Note: the actual name resolution order is normally defined in the file /etc/nsswitch.conf - look for the 'hosts:' line.
 
when I make a telnet to my Linux Box I use the IP address
and not the name:

telnet 192.168.0.10

or

telnet 192.168.0.10 25
telnet 192.168.0.10 110

(if I want to connect to the mail server)
 
Can you please cut and paste the box's routing table?
Example:
[root@archive root]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.68.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.68.100.2 0.0.0.0 UG 0 0 0 eth0

Also, are you running DNS? Is your "hosts" file configured correctly? What flavor of Linux are you running? Sorry for questions rather than answers .. but the solutions are long without more detail.



 
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.254 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.0.254 0.0.0.0 UG 0 0 0 eth0

my /etc/hosts file is simply:

127.0.0.1 mydomainname.com localhost

now I'm running a DNS and it works properly, and my Linux box is a RH 8.0
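As an added illustration (not code from anyone in this thread), the following Python script applies the kernel's longest-prefix-match rule to the routing table posted above, so you can see for yourself which interface and next hop a given destination will use. The table below is the poster's own output, embedded as a constructed string so the script runs offline; the destination addresses 192.168.0.10, 192.168.0.254 and 10.0.0.1 are just sample inputs. Running it shows that a LAN address in 192.168.0.0/24 is reached directly on eth1 without touching the default gateway, while anything outside that block goes to 192.168.0.254 on eth0.

```python
import ipaddress

# Constructed sample input: the `route -n` table posted in this thread,
# embedded as a string so the script runs offline.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.254   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.0.254   0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_n(text):
    """Return a list of (network, gateway_or_None, iface) from `route -n` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the two header lines; every route line starts with a dotted quad.
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append((network, gateway, iface))
    return routes


def lookup(routes, destination):
    """Longest-prefix match, the same selection rule the kernel applies
    (metrics are ignored, which is fine for a table where they are all 0).
    Returns (iface, next_hop) where next_hop is "direct" for on-link routes,
    or None when no route matches."""
    addr = ipaddress.IPv4Address(destination)
    best = None
    for network, gateway, iface in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    if best is None:
        return None
    _, gateway, iface = best
    return (iface, "direct" if gateway is None else str(gateway))


def explain(routes, destination):
    """Human-readable one-liner for a destination."""
    hit = lookup(routes, destination)
    if hit is None:
        return f"{destination}: no route"
    iface, next_hop = hit
    return f"{destination}: via {iface}, next hop {next_hop}"


if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    # Sample destinations: the LAN host from the thread, the router itself,
    # and an address outside the LAN for contrast.
    for dst in ("192.168.0.10", "192.168.0.254", "10.0.0.1"):
        print(explain(table, dst))
```

The host route to 192.168.0.254 (/32) wins over the 192.168.0.0/24 LAN route because it is more specific, which is why the router is reached on eth0 even though its address falls inside the LAN block.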
 
"when I make a telnet to my Linux Box I use the IP address
and not the name"

I didn't say it was a DNS lookup problem, I said it was a reverse lookup problem. The TCP wrappers controlling connections to the inetd-spawned daemons will try to ascertain the client NAME from the client IP address by using a DNS reverse lookup if no hosts file lookup works. If it doesn't get a reply from the DNS server it'll wait until a timeout. It'll then go on to another name resolution method or give up and connect anyway.

Do a google search for "reverse lookup dns and delay" to see what I mean - or see:


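The two posts above about reverse lookups (the /etc/hosts test and the 'hosts:' line in /etc/nsswitch.conf, and the TCP wrappers explanation) can be checked with a small model. The Python below is an added example, not code from this thread or from glibc or TCP wrappers: it reads the source order from a constructed nsswitch.conf excerpt and a constructed /etc/hosts, then reports whether a reverse lookup of a client address is answered locally by the hosts file or has to go out to DNS. The latter is the case that hangs until the resolver times out when the DNS server cannot be reached, e.g. with the router down. Action specifiers such as [NOTFOUND=return] are ignored in this simplified model, and the fallback order used when no 'hosts:' line exists is an assumption of the model.

```python
# Constructed sample configuration, standing in for the poster's files.
NSSWITCH_CONF = """\
# /etc/nsswitch.conf (excerpt, constructed)
passwd:     files
hosts:      files dns
networks:   files
"""

HOSTS_FILE = """\
# /etc/hosts (constructed; mirrors the thread's entry plus the client entry
# suggested as a test)
127.0.0.1       mydomainname.com localhost
192.168.0.10    linuxbox
192.168.0.20    winclient       # the client that telnets in
"""


def hosts_order(nsswitch_text):
    """Return the sources on the 'hosts:' line of nsswitch.conf, in the order
    they are consulted. Action specifiers such as [NOTFOUND=return] are
    dropped in this simplified model."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            tokens = line.split(":", 1)[1].split()
            return [t for t in tokens if not t.startswith("[")]
    # Assumed fallback for this model when no hosts: line exists.
    return ["files", "dns"]


def parse_hosts(hosts_text):
    """Map IP -> list of names from /etc/hosts, ignoring comments and blanks."""
    table = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if names:
            table[ip] = names
    return table


def reverse_lookup_source(nsswitch_text, hosts_text, client_ip):
    """Work out which source answers a reverse (IP -> name) lookup for
    client_ip, walking the sources in nsswitch order.

    Returns ("files", name) when /etc/hosts answers immediately,
    ("dns", None) when the lookup is sent to the DNS server (the case that
    waits for a timeout when that server is unreachable), or
    ("none", None) when no configured source can answer."""
    table = parse_hosts(hosts_text)
    for source in hosts_order(nsswitch_text):
        if source == "files" and client_ip in table:
            return ("files", table[client_ip][0])
        if source == "dns":
            return ("dns", None)
    return ("none", None)


if __name__ == "__main__":
    for ip in ("192.168.0.20", "192.168.0.99"):
        print(ip, "->", reverse_lookup_source(NSSWITCH_CONF, HOSTS_FILE, ip))
```

With 'hosts: files dns', the client 192.168.0.20 is answered from /etc/hosts and never triggers a DNS query, while an address missing from the file goes to DNS. Swapping the order to 'hosts: dns files' sends even the listed client to DNS first, which is why the order on that line matters as much as the hosts entry itself.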
 