Firewall for second gateway, without NAT? How?

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi

I need help with setting up OpenWrt (18.06.2) with a special setup. I managed to get working what I needed but my network now is far too exposed as it would be acceptable.

I've set up my own mail server, which leads to the need to get the external ip known for incoming connections and to communicate to the outside with the static public ip of my gateway. As I didn't get a static public Ip at home, I've set up n VPS in Chicago.

<external ip>   VPS   <wg0  ---------------------  wg1 >   OpenWrt    <zone mail>    <mail server> 
XX.XX.XX.X6             192.168.47.71    192.168.47.1                192.168.48.1    192.168.48.30 + 31

The VPS is forwarding anything coming in from external on port 25,465 to 192.168.48.31, without SNAT, just with DNAT to get the correct routing.

* filter 

# Keep all established connections
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic
-A OUTPUT -j ACCEPT

# Allow all inbout and forward from wg0
-A INPUT -i wg0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT

# Open TCP ports for forwarding of mail
# smtp
-A FORWARD -i eth0 -o wg0 -p tcp --syn -m multiport --dports 25,465 -m conntrack --ctstate NEW -j ACCEPT

# Drop all other incoming/forward traffic
-A INPUT -j REJECT
-A FORWARD -j DROP

*nat

-A POSTROUTING -o eth0 -j MASQUERADE

# routing for mail 
# smtp
-A PREROUTING -i eth0 -p tcp -m multiport --dports 25,465 -j DNAT --to-destination 192.168.48.31
#-A POSTROUTING -d 192.168.48.31 -o wg0 -p tcp -m multiport --dports 25,465,587 -j SNAT --to-source 192.168.47.71

To get the direction back, I've set up the mail server with a second ip (192.168.48.31) which is used for any outgoing smtp communication. To get this to the correct gateway, I've added on the OpenWrt

ip route add default via 192.168.47.71 dev wg1 table 210
ip rule add from 192.168.48.31 lookup 210 prio 210

This works fine, as long as I expose the mail zone fully on my OpenWrt. At the moment, it's this:

grafik
grafik.png747×105 6.94 KB

I now want to activate the firewall on the mail zone so that I have control over what's allowed incoming from Chicago and block everything else. Something like this:

grafik
grafik.png724×120 7.22 KB

With only opening or forwarding ports 25,465 to the mail server at 192.168.48.31 on the OpenWrt. But still with having the external IP as source and with outgoing communication from 192.168.48.31 via the Chicago gateway.

How do I achieve this with OpenWrt?

Basically it's clear what needs to be done on the OpenWrt:
the routing as described above
allow all related, established from wg1 to 192.168.48.31
allow new from wg1 with port 25,465 to 192.168.48.31
allow all from 192.168.48.31 to wg1
No NAT, but possibly conntrack?

If I want to do it with forwards
the routing as described above
allow all related, established from wg1
allow new from wg1 with port 25,465 to router forward to 192.168.48.31 (DNAT, no SNAT)
allow all from 192.168.48.31 to wg1
No NAT, but possibly conntrack?

Anything missing? I may test it with iptables rules on the custom rules tab. But ain't there way to do it with UCI or LuCi options?

Any help welcome. Thank you

2

You sent my head spinning trying to keep track of all the tunneling and IP-address changes!

Edit: I'm very puzzled as to why you added a second IP address for the same host, even more so that it is on the same subnet. That suggests to me that you've got some basic routing-configuration problems that need top be resolved even before considering firewall rules.

I'm not sure just where you've run into problems, but it seems that you're concerned that your mail server has to accept incoming connections from any host on the Internet. This is true for port 25 as you don't know from which MTA an incoming connection will come. If I've understood your topology and concenr correctly, that isn't something you can change.

I'm guessing your ISP blocks connections on port 25. You might consider an alternate approach that lets you restrict access to your "inside" mail host in your home/office by:

  • Installing postfix on your VPS as a mail relay
    • Incoming mail forwarded to your "inside" mail server on the submission port (or other alternate)
    • Your internal mail host authenticated to relay via submission port
    • dovecot for authentication of relay via submission port for "your" clients, stationary or mobile
  • Setting your internal to relay all non-local traffic via your VPS on submission port

Now the only MTA your inside ever talks to is the one on your VPS. You've buffered it from open access with an instance that doesn't have any of your mail on it (except for the brief time it is queued) should it be compromised. It also gives an additional benefit that it will hold that mail for you in the case your "local" server loses connectivity or has other issues.

1 Like
3

Hi Jeff.

Thanks for the reply. But

the issue is: my setup is working. I'm just concerned about the zone forward from chicago to mail as this (afaik) leaves the mail zone wide open to the tunnel from chicago.

At the moment I get connections from chicago and reveive email. Incoming connection come with the original source ip and postfix can check this (spf, ..).
Outgoing connections are made on the .31 ip by postfix and this is routed to chicago and inti the internet with the chicago ip so other mta can check my ip (spf, etc ..)
The .31 interface is indeed not accessable from inside my network as all of its traffic is routed to chicago be the rule in OpenWrt.
To connect with imap and internal submission, I use the .30 interface which is accessable inside the network.
This all works well.

At the moment when I try to remove the zone forward from chicago to mail and try to replace it with something to be called a firewall filter (just allowing incoming connection from chicago on port 25, 465) the connections don't work anymore.
I tried port forwards and traffic rule ... I might get is working with plain iptables rules in the custom rules tab but

  • I'd like to prefer OpenWrt UI or Luci (as this is the way the system should be used?) and
  • I'm unsure how this manual rules affect the OpenWrt firewall where I don't want any risk.

Any suggestion?

-A INPUT -i chicago1 -o mail -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i chicago -o mail -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i chicago -o mail -p tcp --syn -m multiport --dports 25,465 -m conntrack --ctstate NEW -j ACCEPT

plus the routing stuff as described above should do it. I'm unsure if there is a better solution on OpenWrt.

btw: I use the chicago gateway as my isp is unable to provide a static public ip at a reasonable price and ipv6 not at all. I also use it for accessing N****** in USA. :wink: