I have since opted to not use SNAT or MASQUERADE, but to only allow access to the net via a proxy.
Good (IMHO).
My firewall script also contains these rules to log any packets that reach the end of the chain:
[snip]
# log any packets that reach the end
$IPTABLES -A INPUT -i $IFACE_INT -j LOG --log-prefix "DROP INPUT INTERNAL: "
$IPTABLES -A FORWARD -i $IFACE_INT -j LOG --log-prefix "DROP FORWARD INTERNAL: "
$IPTABLES -A OUTPUT -o $IFACE_INT -j LOG --log-prefix "DROP OUTPUT INTERNAL: "
$IPTABLES -A INPUT -i $IFACE_DMZ -j LOG --log-prefix "DROP INPUT DMZ: "
$IPTABLES -A FORWARD -i $IFACE_DMZ -j LOG --log-prefix "DROP FORWARD DMZ: "
$IPTABLES -A OUTPUT -o $IFACE_DMZ -j LOG --log-prefix "DROP OUTPUT DMZ: "
$IPTABLES -A INPUT -i $IFACE_INET -j LOG --log-prefix "DROP INPUT INET: "
$IPTABLES -A FORWARD -i $IFACE_INET -j LOG --log-prefix "DROP FORWARD INET: "
$IPTABLES -A OUTPUT -o $IFACE_INET -j LOG --log-prefix "DROP OUTPUT INET: "
You may want to add additional logging rules with no qualifiers but the chain names themselves, as a final safety net, sort of.
Any ideas?
Is the DNS lookup of mail.knowledgefactory.co.za successful?
Yes, it resolves to and tries to contact 196.38.2.132
See my other mail on other points of interest. Can you see its attempts to contact 196.38.2.132 when tcpdumping on the different interfaces of the firewall?
I don't want to set up pop3 and smtp proxies on my firewall ...
You should consider setting those up in your DMZ, though, really.
The proxy or the servers (smtp, pop3)?
Heh heh, the (get this) proxy servers. :-)

Cheers, Tobias
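The LOG rules quoted in this thread tag every dropped packet with a per-chain prefix, which is what makes the "can you see its attempts to contact 196.38.2.132" question answerable from syslog. The script below is an added example, not code from this thread or its authors: it parses kernel LOG-target lines carrying those prefixes (the sample lines, interface names and internal addresses are constructed) and reports which chain, interfaces and port saw drops towards a given destination.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the iptables LOG target
# emits, using the prefixes from the firewall script quoted above.
# Interface names and internal/external addresses are placeholders.
SAMPLE_LOG = """\
Jan  5 10:01:02 fw kernel: DROP FORWARD INTERNAL: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=196.38.2.132 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  5 10:01:05 fw kernel: DROP FORWARD INTERNAL: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=196.38.2.132 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  5 10:02:00 fw kernel: DROP INPUT INET: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=1234 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:02:30 fw sshd[123]: Accepted publickey for admin from 192.168.1.20
"""

# Matches "kernel: <DROP CHAIN ZONE>: <key=value fields>"
LINE_RE = re.compile(r"kernel: (?P<prefix>DROP [A-Z]+ [A-Z]+): (?P<fields>.*)$")


def parse_log_line(line):
    """Return a dict of fields for one LOG-target line, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for token in m.group("fields").split():
        # Flags such as DF or SYN carry no '='; keep them as boolean markers.
        key, sep, val = token.partition("=")
        rec[key] = val if sep else True
    return rec


def drops_to(log_text, dst):
    """Count dropped packets towards dst, keyed by (prefix, IN, OUT, PROTO, DPT)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec.get("DST") == dst:
            counts[(rec["prefix"], rec.get("IN", ""), rec.get("OUT", ""),
                    rec.get("PROTO", ""), rec.get("DPT", ""))] += 1
    return counts


if __name__ == "__main__":
    for (prefix, iface_in, iface_out, proto, dpt), n in drops_to(SAMPLE_LOG, "196.38.2.132").items():
        print(f"{n} x {prefix} in={iface_in} out={iface_out} {proto}/{dpt}")
```

A non-empty result for the mail server's address tells you the packets reached the firewall but fell through to the end of the named chain; an empty result with the client still failing points at DNS, routing or the proxy rather than the filter rules.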