"Reckhard, Tobias" wrote:
Ray,
sorry for having been a little harsh in my other mail, I see you've set up some rules yourself already.
No problem.
These are the rules I have to get mail to work (or not work) ...
# Masquerade internal networks
$IPTABLES -t nat -A POSTROUTING -o $IFACE_INT -s $NET_INT -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $IFACE_DMZ -s $NET_DMZ -j MASQUERADE
Hmm, I don't use the MASQUERADE target, but rather -j SNAT --to <new source address>. Have you tried that?
I have since opted to not use SNAT or MASQUERADE, but to only allow access to the net via a proxy.
You do know that you're allowing access to everything on the Internet with these rules (if you couple them with corresponding rules from the other chains).
My default chain policy is set to drop. If I don't have INPUT, FORWARD and OUTPUT rules then nobody can do anything from the DMZ or internal networks.
#### allow smtp and pop3
<snip><snip>
This is the problem:
Mail gets delivered to the mail server from the client. The client is configured to send mail to $IP_INET_MAIL. So this means that the reverse masq (DNAT) is working.
The mail server (on $IP_INT_MAIL) tries to contact another mail server (mail.knowledgefactory.co.za) and times out with an entry in the mail log file in /var/log/mail saying "Timeout contacting mail.knowledgefactory.co.za."
There are no dropped packets on the firewall.
My firewall script also contains these rules to log any packets that reach the end of the chain:
# drop MS broadcasts
$IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 137 -d $BCAST_INT -j DROP
$IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 138 -d $BCAST_INT -j DROP
$IPTABLES -A INPUT -p udp -s 0.0.0.0/32 -j DROP
$IPTABLES -A INPUT -p udp -d 255.255.255.255/32 -j DROP

# log any packets that reach the end
$IPTABLES -A INPUT -i $IFACE_INT -j LOG --log-prefix "DROP INPUT INTERNAL: "
$IPTABLES -A FORWARD -i $IFACE_INT -j LOG --log-prefix "DROP FORWARD INTERNAL: "
$IPTABLES -A OUTPUT -o $IFACE_INT -j LOG --log-prefix "DROP OUTPUT INTERNAL: "
$IPTABLES -A INPUT -i $IFACE_DMZ -j LOG --log-prefix "DROP INPUT DMZ: "
$IPTABLES -A FORWARD -i $IFACE_DMZ -j LOG --log-prefix "DROP FORWARD DMZ: "
$IPTABLES -A OUTPUT -o $IFACE_DMZ -j LOG --log-prefix "DROP OUTPUT DMZ: "
$IPTABLES -A INPUT -i $IFACE_INET -j LOG --log-prefix "DROP INPUT INET: "
$IPTABLES -A FORWARD -i $IFACE_INET -j LOG --log-prefix "DROP FORWARD INET: "
$IPTABLES -A OUTPUT -o $IFACE_INET -j LOG --log-prefix "DROP OUTPUT INET: "
<snip><snip>
Any ideas?
Is the DNS lookup of mail.knowledgefactory.co.za successful?
Yes, it resolves to and tries to contact 196.38.2.132
I don't want to set up pop3 and smtp proxies on my firewall ...
You should consider setting those up in your DMZ, though, really.
The proxy or the servers (smtp, pop3)?
Cheers, Tobias
Ray
--
----------------------------------------------------------------------
Raymond Leach
Cell: +27-82-416-1410
Tel: +27-11-444-5006
Fax: +27-11-444-5007
eMail: raymondl@knowledgefactory.co.za
www: http://www.knowledgefactory.co.za
"No matter where you go, there you are ..."
----------------------------------------------------------------------
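Because the script above ends every chain with a LOG rule, the claim that no packets are being dropped can be checked against the kernel log rather than assumed. As an added example (not part of the thread), a small parser for those LOG lines: it keys on the thread's own log prefixes, counts drops per chain, and flags any SMTP/POP3 drop that involves the mail server. The log lines and the 192.168.1.25 mail-server address are constructed for the demonstration; only 196.38.2.132 comes from the thread.

```python
import re
from collections import Counter

# Prefixes exactly as set by the end-of-chain LOG rules in the firewall script.
LOG_PREFIX_RE = re.compile(r'(DROP (?:INPUT|FORWARD|OUTPUT) (?:INTERNAL|DMZ|INET)): (.*)$')
# netfilter LOG output is a run of KEY=VALUE tokens; bare flags (DF, SYN) have no '='.
FIELD_RE = re.compile(r'(\w+)=(\S*)')
MAIL_PORTS = {25: "smtp", 110: "pop3"}

# Constructed sample kernel log, not taken from the thread.
SAMPLE_LOG = [
    "Apr  2 10:15:01 fw kernel: DROP FORWARD DMZ: IN=eth1 OUT=eth0 SRC=192.168.1.25 DST=196.38.2.132 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=33001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Apr  2 10:15:03 fw kernel: DROP INPUT INTERNAL: IN=eth2 OUT= SRC=192.168.2.7 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Apr  2 10:15:05 fw kernel: DROP FORWARD INET: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.1.25 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=77 DF PROTO=TCP SPT=4455 DPT=110 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr  2 10:15:06 fw sshd[123]: Accepted publickey for ray",
]


def parse_log_line(line):
    """Return (prefix, fields) for a firewall LOG line, or None for any other log line."""
    m = LOG_PREFIX_RE.search(line)
    if not m:
        return None
    return m.group(1), dict(FIELD_RE.findall(m.group(2)))


def dropped_mail_traffic(lines, mail_server_ip):
    """Count drops per chain and list SMTP/POP3 drops where the mail server is SRC or DST.

    Returns (Counter of prefix -> drops, list of (prefix, src, dst, service)).
    """
    per_chain = Counter()
    suspects = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        per_chain[prefix] += 1
        if f.get("PROTO") != "TCP":
            continue
        dport = int(f.get("DPT", "0"))
        if dport in MAIL_PORTS and mail_server_ip in (f.get("SRC"), f.get("DST")):
            suspects.append((prefix, f["SRC"], f["DST"], MAIL_PORTS[dport]))
    return per_chain, suspects


if __name__ == "__main__":
    counts, hits = dropped_mail_traffic(SAMPLE_LOG, "192.168.1.25")
    for prefix, n in counts.items():
        print(f"{prefix}: {n} dropped")
    for prefix, src, dst, svc in hits:
        print(f"mail-related drop in {prefix}: {src} -> {dst} ({svc})")
```

On a real box, feed it the output of `grep 'DROP ' /var/log/messages` (or wherever the kernel logger writes) and the configured $IP_INT_MAIL; an empty suspects list for an outbound port 25 attempt narrows the problem to somewhere other than a chain-end drop.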