Ray, sorry for having been a little harsh in my other mail, I see you've set up some rules yourself already.
> These are the rules I have to get mail to work (or not work) ...
>
> # Masquerade internal networks
> $IPTABLES -t nat -A POSTROUTING -o $IFACE_INT -s $NET_INT -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -o $IFACE_DMZ -s $NET_DMZ -j MASQUERADE
Hmm, I don't use the MASQUERADE target, but rather -j SNAT --to <new source address>. Have you tried that? You do know that you're allowing access to everything on the Internet with these rules (if you couple them with corresponding rules from the other chains).
> #### allow smtp and pop3
> # allow internet pop3 to mail server - reverse masq $IP_INET_MAIL:110 to $IP_INT_MAIL:110
> $IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp -d $IP_INET_MAIL --dport 110 -j DNAT --to-destination $IP_INT_MAIL
> $IPTABLES -A FORWARD -i $IFACE_INT -p tcp --dport 110 -d $NET_DMZ -j ACCEPT
> $IPTABLES -A FORWARD -i $IFACE_DMZ -p tcp --sport 110 -d $NET_INT -j ACCEPT
> $IPTABLES -A INPUT -i $IFACE_DMZ -p tcp --dport 113 -d $IP_INET -j ACCEPT
> $IPTABLES -A OUTPUT -o $IFACE_DMZ -p tcp --sport 113 -d $IP_INT_MAIL -j ACCEPT
> # allow internet smtp to mail server - reverse masq $IP_INET_MAIL:25 to $IP_INT_MAIL:25
> $IPTABLES -t nat -A PREROUTING -i $IFACE_INT -p tcp -d $IP_INET_MAIL --dport 25 -j DNAT --to-destination $IP_INT_MAIL
> $IPTABLES -A FORWARD -i $IFACE_INT -p tcp --dport 25 -d $NET_DMZ -j ACCEPT
> $IPTABLES -A FORWARD -i $IFACE_DMZ -p tcp --dport 25 -j ACCEPT
>
> This is the problem:
>
> Mail gets delivered to the mail server from the client. The client is configured to send mail to $IP_INET_MAIL. So this means that the reverse masq (DNAT) is working.
>
> The mail server (on $IP_INT_MAIL) tries to contact another mail server (mail.knowledgefactory.co.za) and times out with an entry in the mail log file in /var/log/mail saying "Timeout contacting mail.knowledgefactory.co.za."
>
> There are no dropped packets on the firewall.
>
> My firewall script also contains these rules to log any packets that reach the end of the chain:
>
> # drop MS broadcasts
> $IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 137 -d $BCAST_INT -j DROP
> $IPTABLES -A INPUT -i $IFACE_INT -p udp --dport 138 -d $BCAST_INT -j DROP
> $IPTABLES -A INPUT -p udp -s 0.0.0.0/32 -j DROP
> $IPTABLES -A INPUT -p udp -d 255.255.255.255/32 -j DROP
>
> # log any packets that reach the end
> $IPTABLES -A INPUT -i $IFACE_INT -j LOG --log-prefix "DROP INPUT INTERNAL: "
> $IPTABLES -A FORWARD -i $IFACE_INT -j LOG --log-prefix "DROP FORWARD INTERNAL: "
> $IPTABLES -A OUTPUT -o $IFACE_INT -j LOG --log-prefix "DROP OUTPUT INTERNAL: "
> $IPTABLES -A INPUT -i $IFACE_DMZ -j LOG --log-prefix "DROP INPUT DMZ: "
> $IPTABLES -A FORWARD -i $IFACE_DMZ -j LOG --log-prefix "DROP FORWARD DMZ: "
> $IPTABLES -A OUTPUT -o $IFACE_DMZ -j LOG --log-prefix "DROP OUTPUT DMZ: "
> $IPTABLES -A INPUT -i $IFACE_INET -j LOG --log-prefix "DROP INPUT INET: "
> $IPTABLES -A FORWARD -i $IFACE_INET -j LOG --log-prefix "DROP FORWARD INET: "
> $IPTABLES -A OUTPUT -o $IFACE_INET -j LOG --log-prefix "DROP OUTPUT INET: "
>
> Any ideas?
Is the DNS lookup of mail.knowledgefactory.co.za successful?
> I don't want to set up pop3 and smtp proxies on my firewall ...
You should consider setting those up in your DMZ, though, really.

Cheers,
Tobias
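As an added example (not code from either poster), here is a complete stateful ruleset for the layout discussed in this thread: an internal LAN, a mail server in the DMZ, and a public mail address DNAT'd to it. It uses the SNAT target Tobias suggests, matches source NAT on the external interface (the one packets actually leave through on their way to the Internet), relies on conntrack for all reply traffic instead of per-port --sport rules, and includes the outbound DNS rule the mail server needs for the lookup Tobias asks about. All interface names and addresses are assumed placeholders (documentation ranges, not real hosts). With IPTABLES left at its default of "echo iptables" the script only prints the commands, so it can be reviewed without root; set IPTABLES=/sbin/iptables to apply it.

```shell
#!/bin/sh
# Added example: minimal stateful iptables ruleset for a DMZ mail server.
# Every name below is an assumed placeholder, not a value from the thread.
# Default IPTABLES="echo iptables" makes this a dry run that prints rules.

IFACE_INET=${IFACE_INET:-eth0}               # assumed external interface
IFACE_INT=${IFACE_INT:-eth1}                 # assumed internal LAN interface
IFACE_DMZ=${IFACE_DMZ:-eth2}                 # assumed DMZ interface
NET_INT=${NET_INT:-192.168.1.0/24}           # constructed LAN range
NET_DMZ=${NET_DMZ:-192.168.2.0/24}           # constructed DMZ range
IP_INET=${IP_INET:-203.0.113.10}             # firewall public address (TEST-NET-3)
IP_INET_MAIL=${IP_INET_MAIL:-203.0.113.25}   # public address DNAT'd to the mail server
IP_INT_MAIL=${IP_INT_MAIL:-192.168.2.25}     # mail server inside the DMZ
IPTABLES=${IPTABLES:-echo iptables}

emit_rules() {
    # Default deny; one conntrack rule per chain admits every reply packet,
    # so no service-specific "--sport 25" return rules are needed.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT  -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Source NAT is matched on the interface packets LEAVE through, i.e. the
    # external one. Outbound mail from the DMZ server is given the public mail
    # address as its source so it matches the address remote MTAs see.
    $IPTABLES -t nat -A POSTROUTING -o "$IFACE_INET" -s "$NET_INT" -j SNAT --to-source "$IP_INET"
    $IPTABLES -t nat -A POSTROUTING -o "$IFACE_INET" -s "$NET_DMZ" -j SNAT --to-source "$IP_INET_MAIL"

    # Inbound SMTP from the Internet to the public mail address -> DMZ server.
    $IPTABLES -t nat -A PREROUTING -i "$IFACE_INET" -p tcp -d "$IP_INET_MAIL" --dport 25 -j DNAT --to-destination "$IP_INT_MAIL"
    $IPTABLES -A FORWARD -i "$IFACE_INET" -o "$IFACE_DMZ" -p tcp -d "$IP_INT_MAIL" --dport 25 -m state --state NEW -j ACCEPT

    # Internal clients reach POP3/SMTP on the mail server through the same DNAT.
    $IPTABLES -t nat -A PREROUTING -i "$IFACE_INT" -p tcp -d "$IP_INET_MAIL" -m multiport --dports 25,110 -j DNAT --to-destination "$IP_INT_MAIL"
    $IPTABLES -A FORWARD -i "$IFACE_INT" -o "$IFACE_DMZ" -p tcp -d "$IP_INT_MAIL" -m multiport --dports 25,110 -m state --state NEW -j ACCEPT

    # The mail server needs outbound SMTP and DNS to deliver mail; without the
    # DNS rules every outbound delivery stalls on the MX lookup.
    $IPTABLES -A FORWARD -i "$IFACE_DMZ" -o "$IFACE_INET" -p tcp -s "$IP_INT_MAIL" --dport 25 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$IFACE_DMZ" -o "$IFACE_INET" -p udp -s "$IP_INT_MAIL" --dport 53 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$IFACE_DMZ" -o "$IFACE_INET" -p tcp -s "$IP_INT_MAIL" --dport 53 -m state --state NEW -j ACCEPT

    # Log (rate limited) whatever falls through before the DROP policy takes it.
    for chain in INPUT FORWARD OUTPUT; do
        $IPTABLES -A "$chain" -m limit --limit 5/min -j LOG --log-prefix "DROP $chain: "
    done
}

emit_rules
```

Because the ruleset is stateful, a timeout like the one described above narrows to two places: the DMZ-to-Internet NEW rules (SMTP and DNS) and the POSTROUTING SNAT on the external interface; if either is missing, the outbound connection never completes, and with no matching LOG rule on the outbound path nothing is logged either.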