Outgoing SMTP Mystery

["Michael Hudin" <hudin@zoetrope.com>]

[-- Attachment #1: Type: text/plain, Size: 2823 bytes --]

Okay, so I've gotten everything running fine in my tables as far as HTTP, SSH and POP go, but I'm having a problem with SMTP (I have a qmail server).  I can send SMTP out just fine, but no other server can send it in for some reason.  It would appear in the logs that it is forwarding fine, but it is still not allowing connections on port 25.  My setup is Public Interface: eth0 - 10.10.10.254 Private Interface eth1 - 192.168.77.1  My firewall also serves as a gateway for the private LAN and a VPN server running FreeSWAN.  The MX records are set up to point at 10.10.10.252 as the mail server and as you can see below, that is indeed forwarding (or at least it should be).  I've always assumed that the numbers in the brackets were port allowances and that may be my problem, but if they were, I wouldn't be able to get to SSH and HTTP. Also, if anyone has any security suggestions, since I just cobbled this together to get it working, they wouldn't fall on deaf ears.

Here are my tables:

*nat
:PREROUTING ACCEPT [241:88600]
:POSTROUTING ACCEPT [0:9862]
:OUTPUT ACCEPT [68:4275]
-A PREROUTING -d 10.10.10.252 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.77.2
-A PREROUTING -d 10.10.10.252 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.77.2
-A PREROUTING -d 10.10.10.251 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.77.2
-A PREROUTING -d 10.10.10.250 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.77.2
-A PREROUTING -d 10.10.10.250 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.77.2
-A POSTROUTING -o eth0 -j SNAT --to-source 10.10.10.254
-A POSTROUTING -o eth1 -j SNAT --to-source 10.10.10.254
COMMIT

*mangle
:PREROUTING ACCEPT [18365:3221456]
:INPUT ACCEPT [10886:760348]
:FORWARD ACCEPT [7269:2438049]
:OUTPUT ACCEPT [8009:752540]
:POSTROUTING ACCEPT [15177:3182145]
COMMIT

*filter
:INPUT ACCEPT [0:229546]
:FORWARD ACCEPT [363:1553786]
:OUTPUT ACCEPT [2:619341]
-A INPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -p tcp -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 110 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT





Michael Hudin
Sentinel Systems Support
www.zoetrope.com

[-- Attachment #2: Type: text/html, Size: 3962 bytes --]