From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Stanislav Puffler DiS." Subject: still =?ISO-8859-1?Q?can=B4t_FORWARD_tcp_on_25_port_?= =?ISO-8859-1?Q?to_another_destination=2E=2E=2E?= Date: Fri, 12 Mar 2004 15:56:24 +0100 Sender: netfilter-admin@lists.netfilter.org Message-ID: <4051CF98.1020008@seznam.cz> Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Return-path: Errors-To: netfilter-admin@lists.netfilter.org List-Help: List-Post: List-Subscribe: , List-Id: List-Unsubscribe: , List-Archive: Content-Type: text/plain; charset="iso-8859-1"; format="flowed" To: Netfilter Mailing List Hallo, I can=B4t still FORWARD any incoming tcp packets (port 25) from Internet=20 coming to my external interface eth0 (82.142.67.253) to destination in=20 my network (192.168.200.2). Here is my complete ruleset from=20 iptables-save. I am 2 days without any idea or success :( Could anyone=20 help please ? # Generated by iptables-save v1.2.6a on Fri Mar 12 14:53:44 2004 *nat :PREROUTING ACCEPT [342:36496] :POSTROUTING ACCEPT [42:3408] :OUTPUT ACCEPT [66:5557] -A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 -A PREROUTING -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP -A PREROUTING -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP -A PREROUTING -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination=20 192.168.200.2:25 -A POSTROUTING -o eth0 -j MASQUERADE COMMIT # Completed on Fri Mar 12 14:53:44 2004 # Generated by iptables-save v1.2.6a on Fri Mar 12 14:53:44 2004 *filter :INPUT DROP [83:8337] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] :spoofing - [0:0] :syn_flood - [0:0] :tcp_segmenty - [0:0] :udp_pakety - [0:0] -A INPUT -i eth0 -p tcp -j tcp_segmenty -A INPUT -i eth0 -p udp -j udp_pakety -A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT -A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT -A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT -A INPUT -i eth1 -j ACCEPT -A INPUT -i eth2 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 113 -j REJECT --reject-with=20 icmp-port-unreachable -A INPUT -i eth0 -j spoofing -A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn_flood -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT -A INPUT -s 80.95.96.7 -i eth0 -j ACCEPT -A INPUT -i eth1 -j ACCEPT -A INPUT -i eth2 -j ACCEPT -A INPUT -i lo -j ACCEPT -A FORWARD -i eth1 -j ACCEPT -A FORWARD -i eth2 -j ACCEPT -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -o eth1 -j ACCEPT -A FORWARD -i eth0 -j spoofing -A FORWARD -d 192.168.200.2 -i eth0 -p tcp -m tcp --dport 25 -m state=20 --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -s 127.0.0.1 -j ACCEPT -A OUTPUT -s 192.168.0.1 -j ACCEPT -A OUTPUT -s 192.168.200.1 -j ACCEPT -A OUTPUT -s 82.142.67.253 -j ACCEPT -A spoofing -s 192.168.0.0/255.255.0.0 -j DROP -A spoofing -s 172.16.0.0/255.240.0.0 -j DROP -A spoofing -s 10.0.0.0/255.0.0.0 -j DROP -A syn_flood -m limit --limit 1/sec -j RETURN -A syn_flood -j DROP -A tcp_segmenty -p tcp -m tcp --dport 25 -j ACCEPT -A tcp_segmenty -p tcp -m tcp --dport 80 -j ACCEPT -A udp_pakety -p udp -m udp --dport 53 -j ACCEPT COMMIT # Completed on Fri Mar 12 14:53:44 2004 Thanks in advance, Stanislav Puffler.