From: Andrew Beverley <andy@andybev.com>
To: cc <cc@kdtc.net>
Cc: netfilter@vger.kernel.org
Subject: Re: netfilter pecularities
Date: Fri, 25 Mar 2011 18:02:54 +0000 [thread overview]
Message-ID: <1301076174.2891.114.camel@andybev> (raw)
In-Reply-To: <20110325090527.M18530@kdtc.net>
On Fri, 2011-03-25 at 17:05 +0800, cc wrote:
> I have a filter that forwards (via NAT prerouting) SMTP packets
> to my e-mail server behind the firewall. Here are the
> following rules:
>
> $IPT -t nat -A PREROUTING -p tcp -i $INET_IF -d $INET_IP \
> --dport $SMTP -j DNAT --to $DMZ_EM:$SMTP
> $IPT -t nat -A PREROUTING -p tcp -i $DMZ_IF -d $INET_IP \
> --dport $SMTP -j DNAT --to $DMZ_EM:$SMTP
>
> $IPT -t nat -A PREROUTING -p tcp -i $DMZ_IF -d $INET_IP \
> -s $LAN_NET --dport $SMTP -j DNAT --to $DMZ_EM:$SMTP
>
> These rules are the only ones that have anything to do with
> SMTP port forwarding, and they don't include SNAT, as is
> obvious from the rules. If you can bear with me for a bit.
>
> Now theoretically speaking, if I comment out the above lines,
> NONE of the SMTP traffic will be going anywhere, am I correct?
Well it depends if you've got any other routing set up. Are you sure
that the clients are using the firewall's IP address, and not the IP
address of DMZ_EM? If they are using the latter, and you have ip_forward
enabled, then the packets can be forwarded with no involvement of
iptables.
It would be worth changing the target of the above rules to LOG to see
if the packets are matching them.
Andy
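An added worked example (not part of the thread, and not the poster's or Andy's code) of the diagnostic Andy suggests: it prints LOG rules that mirror the three quoted DNAT matches, so they can be inserted ahead of the DNAT rules, and it summarises the resulting kernel log lines by ingress interface, source and destination. It also checks `/proc/sys/net/ipv4/ip_forward`, since a forwarded packet addressed directly to DMZ_EM never touches the nat table. The variable names are the ones from the quoted rules; the default values and the sample log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Variable names follow the quoted rules;
# the defaults are constructed placeholders, override them from the environment.
: "${IPT:=iptables}"
: "${INET_IF:=eth0}"
: "${DMZ_IF:=eth1}"
: "${INET_IP:=198.51.100.10}"
: "${LAN_NET:=192.168.1.0/24}"
: "${SMTP:=25}"
LOG_PREFIX="SMTP-DNAT: "

# Print (rather than run) LOG rules with the same match as each DNAT rule.
# They are inserted at positions 1-3 of nat PREROUTING so they are consulted
# before the DNAT rules; LOG is non-terminating, so the DNAT still applies.
# Note that nat PREROUTING sees only the first packet of a connection, so
# each logged line corresponds to one new SMTP connection, not every packet.
smtp_log_rules() {
    printf '%s\n' \
      "$IPT -t nat -I PREROUTING 1 -p tcp -i $INET_IF -d $INET_IP --dport $SMTP -j LOG --log-prefix \"$LOG_PREFIX\"" \
      "$IPT -t nat -I PREROUTING 2 -p tcp -i $DMZ_IF -d $INET_IP --dport $SMTP -j LOG --log-prefix \"$LOG_PREFIX\"" \
      "$IPT -t nat -I PREROUTING 3 -p tcp -i $DMZ_IF -s $LAN_NET -d $INET_IP --dport $SMTP -j LOG --log-prefix \"$LOG_PREFIX\""
}

# Read kernel log lines on stdin, keep those carrying our prefix, and count
# new connections per (IN interface, SRC, DST, DPT). Output is sorted, so
# lines from the same interface and client group together.
summarize_smtp_log() {
    grep -F "$LOG_PREFIX" \
      | sed -n 's/.*IN=\([^ ]*\).*SRC=\([^ ]*\).*DST=\([^ ]*\).*DPT=\([^ ]*\).*/\1 \2 \3 \4/p' \
      | sort | uniq -c | sed 's/^ *//'
}

# True when the kernel forwards packets between interfaces. Such packets only
# reach the nat table if a rule matches them; if clients address DMZ_EM
# directly, forwarding alone delivers them and no DNAT rule is involved.
# An optional path argument allows pointing this at a copy of the sysctl file.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Constructed sample of what the LOG target writes to the kernel log: two
# connections from the Internet side, one from the DMZ side, and one
# unrelated line that must be ignored.
sample_smtp_log() {
    cat <<'EOF'
Mar 25 17:05:01 fw kernel: [1234.56] SMTP-DNAT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 25 17:05:09 fw kernel: [1242.10] SMTP-DNAT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41240 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 25 17:05:12 fw kernel: [1245.77] SMTP-DNAT: IN=eth1 OUT= MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=192.168.1.20 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50210 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 25 17:05:15 fw kernel: [1248.01] SSH-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=5555 DPT=22
EOF
}

echo "# LOG rules to insert ahead of the DNAT rules:"
smtp_log_rules
echo "# New SMTP connections seen by those rules (constructed sample):"
sample_smtp_log | summarize_smtp_log
if ip_forward_enabled; then
    echo "# ip_forward=1: packets addressed to DMZ_EM directly bypass the nat table"
else
    echo "# ip_forward=0 or unreadable: no forwarding without an explicit NAT/route"
fi
```

In practice you would run the printed rules, generate some SMTP connections, and feed `dmesg` or the kernel log file into `summarize_smtp_log`; a client that appears nowhere in the summary yet still reaches the mail server is talking to DMZ_EM directly, which is the case Andy describes.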