On Wednesday 08 January 2003 04:32 am, oarojo@intermediacorp.com wrote:
> Yes I'm using telnet from other network...

Please snip unrelated material out of a digest message when replying - the other six messages had nothing to do with this... A single-line response with over 450 quoted lines is a big waste, especially since you didn't sign the response, making it appear that there might be more you had added further on in the quoted part.

Also, you don't answer the first question I posed, or the one another helpful participant offered.

You said you have a mail server behind your firewall and are trying to DNAT connections to it from the internet. You listed two DNAT rules (which appeared correct) and two FORWARD rules to let the traffic reach the mail server (which also appeared correct). Since you don't offer much detail apart from this about the setup, we asked if you have a rule allowing the return traffic back through the FORWARD chain, and whether you have forwarding enabled with:

echo "1" > /proc/sys/net/ipv4/ip_forward

At least that's what I believe the other reply meant. He actually asked "Did you turn on Masquerading?", but MASQUERADE in iptables syntax is a form of SNAT, while Masquerade in general is simply NAT used to hide multiple machines, neither of which has any direct bearing on DNAT to a mailserver, so I'm making a guess as to what the question really intended.

Finally, you said you try telnetting to the IP, port 25, and get no response. Is there a service running on the mailserver that is properly configured to respond to a telnet connection to port 25 from the internet? If this is the only DNAT you are attempting so far, you might be better served trying it to port 80 with apache running on 192.168.0.5, until you confirm that your DNAT and FORWARD rules and everything else are working as expected, THEN change over to port 25/110 with the mail server (sendmail?) running. That way any failure at that last step is very likely a problem with mail configuration, rather than firewall DNAT and forwarding.

j

> > Do you have a FORWARD rule to allow return traffic back out? You
> > don't mention one, so I have to ask. Something like this would
> > work, if no other more general rule allows it:
> >
> > iptables -A FORWARD -p tcp -o eth0 -s 192.168.0.5 -m multiport \
> > --sport 25,110 -j ACCEPT
> >
> > Are you trying to telnet from outside the network? If you are
> > trying to do it from the firewall box or from anywhere on the
> > 192.168 network it will fail unless you have other rules to help
> > 'guide' the traffic back through the firewall. (of course the
> > rules you list are presumably for traffic from outside...) See
> > Oskar's tutorial's DNAT info at:
> > http://iptables-tutorial.frozentux.net/chunkyhtml/targets.html#DNATTARGET
> > where he explains the problem and the solution, if you need to
> > allow access from the local network or firewall.
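The complete set of rules the two replies above are asking about, as an added example that is not code from the thread or from either poster: forwarding enabled, the DNAT in nat PREROUTING, FORWARD rules for both directions of the connection, and the extra "hairpin" rules from the tutorial link for clients on the LAN or the firewall box itself reaching the public address. Only 192.168.0.5 and ports 25/110 come from the thread; the interface names eth0/eth1, the public address 203.0.113.10, the LAN 192.168.0.0/24 and the firewall's LAN address 192.168.0.1 are assumptions to be replaced with the real values. By default the script only prints the commands it would run; `--apply` runs them.

```shell
#!/bin/sh
# Added example (not from the original thread): DNAT a mail server behind
# an iptables firewall, including the return-traffic FORWARD rule,
# ip_forward, and the LAN / firewall-box hairpin case.
#
# Assumptions (override via environment): eth0 is the internet side, eth1
# the LAN side, 203.0.113.10 the public address, 192.168.0.1 the firewall's
# LAN address. 192.168.0.5 and ports 25,110 are from the thread.
#
# Usage:  sh dnat-mail.sh                    # print the rules (dry run)
#         sh dnat-mail.sh --apply            # run them (needs root)
#         PORTS=80 sh dnat-mail.sh --apply   # test with apache first

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
WAN_IP=${WAN_IP:-203.0.113.10}
LAN_NET=${LAN_NET:-192.168.0.0/24}
FW_LAN_IP=${FW_LAN_IP:-192.168.0.1}
SERVER=${SERVER:-192.168.0.5}
PORTS=${PORTS:-25,110}      # comma-separated list for -m multiport

DRY_RUN=1
if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
fi

# ipt: print one iptables command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Without this the kernel never forwards DNATed packets at all.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Connections arriving from the internet on the public interface.
internet_dnat_rules() {
    # 1. Rewrite the destination before the routing decision.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -m multiport --dports "$PORTS" \
        -j DNAT --to-destination "$SERVER"
    # 2. Let the rewritten packets through FORWARD towards the server.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER" \
        -m multiport --dports "$PORTS" -j ACCEPT
    # 3. Let the replies back out. With a DROP policy and no rule like this
    #    (or a general ESTABLISHED,RELATED rule) the SYN reaches the server
    #    but the SYN/ACK is dropped, which telnet reports as no response.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$SERVER" \
        -m multiport --sports "$PORTS" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# LAN clients, or the firewall itself, connecting to the *public* address.
# PREROUTING DNAT alone is not enough: the server would answer the LAN
# client directly, bypassing the firewall, and the client would reject a
# reply from an address it never connected to. SNAT the source to the
# firewall so the reply comes back through it and is un-NATed.
hairpin_rules() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -d "$WAN_IP" -p tcp \
        -m multiport --dports "$PORTS" -j DNAT --to-destination "$SERVER"
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$SERVER" -p tcp \
        -m multiport --dports "$PORTS" -j SNAT --to-source "$FW_LAN_IP"
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER" \
        -m multiport --dports "$PORTS" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp -s "$SERVER" \
        -m multiport --sports "$PORTS" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets generated on the firewall box never pass PREROUTING; they
    # traverse the nat OUTPUT chain instead.
    ipt -t nat -A OUTPUT -d "$WAN_IP" -p tcp -m multiport --dports "$PORTS" \
        -j DNAT --to-destination "$SERVER"
}

apply_rules() {
    enable_forwarding
    internet_dnat_rules
    hairpin_rules
}

apply_rules
```

Following the reply's suggestion, run it first with `PORTS=80` and apache on 192.168.0.5 so a failure points at NAT or forwarding rather than the mail daemon, then switch to 25,110. If the FORWARD policy is ACCEPT the return rule is redundant but harmless; with a DROP policy it is the rule most often missing. A DNATed connection sitting in SYN_SENT in /proc/net/ip_conntrack (or in `conntrack -L` on newer kernels) means the SYN was forwarded and nothing came back, which separates a missing return rule from a server that is not listening.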