On Sun 07/09/2003 at 14:15, ÐÐÐÐÐÐÐÑ ÐÐÑÐÐÐÐ wrote:
> DNS worked ok. Thank you.
> But my mail server can only send messages from local to the internet,
> but doesn't accept any mail from the internet.

[...]

> -A PREROUTING -d 121.1.1.1 -i eth0 -p tcp -j DNAT --to-destination 192.168.5.2
> -A PREROUTING -d 121.1.1.1 -i eth0 -p udp -j DNAT --to-destination 192.168.5.2
> -A POSTROUTING -o eth0 -j SNAT --to-source 121.1.1.1
> -A allow -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A allow -p tcp -m tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A allow -p tcp -j LOG
> -A allow -p tcp -j DROP
> -A FORWARD -d 192.168.5.2 -i eth0 -o eth1 -p tcp -m tcp --dport 25 -j allow
> -A FORWARD -s 192.168.5.2 -i eth1 -o eth0 -p tcp -m tcp --dport 25 -j allow

Because you are making exactly the same mistake as before. You do not have a
rule to accept returning packets for SMTP connections, either way, as they
are not destined to TCP port 25 but sourced from this port.

As I mentioned before, you _really_ should get rid of this "allow" chain and
have everything handled with a generic ESTABLISHED,RELATED state match at the
top of the ruleset:

-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.5.2 -i eth0 -o eth1 -m state \
    --state NEW -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A FORWARD -s 192.168.5.2 -i eth1 -o eth0 -m state \
    --state NEW -p tcp -m tcp --dport 25 --syn -j ACCEPT

> In the log I see that other mail servers want to connect to me at sport 25.
> But it's not correct.

You should copy the log entry so one can show you what's wrong with it.

PS: please keep Cc to the list as every thread can be useful for other
people with similar issues (i.e. reply all).

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
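The point of the reply above is easy to miss when reading iptables syntax: the FORWARD chain only jumps to "allow" for packets whose destination port is 25, so the SMTP server's own replies (source port 25, destination port ephemeral) never reach the ESTABLISHED rule inside "allow" and fall through to the chain policy. The following toy packet filter, added here as an illustration and not part of the list message or of netfilter itself, models just enough of connection tracking and chain traversal to show the two rulesets side by side. It assumes a FORWARD policy of DROP (the original poster's policy is not shown), ignores interfaces and the DNAT step (FORWARD sees the post-DNAT address 192.168.5.2), and uses a constructed remote address 203.0.113.9.

```python
"""Toy stateful packet filter (illustration, not netfilter code).

Models a FORWARD chain with user-defined chains, a non-terminating LOG
target, and a minimal connection tracker, so the effect of placing a
generic ESTABLISHED,RELATED rule at the top of the chain can be observed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a pure SYN (connection opener)


class Conntrack:
    """Remembers accepted 4-tuples in either direction; later packets of
    the same flow are classified ESTABLISHED, everything else NEW."""

    def __init__(self):
        self.flows = set()

    def state(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def note(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))


def match(rule, p, state):
    """A rule matches when every match clause it carries applies to p."""
    if "src" in rule and p.src != rule["src"]:
        return False
    if "dst" in rule and p.dst != rule["dst"]:
        return False
    if "dport" in rule and p.dport != rule["dport"]:
        return False
    if "syn" in rule and p.syn != rule["syn"]:
        return False
    if "state" in rule and state not in rule["state"]:
        return False
    return True


def walk(chains, name, p, state):
    """Traverse chain `name`; return ACCEPT/DROP, or None on fall-through."""
    for rule in chains[name]:
        if not match(rule, p, state):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "LOG":
            continue  # LOG is non-terminating, as in iptables
        verdict = walk(chains, target, p, state)  # user-defined chain
        if verdict is not None:
            return verdict
    return None


def filter_packets(chains, packets, policy="DROP"):
    """Return the verdict for each packet, in order, under `chains`."""
    ct = Conntrack()
    verdicts = []
    for p in packets:
        v = walk(chains, "FORWARD", p, ct.state(p)) or policy
        if v == "ACCEPT":
            ct.note(p)  # only accepted packets create a tracked flow
        verdicts.append(v)
    return verdicts


MAIL = "192.168.5.2"

# The poster's layout: FORWARD jumps to "allow" only for --dport 25.
OLD_RULES = {
    "FORWARD": [
        {"dst": MAIL, "dport": 25, "target": "allow"},
        {"src": MAIL, "dport": 25, "target": "allow"},
    ],
    "allow": [
        {"syn": True, "target": "ACCEPT"},
        {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
        {"target": "LOG"},
        {"target": "DROP"},
    ],
}

# The suggested layout: generic state match first, then NEW SYNs to port 25.
NEW_RULES = {
    "FORWARD": [
        {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
        {"dst": MAIL, "dport": 25, "state": {"NEW"}, "syn": True, "target": "ACCEPT"},
        {"src": MAIL, "dport": 25, "state": {"NEW"}, "syn": True, "target": "ACCEPT"},
    ],
}

# Constructed sample: an inbound SMTP connection as FORWARD sees it (post-DNAT).
INBOUND_SMTP = [
    Packet("203.0.113.9", 40000, MAIL, 25, syn=True),  # SYN from remote MTA
    Packet(MAIL, 25, "203.0.113.9", 40000),            # SYN/ACK back, sport 25
]

if __name__ == "__main__":
    print("old ruleset:", filter_packets(OLD_RULES, INBOUND_SMTP))
    print("new ruleset:", filter_packets(NEW_RULES, INBOUND_SMTP))
```

With the old layout the SYN is accepted but the SYN/ACK from 192.168.5.2:25 is dropped by the policy, which is exactly the "other mail server wants to connect at sport 25" symptom: what the log shows is the local server's own reply, not a new connection. With the generic state rule first, the reply is ESTABLISHED and accepted before any port-specific rule is consulted.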