On Fri, Oct 31, 2003 at 07:13:44PM -0200, Paulo Ricardo Bruck wrote:
> > > > > > c) iptables -A POSTROUTING -o eth2 -j SNAT --to-source 192.168.1.1
> > > > > >
> > > > > > What happens:
> > > > > >
> > > - all desktops (M$windows) access webmail and email w/ no problems, but
> > > if I insert rule c) above it causes a delay when any desktop hits
> > > get/post e-mail in Outlook and it takes +- 40 seconds to "connect".
> >
> > Let me not ask you why you have rule (c).
> c) I inserted because we have in the DMZ an IIS and as far as I know I could
> protect it by putting PREROUTING rules.... who knows??? If someone invades
> IIS at least I'll be protecting the LAN by changing their IP ....80)

And changing their IP to 192.168.1.1 protects you, how?

> > But in general a long delay
> > is most of the time related to a faulty or non-existent reverse DNS.
> > But in case of SMTP it also might have something to do with ident
> > being dropped...
> maybe it can help:
> iptables -N AUTH
> iptables -A FORWARD -d $LAN -p tcp --dport 113 -j AUTH
> iptables -A FORWARD -d $REDEDMZ -p tcp --dport 113 -j AUTH
> iptables -A AUTH -j REJECT -p tcp --reject-with tcp-reset
>
> As you can see I'm rejecting ident.... Is that the problem ??

Try tcpdump and see what is happening. I'm not sure but some of the --reject-with options didn't do their job correctly (AFAICR).

Ramin
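Ramin's advice is to look at the traffic with tcpdump. As an added example that is not part of this thread, the Python script below reads tcpdump-style lines for the ident port (113) and tells a working REJECT (the client's SYN gets an immediate RST, so the mail server gives up on ident at once) apart from a silent DROP (the SYN is retransmitted with growing backoff, which is exactly what stretches an Outlook "connect" to tens of seconds). The capture lines, addresses and ports are constructed sample data.

```python
import re
from collections import defaultdict

# Matches the fields we need from a tcpdump line: time, src.port > dst.port, TCP flags.
LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+)\.(\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]"
)

# Constructed sample capture: client .5 gets an RST at once (REJECT tcp-reset works),
# client .7 retransmits its SYN for 21 seconds with no answer (looks like a DROP).
SAMPLE = """\
12:00:00.000000 IP 203.0.113.5.4000 > 192.168.1.1.113: Flags [S], seq 1, length 0
12:00:00.000500 IP 192.168.1.1.113 > 203.0.113.5.4000: Flags [R.], seq 0, length 0
12:00:10.000000 IP 203.0.113.7.4100 > 192.168.1.1.113: Flags [S], seq 2, length 0
12:00:13.000000 IP 203.0.113.7.4100 > 192.168.1.1.113: Flags [S], seq 2, length 0
12:00:19.000000 IP 203.0.113.7.4100 > 192.168.1.1.113: Flags [S], seq 2, length 0
12:00:31.000000 IP 203.0.113.7.4100 > 192.168.1.1.113: Flags [S], seq 2, length 0
""".splitlines()


def _secs(h, m, s, frac):
    """Convert a tcpdump HH:MM:SS.frac timestamp into seconds since midnight."""
    return int(h) * 3600 + int(m) * 60 + int(s) + float("0." + frac)


def ident_diagnosis(lines, port=113):
    """Per client: was the ident SYN answered (RST or SYN-ACK), how many times was it
    retransmitted, and how long the retransmit run lasted. Unanswered SYNs with a long
    span mean the ident probe is being dropped, not rejected."""
    flows = defaultdict(lambda: {"syn_times": [], "answered": False})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = _secs(*m.group(1, 2, 3, 4))
        src, sport, dst, dport, flags = (m.group(5), int(m.group(6)),
                                         m.group(7), int(m.group(8)), m.group(9))
        if dport == port and "S" in flags and "." not in flags:
            flows[(src, sport)]["syn_times"].append(ts)      # client SYN to ident
        elif sport == port and ("R" in flags or "." in flags):
            flows[(dst, dport)]["answered"] = True            # RST or SYN-ACK back
    report = {}
    for (client, _), f in flows.items():
        t = sorted(f["syn_times"])
        report[client] = {"answered": f["answered"],
                          "syn_retries": max(len(t) - 1, 0),
                          "syn_span": round(t[-1] - t[0], 3) if t else 0.0}
    return report


if __name__ == "__main__":
    for client, info in ident_diagnosis(SAMPLE).items():
        print(client, info)
```

Run it against `tcpdump -n -i eth2 port 113` output saved to a file to see which side of the firewall is swallowing the ident probes.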