On May 5, 2004 12:58 am, Fritz Mesedilla wrote:
> > These look fine as they are, however you will need a rule to
> > allow the reply packets, and perhaps one to SNAT your Internet-bound
> > packets if you are using private addresses on your network.
>
> Oh... How do I do that? Can you give me a sample rule?
>
> > Questions:
> > 1. Can clients access anything by IP address rather than hostname?
> > 2. Do any other services work, such as web browsing (assuming you have
> > rules to allow other services)?
>
> Clients cannot access anything except web browsing through the Squid proxy.
>
> > Suggestions:
> > 1. Describe your network setup to us.
> > 2. Show us all your netfilter rules.
>
> We have public IPs on the outside while we have private IPs on the inside,
> doing NAT through iptables and not through the router, as we do not have
> control of the router.
>
> For example,
>
> 202.78.90.166 <-> iptables <-> 192.168.247.11
> 202.78.90.166 <-> iptables <-> 192.168.247.12
>
> For web browsing I have a Squid proxy. So normally, clients do not have to
> resolve domain names, as the Squid proxy does it for them. Now I need to
> allow clients to resolve domain names to be able to retrieve POP3 from
> their other mail servers.
>
> Thanks again!

Looking at your included ruleset I don't see any NAT of the (already) allowed DNS and POP3 requests -- you have forward rules that will allow the DNS requests out the forward chain, but you are only MASQUERADING the port 80 requests. Try adding a duplicate of the MASQUERADE rule for TCP and UDP port 53. If the POP3 server is in the routable internet space, you need to MASQUERADE that as well.

Alistair

> <much snippage for brevity>
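The rules Alistair suggests, written out as a runnable shell script. This is an added example, not code from the thread or from the original ruleset; it assumes eth0 is the Internet-facing interface, takes the LAN range and public address from the figures quoted above, and also covers the SNAT variant the first reply mentions for a fixed public address.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates (and optionally applies)
# the nat-table rules described above: the existing port-80 MASQUERADE plus
# duplicates for DNS (TCP and UDP 53) and POP3 (TCP 110), and a FORWARD rule
# that lets reply packets back in, as the first reply asked for.
# Assumptions not in the thread: Internet-facing interface eth0 and LAN
# 192.168.247.0/24 (derived from the addresses quoted). If PUBLIC_IP is set
# (e.g. 202.78.90.166), SNAT --to-source is emitted instead of MASQUERADE,
# which is the usual choice when the public address is fixed.
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.247.0/24}"
PUBLIC_IP="${PUBLIC_IP:-}"

# Print one source-NAT rule for protocol $1 to destination port $2.
# Matching on -s, -o and --dport keeps the NAT as narrow as the FORWARD rules.
nat_rule() {
    if [ -n "$PUBLIC_IP" ]; then
        target="SNAT --to-source $PUBLIC_IP"
    else
        target="MASQUERADE"
    fi
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -p %s --dport %s -j %s\n' \
        "$LAN_NET" "$WAN_IF" "$1" "$2" "$target"
}

# The complete rule set, one iptables command per line.
nat_rules() {
    # Replies to connections the LAN opened must pass the FORWARD chain too.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    nat_rule tcp 80    # web: the rule the original ruleset already had
    nat_rule udp 53    # DNS queries
    nat_rule tcp 53    # DNS over TCP (truncated answers retried over TCP)
    nat_rule tcp 110   # POP3 to the users' external mail servers
}

# How many generated rules NAT traffic to port $1 (used to check the output).
rules_for_port() {
    nat_rules | grep -c -- "--dport $1 " || true
}

# Print by default; execute only when APPLY=1 and running as root.
if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
    nat_rules | while read -r cmd; do sh -c "$cmd"; done
else
    nat_rules
fi
```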