On Monday 28 June 2004 1:20 pm, Gunnar Frödin wrote:

> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target prot opt in out source
> destination
>  6 360 ACCEPT tcp -- eth0 eth1 0.0.0.0/0
> 192.168.0.100 tcp dpt:25 state NEW,RELATED,ESTABLISHED

Okay, so we *are* seeing packets to the mail server being forwarded through the firewall.

>  0 0 ACCEPT tcp -- eth1 eth0 192.168.0.100
> 0.0.0.0/0 tcp spt:25 state NEW,RELATED,ESTABLISHED

But we are not seeing any replies coming back.

> Chain PREROUTING (policy ACCEPT 20 packets, 2796 bytes)
>  pkts bytes target prot opt in out source
> destination
>  1 60 DNAT tcp -- * * 0.0.0.0/0
> 10.20.30.40 tcp dpt:25 to:192.168.0.100:25

And, indeed, the DNAT is working (not surprising, since we saw forwarded packets).

> I tried to telnet in, which times out after 6 attempts

The 6 packets we can see in the FORWARD rule above :)

Okay, three more questions:

1. Is a mail server running on 192.168.0.100 (!) ? Can you telnet to it on the real 192.168.0.100 address from a local client?

2. Are there any access controls on the mail server, restricting the IPs from which it will accept connections?

3. Does the default route of the mail server point back to the firewall?

Regards,

Antony

--
Software development can be quick, high quality, or low cost.
The customer gets to pick any two out of three.

Please reply to the list; please don't CC me.
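The counter comparison made in the message above (packets counted on the `dpt:25` rule, none on the mirrored `spt:25` rule) can be automated. The following is an added example, not part of the original message; it assumes the listing comes from `iptables -L FORWARD -v -n -x` with each rule on one line, and the function names are hypothetical.

```python
import re

# Constructed sample: the FORWARD counters quoted in the message, one rule per
# line, as `iptables -L FORWARD -v -n -x` prints them (-x = exact counters).
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 6 360 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 192.168.0.100 tcp dpt:25 state NEW,RELATED,ESTABLISHED
 0 0 ACCEPT tcp -- eth1 eth0 192.168.0.100 0.0.0.0/0 tcp spt:25 state NEW,RELATED,ESTABLISHED
"""

# Columns: pkts bytes target prot opt in out source destination [match details]
RULE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_rules(listing):
    """Return one dict per rule line; chain and column headers are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        pkts, _bytes, _target, prot, in_if, out_if, src, dst, extra = m.groups()
        port = re.search(r"\b([sd])pt:(\d+)", extra)
        rules.append({"pkts": int(pkts), "prot": prot, "in": in_if,
                      "out": out_if, "src": src, "dst": dst,
                      "side": port.group(1) if port else None,
                      "port": int(port.group(2)) if port else None})
    return rules

def one_way_flows(rules):
    """Find dpt rules that counted packets while the mirrored spt rule counted none."""
    findings = []
    for fwd in rules:
        if fwd["side"] != "d" or fwd["pkts"] == 0:
            continue
        for rev in rules:
            mirrored = (rev["side"] == "s" and rev["port"] == fwd["port"]
                        and rev["prot"] == fwd["prot"] and rev["src"] == fwd["dst"]
                        and rev["in"] == fwd["out"] and rev["out"] == fwd["in"])
            if mirrored and rev["pkts"] == 0:
                # Requests reach the server but nothing returns through this
                # firewall: check the listener, its ACLs and its default route.
                findings.append((fwd["dst"], fwd["port"], fwd["pkts"]))
    return findings

if __name__ == "__main__":
    for dst, port, pkts in one_way_flows(parse_rules(SAMPLE)):
        print(f"{pkts} packets forwarded to {dst}:{port}, 0 replies seen")
```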