Re: again problem with alias / virtual interface

Batstru wrote:
> [root@maya root]# tcpdump -i eth1 | grep host91-92.pool82186.interbusiness.it
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> 11:31:41.895811 IP bella.dei.unipd.it.52242 > host91-92.pool82186.interbusiness.it.smtp: S 891791967:891791967(0) win 24820 <nop,nop,sackOK,mss 1460>
> 11:31:45.257887 IP bella.dei.unipd.it.52242 > host91-92.pool82186.interbusiness.it.smtp: S 891791967:891791967(0) win 24820 <nop,nop,sackOK,mss 1460>
> 11:31:52.006557 IP bella.dei.unipd.it.52242 > host91-92.pool82186.interbusiness.it.smtp: S 891791967:891791967(0) win 24820 <nop,nop,sackOK,mss 1460>

OK, let's do a little test. Instead of trying to make it work all at once, let's start building rules from the beginning, and get simple stuff working first. Flush all firewall rules you have, and do something simple like this:


# Flush all old stuff
# Without -t, -F and -X only touch the filter table.
iptables -F
iptables -X
# /proc/net/ip_tables_names lists every loaded table (filter, nat, mangle, ...),
# so repeat the flush and the user-chain removal for each of them.
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $chains; do iptables -t $i -F; done
for i in $chains; do iptables -t $i -X; done

After doing this, do "iptables -L" and make sure that all chains in nat and mangle tables have default policy set to ACCEPT (it wouldn't be good if for example your POSTROUTING chain in nat table is set to drop packets by default).

# Simple config for testing
# Default policy: drop whatever no rule below accepts
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Let packets belonging to already accepted connections through, in every chain
# (note: with OUTPUT set to DROP and only this rule, the host itself cannot
# open new outbound connections)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections: only ping (echo-request) and SMTP to 82.186.92.92, only on eth1
iptables -A INPUT -i eth1 -p icmp --icmp-type ping -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -d 82.186.92.92 --dport 25 -m state --state NEW -j ACCEPT


After this, iptables -L should show that all chains in the filter table are set to DROP packets by default, and all chains in the nat and mangle tables are set to ACCEPT packets by default. It should also show only the 5 rules above in the filter table (3 in the INPUT chain, and 1 rule each in the OUTPUT and FORWARD chains), and no rules in the nat and mangle tables.

Make sure that output of iptables -L matches what is described above. If it doesn't match, you have remains of old configuration still loaded, and you need to get rid of it somehow. You may also use iptables-save and check that its output matches exactly the commands you typed above, and that only chains in filter table have default policy set to DROP.

From another machine, try to ping 82.186.92.92 and to ssh into it. If it works, you had an error somewhere in your rules.

If it doesn't work, try adding these three logging rules *after* the above set of rules:

iptables -A INPUT -j LOG --log-prefix="INPUT "
iptables -A OUTPUT -j LOG --log-prefix="OUTPUT "
iptables -A FORWARD -j LOG --log-prefix="FORWARD "

This should log all dropped packets (since you will be adding these rules at the end, just before packets are dropped). The log will contain all information about the dropped packets (the interface they were dropped from, in which chain, and all other interesting data).

Thinking of all this, another thing came to my mind: your network configuration. If you have more than one interface connected to the same "wire" (say eth0 and eth1 connected to the same hub), the Linux kernel does not need to send response packets for an address configured on eth1 back out through eth1. It might as well just use eth0. Been burned by that once (although in a different context).

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
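As an added example (not code from the original post or from its author), the two checks the post asks for, written as shell functions over constructed samples: check_baseline reads iptables-save output and verifies the state the post describes (every filter chain DROP, every nat/mangle chain ACCEPT, exactly the 5 filter rules, no nat/mangle rules, and no leftover user-defined chain, which iptables-save prints with policy "-"); decode_log reads kernel lines written by the three LOG rules and summarises the chain prefix, interfaces, addresses, protocol and destination port. The iptables-save text and the syslog lines below are constructed, not captured; apart from the post's 82.186.92.92 and the "maya" host name from the quoted prompt, the addresses are from the 192.0.2.0/24 documentation range and the MAC is made up.

```shell
#!/bin/sh
# Added example, not part of the original post. Requires only sh and awk.

# Constructed iptables-save output for the post's test ruleset (iptables-save
# renders "--icmp-type ping" as "--icmp-type 8" and adds "-m tcp"/"-m icmp").
SAMPLE_SAVE='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A INPUT -d 82.186.92.92/32 -i eth1 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Constructed "old configuration still loaded" case: a DROP policy and a
# leftover rule in nat, a user-defined chain, and no filter rules at all.
BAD_SAVE='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING DROP [0:0]
:OUTPUT ACCEPT [0:0]
:oldchain - [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT'

# Constructed syslog lines in the format the LOG target writes (prefix "INPUT ").
SAMPLE_LOG='Nov  5 11:31:41 maya kernel: INPUT IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=82.186.92.92 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=TCP SPT=52242 DPT=25 WINDOW=24820 RES=0x00 SYN URGP=0'
SAMPLE_ICMP_LOG='Nov  5 11:31:50 maya kernel: INPUT IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=82.186.92.92 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1'

# Verify iptables-save text on stdin; print each deviation, exit 1 if any.
check_baseline() {
  awk '
  /^\*/ { table = substr($0, 2); next }          # "*filter" opens a table
  /^:/  {                                        # ":CHAIN POLICY [pkts:bytes]"
    chain = substr($1, 2); policy = $2
    if (policy == "-") {                         # user-defined chain survived -X
      printf "%s/%s is a leftover user-defined chain\n", table, chain; bad++; next
    }
    if (table == "filter" && policy != "DROP") {
      printf "filter/%s policy is %s, expected DROP\n", chain, policy; bad++
    }
    if (table != "filter" && policy != "ACCEPT") {
      printf "%s/%s policy is %s, expected ACCEPT\n", table, chain, policy; bad++
    }
    next
  }
  /^-A / { rules[table]++; next }                # one appended rule
  END {
    if (rules["filter"] + 0 != 5) {
      printf "filter table has %d rules, expected 5\n", rules["filter"] + 0; bad++
    }
    if (rules["nat"] + 0 > 0 || rules["mangle"] + 0 > 0) {
      print "nat/mangle tables should contain no rules"; bad++
    }
    exit (bad > 0 ? 1 : 0)
  }'
}

# Summarise LOG lines on stdin as "<prefix> in=<if> out=<if> SRC -> DST PROTO/DPT".
decode_log() {
  awk '
  /IN=/ {
    pfx = $0; sub(/.*kernel: /, "", pfx); sub(/ ?IN=.*/, "", pfx)   # --log-prefix text
    in_if = ""; out_if = ""; src = ""; dst = ""; proto = ""; dpt = "-"
    for (i = 1; i <= NF; i++) {
      n = split($i, kv, "=")
      if (n < 2) continue                        # bare flags such as DF or SYN
      if (kv[1] == "IN") in_if = kv[2]
      else if (kv[1] == "OUT") out_if = kv[2]
      else if (kv[1] == "SRC") src = kv[2]
      else if (kv[1] == "DST") dst = kv[2]
      else if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]     # absent for ICMP, stays "-"
    }
    printf "%s in=%s out=%s %s -> %s %s/%s\n", pfx, in_if, out_if, src, dst, proto, dpt
  }'
}

# Run against the constructed samples when executed directly.
printf '%s\n' "$SAMPLE_SAVE" | check_baseline && echo "baseline ruleset: OK"
printf '%s\n' "$BAD_SAVE" | check_baseline || echo "leftover configuration detected"
printf '%s\n' "$SAMPLE_LOG" "$SAMPLE_ICMP_LOG" | decode_log
```

On the real box you would run `iptables-save | check_baseline` after the flush and the test rules, and `grep 'IN=' /var/log/messages | decode_log` (or wherever klogd sends kernel messages) after adding the LOG rules; a line whose prefix is INPUT with in=eth1 and DPT 25 is exactly the SMTP SYN from the quoted tcpdump being dropped, so the remaining rules, not the routing, would be the place to look.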

