On Monday 20 June 2005 12:20, terry l. ridder wrote:
> > Yikes, this is very long. First, I see that you're doing all your
> > filtering in nat, PREROUTING and POSTROUTING. Why?
>
> because that is the way i know that works.
Again I doubt you know exactly what it is doing. For instance in your
lonely filter table, FORWARD rules there are 3 rules which do nothing
at all ... ACCEPT targets, when the policy is ACCEPT. (They do packet
counting which is limited by the "limit" module, so even the packet
counters are meaningless.)
> it has worked fine for many years.
Luck.
> it was not until i upgraded the
> firewall machine (new computer with debian sarge) that iptables
> began to leak.
>
> > I prefer to do filtering in the filter table as $DEITY intended. :)
For me that is more or less a matter of faith. I hope someone who knows
more about it will come along and explain why your NAT use is poor
design. In the meantime I bet a few external nmap's of your IP would
give you some unpleasant surprises.
> <major sniip>
>
> one of the reasons for using table nat is to dnat all ip addresses
> with destination port 25 (smtp) to the mail server, 204.238.34.206.
I'd do that with a single DNAT rule, have a single SNAT rule to let the
internal mail server out, and do my filtering in filter / FORWARD. It
also seems odd that you are using NAT at all, since the mail server
already has a real Internet IP. I only use NAT with RFC 1918 addresses.
> connection tracking is turned off since at one time i was
> using tarpit instead of just dropping the connections.
Whatever. Without connection tracking you might as well use ipchains.
> i have added logging on both the firewall box, 204.238.34.232, and
> the mail server, 204.238.34.206. both boxes will be logging the
> leaks.
Please do followup with the results; I will be interested to see what
packets are getting through.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
