DNAT Problems

Greetings All:

I have what I think is a simple firewall configuration. All our hosts reside on the internal side of our network and we punch holes to allow access to servers that provide internet-based content (i.e. Web servers, e-mail servers, and Database server).

For some reason my firewall was working fine until a reboot and now none of the DNAT is working. The most important thing is that the e-mail server is not receiving mail; it sends just fine. Also no one can access SquirrelMail; again, it works fine internally.

Here is my configuration; any help is appreciated. Thanks in advance IPTABLES Gurus.

------------------------------------------------------
# Generated by iptables-save v1.3.4 on Sat Apr  8 02:03:03 2006
*raw
:PREROUTING ACCEPT [69187:15784837]
:OUTPUT ACCEPT [46891:5730774]
COMMIT
# Completed on Sat Apr  8 02:03:03 2006
# Generated by iptables-save v1.3.4 on Sat Apr  8 02:03:03 2006
*nat
:PREROUTING ACCEPT [6384:872118]
:POSTROUTING ACCEPT [156:10133]
:OUTPUT ACCEPT [1681:126170]
-A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 25 -j DNAT --to-destination 192.168.150.20
-A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 110 -j DNAT --to-destination 192.168.150.20
-A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 143 -j DNAT --to-destination 192.168.150.20
-A PREROUTING -d 1.1.1.200 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 192.168.150.200
-A POSTROUTING -o lo -j ACCEPT
-A POSTROUTING -o eth1 -j MASQUERADE
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
# Completed on Sat Apr  8 02:03:03 2006
# Generated by iptables-save v1.3.4 on Sat Apr  8 02:03:03 2006
*mangle
:PREROUTING ACCEPT [69187:15784837]
:INPUT ACCEPT [48202:5793791]
:FORWARD ACCEPT [18360:9358860]
:OUTPUT ACCEPT [46891:5730774]
:POSTROUTING ACCEPT [65251:15089634]
COMMIT
# Completed on Sat Apr  8 02:03:03 2006
# Generated by iptables-save v1.3.4 on Sat Apr  8 02:03:03 2006
*filter
:INPUT ACCEPT [5310:385325]
:FORWARD ACCEPT [2955:564452]
:OUTPUT ACCEPT [43086:5176570]
:openvpn - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 220.193.98.15 -j DROP
-A INPUT -s 82.127.9.42 -j DROP
-A INPUT -s 82.226.217.40 -j DROP
-A INPUT -s 207.212.29.73 -j DROP
-A INPUT -s 213.154.72.195 -j DROP
-A INPUT -s 221.169.125.102 -j DROP
-A INPUT -s 218.202.223.238 -j DROP
-A INPUT -s 213.175.92.222 -j DROP
-A INPUT -s 210.228.173.152 -j DROP
-A INPUT -s 219.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 220.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 221.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 210.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 211.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 200.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 218.0.0.0/255.0.0.0 -j DROP
-A FORWARD -i tun0 -j openvpn
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 110 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 143 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.150.200 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
http://mail.yahoo.com 
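A port-forward like the one in this post only works when two rules agree: the nat/PREROUTING DNAT that rewrites the destination, and a filter/FORWARD rule that then accepts the NEW connection to the rewritten internal address. When a dump has many rules, checking that pairing by eye is error-prone, so the script below (an added example, not part of the post or of the netfilter project) parses iptables-save output and reports every DNAT rule that has no FORWARD ACCEPT admitting its traffic. The dump embedded in it is constructed from the nat and filter tables above, rejoined one rule per line; a second copy with one FORWARD rule deliberately dropped shows what a detected gap looks like. It also notes DNAT rules carrying a --sport restriction, since a connection arriving from a source port outside that range is simply not translated. Negated matches (`!`) and multiport are not modelled.

```python
"""Static audit of an iptables-save dump: every DNAT in nat/PREROUTING should
have a filter/FORWARD ACCEPT that admits NEW connections to the translated host.
Added example; the dump is constructed from the rules in the post."""
from dataclasses import dataclass

SAMPLE = """*nat
:PREROUTING ACCEPT [6384:872118]
-A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 25 -j DNAT --to-destination 192.168.150.20
-A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 110 -j DNAT --to-destination 192.168.150.20
-A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 143 -j DNAT --to-destination 192.168.150.20
-A PREROUTING -d 1.1.1.200 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 192.168.150.200
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [2955:564452]
:openvpn - [0:0]
-A FORWARD -i tun0 -j openvpn
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 110 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 143 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.150.200 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
COMMIT
"""
# Constructed variant: the FORWARD rule for port 110 is missing, so POP3 is
# translated by DNAT but then has no rule admitting the NEW connection.
BROKEN = "\n".join(l for l in SAMPLE.splitlines() if "--dport 110 -m state" not in l)


@dataclass
class Rule:
    table: str
    chain: str
    pairs: list  # [(flag, value), ...] in order; repeated flags such as -m are kept

    def get(self, flag, default=None):
        for f, v in self.pairs:
            if f == flag:
                return v
        return default


def parse_iptables_save(text):
    """Turn iptables-save text into Rule objects (one per '-A' line)."""
    rules, table = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
        elif not line.startswith("-A "):    # comments, :CHAIN policies, COMMIT
            continue
        else:
            tokens = line.split()
            pairs, i = [], 2
            while i < len(tokens):
                tok = tokens[i]
                if tok == "!":              # negation is not modelled here
                    i += 1
                    continue
                if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                    pairs.append((tok, tokens[i + 1]))
                    i += 2
                else:
                    pairs.append((tok, True))  # bare flag such as --syn
                    i += 1
            rules.append(Rule(table, tokens[1], pairs))
    return rules


def _strip_mask(addr):
    """Newer iptables-save writes host addresses as a.b.c.d/32; normalise."""
    return addr[:-3] if isinstance(addr, str) and addr.endswith("/32") else addr


def _admits(fwd, flag, want):
    """A FORWARD rule admits the flow if it leaves `flag` unconstrained or
    constrains it to the same value the DNAT rule uses."""
    have = fwd.get(flag)
    return have is None or want is None or _strip_mask(have) == _strip_mask(want)


def audit_dnat(text):
    """Return DNAT targets lacking a FORWARD ACCEPT for NEW connections, plus
    DNAT rules whose --sport restriction leaves some clients untranslated."""
    rules = parse_iptables_save(text)
    forwards = [r for r in rules
                if r.table == "filter" and r.chain == "FORWARD" and r.get("-j") == "ACCEPT"]
    missing, sport_restricted = [], []
    for r in rules:
        if not (r.table == "nat" and r.chain == "PREROUTING" and r.get("-j") == "DNAT"):
            continue
        host, _, port = r.get("--to-destination", "").partition(":")
        port = port or r.get("--dport")     # no port in the target: original dport is kept
        key = (host, port)
        if r.get("--sport") is not None:
            sport_restricted.append(key)
        if not any(_admits(f, "-d", host) and _admits(f, "--dport", port)
                   and _admits(f, "-i", r.get("-i")) and _admits(f, "-p", r.get("-p"))
                   and "NEW" in f.get("--state", "NEW").split(",")
                   for f in forwards):
            missing.append(key)
    return {"missing_forward": missing, "sport_restricted": sport_restricted}


if __name__ == "__main__":
    for name, dump in (("posted config", SAMPLE), ("constructed broken config", BROKEN)):
        print(name, audit_dnat(dump))
```

Feed it a real dump with `iptables-save | python3 audit.py` after swapping `SAMPLE` for `sys.stdin.read()`; for the posted tables it reports no missing FORWARD rules, which is useful in itself: the rule pairing is consistent, so the post-reboot failure has to be looked for elsewhere (kernel forwarding and NAT state rather than the rule text).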


