Hi Davis,

Are the packet counters on any of the NAT rules incrementing? Try running:

    watch -d -n 1 iptables -L -vnt nat

Then try making connections to the webserver from outside your network. You should see the packet counters increasing when you make the connection.

Also, it doesn't look like you are dropping packets anywhere in your firewall (other than those INPUT rules). Usually, you set the filter::INPUT and FORWARD policies to DROP and use rules in those chains to allow traffic that meets your security requirements. Set policies with the command:

    iptables -P INPUT DROP
    iptables -P FORWARD DROP

Don't make this change yet! Figure out the DNAT problem first.

If the counters aren't increasing, try inserting a more generic rule like:

    iptables -t nat -A PREROUTING -d 1.1.1.25

(Notice no -j TARGET, it's just a packet counting rule.)

If that matches, make it more complex:

    iptables -t nat -A PREROUTING -d 1.1.1.25 -p tcp --dport 25

And so on...

Good Luck!
Matt

On 4/24/06, Davis Sylvester <dsylvesteriii@xxxxxxxxx> wrote:
> Greeting All:
>
> I have what I think is a simple firewall configuration. All our hosts
> reside on the internal side of our network and we punch holes to allow
> access to servers that provide internet-based content (i.e. Web servers,
> e-mail servers, and Database server).
>
> For some reason my firewall was working fine until a reboot and now none
> of the DNAT is working. The most important thing is that the e-mail
> server is not receiving mail; it sends just fine. Also no one can access
> squirrel mail; again, it works fine internally.
>
> Here is my configuration; any help is appreciated. Thanks in advance,
> IPTABLES Gurus.
>
> ------------------------------------------------------
> # Generated by iptables-save v1.3.4 on Sat Apr 8 02:03:03 2006
> *raw
> :PREROUTING ACCEPT [69187:15784837]
> :OUTPUT ACCEPT [46891:5730774]
> COMMIT
> # Completed on Sat Apr 8 02:03:03 2006
> # Generated by iptables-save v1.3.4 on Sat Apr 8 02:03:03 2006
> *nat
> :PREROUTING ACCEPT [6384:872118]
> :POSTROUTING ACCEPT [156:10133]
> :OUTPUT ACCEPT [1681:126170]
> -A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 25 -j DNAT --to-destination 192.168.150.20
> -A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 110 -j DNAT --to-destination 192.168.150.20
> -A PREROUTING -d 1.1.1.25 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 143 -j DNAT --to-destination 192.168.150.20
> -A PREROUTING -d 1.1.1.200 -i eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 -j DNAT --to-destination 192.168.150.200
> -A POSTROUTING -o lo -j ACCEPT
> -A POSTROUTING -o eth1 -j MASQUERADE
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o eth0 -j ACCEPT
> COMMIT
> # Completed on Sat Apr 8 02:03:03 2006
> # Generated by iptables-save v1.3.4 on Sat Apr 8 02:03:03 2006
> *mangle
> :PREROUTING ACCEPT [69187:15784837]
> :INPUT ACCEPT [48202:5793791]
> :FORWARD ACCEPT [18360:9358860]
> :OUTPUT ACCEPT [46891:5730774]
> :POSTROUTING ACCEPT [65251:15089634]
> COMMIT
> # Completed on Sat Apr 8 02:03:03 2006
> # Generated by iptables-save v1.3.4 on Sat Apr 8 02:03:03 2006
> *filter
> :INPUT ACCEPT [5310:385325]
> :FORWARD ACCEPT [2955:564452]
> :OUTPUT ACCEPT [43086:5176570]
> :openvpn - [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i tun+ -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth0 -j ACCEPT
> -A INPUT -s 220.193.98.15 -j DROP
> -A INPUT -s 82.127.9.42 -j DROP
> -A INPUT -s 82.226.217.40 -j DROP
> -A INPUT -s 207.212.29.73 -j DROP
> -A INPUT -s 213.154.72.195 -j DROP
> -A INPUT -s 221.169.125.102 -j DROP
> -A INPUT -s 218.202.223.238 -j DROP
> -A INPUT -s 213.175.92.222 -j DROP
> -A INPUT -s 210.228.173.152 -j DROP
> -A INPUT -s 219.0.0.0/255.0.0.0 -j DROP
> -A INPUT -s 220.0.0.0/255.0.0.0 -j DROP
> -A INPUT -s 221.0.0.0/255.0.0.0 -j DROP
> -A INPUT -s 210.0.0.0/255.0.0.0 -j DROP
> -A INPUT -s 211.0.0.0/255.0.0.0 -j DROP
> -A INPUT -s 200.0.0.0/255.0.0.0 -j DROP
> -A INPUT -s 218.0.0.0/255.0.0.0 -j DROP
> -A FORWARD -i tun0 -j openvpn
> -A FORWARD -i eth0 -j ACCEPT
> -A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT
> -A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 110 -m state --state NEW -j ACCEPT
> -A FORWARD -d 192.168.150.20 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 143 -m state --state NEW -j ACCEPT
> -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -d 192.168.150.200 -i eth1 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -o eth0 -j ACCEPT
> COMMIT
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
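The counter-based diagnosis Matt describes above, scripted as an added example (this is editor-supplied code, not from Matt's or Davis's messages). It generalises his one-rule-at-a-time approach: it builds the whole ladder of match-only probe rules at once, each rung adding one term of the original DNAT rule, and diffs two `iptables -L PREROUTING -vn -t nat --line-numbers` snapshots taken before and after a test connection, so the first rung that does not increment names the match term that fails. Two departures from the reply are deliberate: rungs are inserted at the top of nat PREROUTING with `-I` rather than appended with `-A`, because once a DNAT rule claims a connection no later nat rule is consulted, and the script only prints the `iptables` commands (running them needs root) while the counter diff runs on captured listing text. The snapshots below are constructed for the example, not captured from Davis's firewall, and the script assumes POSIX sh, awk, mktemp and the column layout of that listing. Remember that nat-table rules only see the first packet of each connection, so each fresh connection moves a counter by one.

```shell
#!/bin/sh
# Added example, not code from the original thread. Scripts the
# counter-based DNAT diagnosis: a ladder of match-only probe rules (no -j
# target) from most generic to most specific, plus a diff of two
# `iptables -L PREROUTING -vn -t nat --line-numbers` snapshots. Assumes
# POSIX sh, awk, mktemp and that listing's column layout
# (num pkts bytes target prot opt in out source destination ...).
set -u

# One match spec per line; each rung adds one term of Davis's DNAT rule
# (-d 1.1.1.25 -i eth1 -p tcp --sport 1024:65535 --dport 25). Probe rules
# never terminate, so with all rungs loaded one test connection shows the
# first term that fails to match.
ladder_specs() {
    addr=$1 port=$2 ifc=$3
    printf '%s\n' "-d $addr"
    printf '%s\n' "-d $addr -p tcp --dport $port"
    printf '%s\n' "-d $addr -p tcp --dport $port -i $ifc"
    printf '%s\n' "-d $addr -p tcp --dport $port -i $ifc --sport 1024:65535"
}

# Print (do not run) the iptables commands that load or remove the ladder.
# $1 = add|del, $2 = public address, $3 = TCP port, $4 = external interface.
# Rungs go to the top of nat PREROUTING (-I) so they still count
# connections that an existing DNAT rule has already claimed.
ladder_commands() {
    mode=$1
    n=1
    ladder_specs "$2" "$3" "$4" | while IFS= read -r spec; do
        if [ "$mode" = add ]; then
            printf 'iptables -t nat -I PREROUTING %d %s\n' "$n" "$spec"
        else
            printf 'iptables -t nat -D PREROUTING %s\n' "$spec"
        fi
        n=$((n + 1))
    done
}

# Report rules whose pkts counter changed between two listing snapshots.
# $1 = listing before the test connection, $2 = listing after. Prints
# "rule N: before -> after pkts" per changed rule (N as shown by
# --line-numbers); prints nothing when no counter moved. A rule absent
# from the first snapshot is reported with an empty "before" value.
counter_delta() {
    before=$(mktemp) after=$(mktemp)
    printf '%s\n' "$1" >"$before"
    printf '%s\n' "$2" >"$after"
    awk 'FNR == NR { if ($1 ~ /^[0-9]+$/) pkts[$1] = $2; next }
         $1 ~ /^[0-9]+$/ && $2 != pkts[$1] {
             printf "rule %s: %s -> %s pkts\n", $1, pkts[$1], $2 }' \
        "$before" "$after"
    rm -f "$before" "$after"
}

# Constructed snapshots (not captured from Davis's box): the first ladder
# rung at position 1 plus two of the real DNAT rules, before and after three
# SMTP test connections from outside. nat PREROUTING only sees the first
# packet of each connection, so three connections move a counter by three.
SNAP_BEFORE='Chain PREROUTING (policy ACCEPT 6384 packets, 872118 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0            all  --  *      *       0.0.0.0/0            1.1.1.25
2        0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:25 to:192.168.150.20
3        0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:110 to:192.168.150.20'
SNAP_AFTER='Chain PREROUTING (policy ACCEPT 6387 packets, 872298 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        3   180            all  --  *      *       0.0.0.0/0            1.1.1.25
2        0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:25 to:192.168.150.20
3        0     0 DNAT       tcp  --  eth1   *       0.0.0.0/0            1.1.1.25             tcp spts:1024:65535 dpt:110 to:192.168.150.20'

# Demo: the -d-only rung counts while the DNAT rules stay at zero, so the
# packets do reach the box and a later match term (-i, -p, ports) is what
# fails. Load the remaining rungs to see which one.
ladder_commands add 1.1.1.25 25 eth1
counter_delta "$SNAP_BEFORE" "$SNAP_AFTER"
```

To use it on a live box, run the printed `add` commands as root, take one listing, make a single fresh connection from outside, take a second listing, feed both to `counter_delta`, then run the `del` commands to remove the probe rules. Because the rungs never terminate, a connection that matches rung 4 also matches rungs 1 to 3; the interesting result is the first rung whose counter stays still.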