On Fri, Mar 25, 2011 at 16:05, cc <cc@xxxxxxxx> wrote:
> Hi,
>
> I have a netfilter-based firewall running and recently its behaviour
> has been very puzzling (to the point of suspicious). However, this
> can also be attributed to user error.
>
> Please correct me if I'm wrong here.
>
> I have a filter that forwards (via NAT prerouting) SMTP packets
> to my e-mail server behind the firewall. Here are the
> following rules:
>
> $IPT -t nat -A PREROUTING -p tcp -i $INET_IF -d $INET_IP \
>           --dport $SMTP -j DNAT --to $DMZ_EM:$SMTP
> $IPT -t nat -A PREROUTING -p tcp -i $DMZ_IF -d $INET_IP \
>           --dport $SMTP -j DNAT --to $DMZ_EM:$SMTP
>
> $IPT -t nat -A PREROUTING -p tcp -i $DMZ_IF -d $INET_IP \
>           -s $LAN_NET --dport $SMTP -j DNAT --to $DMZ_EM:$SMTP
>
> These rules are the only ones that have anything to do with
> SMTP port forwarding, and they don't include SNAT, as is
> obvious from the rules. If you can bear with me for a bit.
>
> Now, theoretically speaking, if I comment out the above lines,
> NONE of the SMTP traffic will be going anywhere, am I correct?
> SMTP traffic from LAN to DMZ should not be affected.
> My setup is this. It's a 2.4.x based netfilter firewall.
> (distribution is Slackware).
>
> Now here's where I need a bit of clarification and/or
> explanation. What happens is the following.
>
> If I comment out the aforementioned rules, the SMTP traffic
> still finds its way to the DMZ_EM machine. (I'm a bit stumped here.)
>
> If I reset the firewall by flushing the rules, the SMTP traffic
> still finds its way to the DMZ_EM machine.
>

From INET or from LAN?

> When I run iptables, is it supposed to 'insmod' ip_tables, etc
> to the modules list? Even if it's compiled into the kernel?
>

I don't think so. IMO if the modules are compiled into the kernel, iptables will not load them. But I'm not a developer, though. I *could* be wrong.

> Any clarifications appreciated.
>
> Ed

Rgds,
--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
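The two checks this thread circles around, as an added shell example that is not part of either list message: whether any DNAT rule for the SMTP port is still present in the nat table after the rules were commented out or flushed, and whether ip_tables is registered as a loaded module or built into the kernel. It assumes the classic /proc/net/ip_tables_names file alongside /proc/modules; the iptables-save output and module listing in demo() are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Both functions read snapshots (stdin or
# files) so they can be run against saved output as well as the live box.

# Count nat-table DNAT rules for a destination port.
# $1 = port, stdin = output of "iptables-save -t nat"
count_dnat_rules() {
    n=$(grep -c -- "--dport $1 .*-j DNAT" || true)   # grep -c prints 0 but exits 1 on no match
    echo "${n:-0}"
}

# Report ip_tables state: "module", "builtin" or "absent".
# $1 = /proc/modules snapshot, $2 = /proc/net/ip_tables_names snapshot
ip_tables_state() {
    if [ ! -s "$2" ]; then
        echo absent       # ip_tables never registered a table, so it is not present at all
    elif grep -q '^ip_tables ' "$1" 2>/dev/null; then
        echo module       # registered and listed in /proc/modules: loaded as a module
    else
        echo builtin      # registered but not a module: compiled into the kernel
    fi
}

demo() {
    # Constructed iptables-save output resembling the quoted rules, before they
    # were commented out (interfaces, addresses and ports are placeholders).
    rules='*nat
-A PREROUTING -i eth0 -d 203.0.113.10/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.1.5:25
-A PREROUTING -i eth1 -d 203.0.113.10/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.1.5:25
COMMIT'
    printf '%s\n' "$rules" | count_dnat_rules 25                 # 2: rules still active
    printf '%s\n' "$rules" | grep -v DNAT | count_dnat_rules 25  # 0: after the flush

    mods=$(mktemp); names=$(mktemp)
    printf 'iptable_nat 12345 1 - Live 0x0\nip_tables 23456 2 iptable_nat, Live 0x0\n' > "$mods"
    printf 'nat\nfilter\n' > "$names"
    ip_tables_state "$mods" "$names"     # module
    : > "$mods"
    ip_tables_state "$mods" "$names"     # builtin: tables registered, nothing in /proc/modules
    rm -f "$mods" "$names"
}
```

On the firewall itself, feed count_dnat_rules the real `iptables-save -t nat` output: if it reports 0 and SMTP still reaches DMZ_EM, the forwarding is not coming from those rules, and the connection tracking table is the next place to look.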