On Fri, 2011-03-25 at 17:05 +0800, cc wrote:
> I have a filter that forwards (via NAT prerouting) SMTP packets
> to my e-mail server behind the firewall. Here are the
> following rules:
>
> $IPT -t nat -A PREROUTING -p tcp -i $INET_IF -d $INET_IP \
>     --dport $SMTP -j DNAT --to $DMZ_EM:$SMTP
> $IPT -t nat -A PREROUTING -p tcp -i $DMZ_IF -d $INET_IP \
>     --dport $SMTP -j DNAT --to $DMZ_EM:$SMTP
>
> $IPT -t nat -A PREROUTING -p tcp -i $DMZ_IF -d $INET_IP \
>     -s $LAN_NET --dport $SMTP -j DNAT --to $DMZ_EM:$SMTP
>
> These rules are the only ones that have anything to do with
> SMTP port forwarding, and they don't include SNAT, as is
> obvious from the rules. If you can bear with me for a bit.
>
> Now theoretically speaking, if I comment out the above lines,
> NONE of the SMTP traffic will be going anywhere, am I correct?

Well, it depends on whether you've got any other routing set up.

Are you sure that the clients are using the firewall's IP address, and
not the IP address of DMZ_EM? If they are using the latter, and you have
ip_forward enabled, then the packets can be forwarded with no involvement
of iptables.

It would be worth changing the target of the above rules to LOG to see
if the packets are matching them.

Andy

--
To unsubscribe from this list: send the line "unsubscribe netfilter"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
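The LOG check Andy suggests, as an added example that is not part of the original thread: rather than replacing the DNAT targets, a LOG rule with the same match is inserted ahead of each DNAT rule in nat PREROUTING, so a matching packet leaves a kernel-log line and is then still translated. The interface names, addresses and `--log-prefix` strings are constructed placeholders; `DRY_RUN` (on by default) prints the iptables commands instead of executing them so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Variable values below are
# constructed placeholders; override them from the environment.
INET_IF=${INET_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth1}
INET_IP=${INET_IP:-203.0.113.10}
DMZ_EM=${DMZ_EM:-192.168.100.25}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SMTP=${SMTP:-25}

# DRY_RUN=1 (default) echoes each command; DRY_RUN=0 executes it.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$@"; else "$@"; fi
}

# Insert one LOG rule at the head of nat PREROUTING with the same match as
# the corresponding DNAT rule, so it fires before the packet is translated.
# The limit match keeps a busy mail server from flooding the kernel log.
#   $1 = inbound interface, $2 = optional source network ("" for none),
#   $3 = log prefix to grep for in the kernel log
smtp_log_rule() {
    src=""
    [ -n "$2" ] && src="-s $2"
    # shellcheck disable=SC2086
    run iptables -t nat -I PREROUTING 1 -p tcp -i "$1" -d "$INET_IP" $src \
        --dport "$SMTP" -m limit --limit 5/min -j LOG --log-prefix "$3"
}

# One LOG rule per DNAT rule quoted in the thread.
install_smtp_log_rules() {
    smtp_log_rule "$INET_IF" ""         "SMTP-DNAT-INET: "
    smtp_log_rule "$DMZ_IF"  ""         "SMTP-DNAT-DMZ: "
    smtp_log_rule "$DMZ_IF"  "$LAN_NET" "SMTP-DNAT-LAN: "
}

# If no LOG line ever appears, check the per-rule packet counters and whether
# plain routing (ip_forward) could be carrying the traffic around the rules.
show_checks() {
    run iptables -t nat -L PREROUTING -v -n --line-numbers
    run cat /proc/sys/net/ipv4/ip_forward
}
```

Run it with `DRY_RUN=0` as root to install the rules, then watch `dmesg` or the kernel log for the `SMTP-DNAT-*` prefixes. A rule whose counter in `iptables -t nat -L PREROUTING -v -n` stays at zero while mail still arrives is the sign that clients are reaching `$DMZ_EM` directly over a forwarded route rather than through the DNAT.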