iptables trouble

[Luke]

Hi All,

Trying to get my firewall to route smtp to an internal mail server.


10.0(eth1) 192.168.x.x (external eth0)
| |
| |
---------------------
|
Network
|
10.0.x.x Mail server

iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE

/etc/sysctrl net.ipv4.ip_forward= 1

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to
10.0.x.x:25

The above allows all clients to share the internet connection + mail is
forwarded to the mail server 10.0.x.x

However no mail can be sent. Unless i drop the DNAT rule set. Everything
else is set to ACCEPT. So there must be some sort of loop happening.

I have tried lots of different FORWARD & OUTPUT rules but none that have
worked as yet. Has anyone an idea of a rule that will route mail out or a
better syntax for my DNAT rule that will not cause outgoing to queue.

Regards,

Luke

[Wolfgang Fischer]

On Wed, 03 Sep 2003 19:21:18 +0100, Luke wrote:

> Hi All,
>
> Trying to get my firewall to route smtp to an internal mail server.
>
>
> 10.0(eth1) 192.168.x.x (external eth0)
> | |
> | |
> ---------------------
> |
> Network
> |
> 10.0.x.x Mail server
>
> iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
>
> /etc/sysctrl net.ipv4.ip_forward= 1
>
> iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to
> 10.0.x.x:25

This rule belongs to OUTPUT, not to PREROUTING. As -i isn't possible in
OUTPUT, you have to use -s (source address) instead.

>
> The above allows all clients to share the internet connection + mail is
> forwarded to the mail server 10.0.x.x
>
> However no mail can be sent. Unless i drop the DNAT rule set. Everything
> else is set to ACCEPT. So there must be some sort of loop happening.
>
> I have tried lots of different FORWARD & OUTPUT rules but none that have
> worked as yet. Has anyone an idea of a rule that will route mail out or a
> better syntax for my DNAT rule that will not cause outgoing to queue.
>
> Regards,
>
> Luke