Hi, I read this on the netfilter ml & I'm interested in exactly this, too.
> However, are you *sure* this is what you want to do ?
>
> I would have it more likely you would want to have a FORWARDing rule which
> allows packets to --dport 25 and --dport 110, and then the POSTROUTING rule
> is used to MASQUERADE everything allowed out of the machine (which, if the
> FORWARD chain has a default policy of DROP, will only be POP3 and SMTP
> packets).
>
> It just seems an odd way to do it, to only MASQUERADE certain packets,
> without stopping any others from actually going out of the machine
> unMASQUERADEd...?

Is it right that I only need two entries in the FORWARD chain then? Something like

    iptables -A FORWARD -p tcp --dport 110 -o ppp0 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 25 -o ppp0 -j ACCEPT

???

My MASQUERADING & FORWARD chains then look like this:

    zeus:/usr/local/httpd/htdocs # iptables -L FORWARD
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
    ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp

    zeus:/usr/local/httpd/htdocs # iptables -t nat -L POSTROUTING
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE all  --  anywhere             anywhere

If I telnet from a machine in the network into a pop3 server that listens on port 110, I don't get any response... If I do the same thing from the firewall box, the server responds properly...

I would be very thankful for any hints (the users are about to strangle me).

Cheers,
Raimund
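Added example, not from Raimund's post or from the quoted reply: a complete ruleset for the setup described above, as a POSIX shell script. With the FORWARD policy at DROP, the two ACCEPT rules in the post only cover the LAN-to-ppp0 direction; the mail server's replies also traverse FORWARD, coming back in on ppp0, so without a rule that accepts ESTABLISHED,RELATED traffic the SYN leaves and the SYN/ACK is dropped, which is exactly the "no response" symptom from inside the network while the firewall box itself works. The internal interface eth0 and the LAN range 192.168.1.0/24 are assumptions (placeholders); pass `apply` to install the rules, anything else prints what would be run.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed topology: LAN on
# eth0 (192.168.1.0/24), dial-up uplink on ppp0. All three are placeholders.
IPT="${IPT:-iptables}"   # set IPT=echo to list rules instead of applying them
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the full ruleset. Every rule is one "$IPT" call, so with IPT=echo the
# function prints exactly the commands it would otherwise execute.
apply_rules() {
    # Start from a clean slate: flush both chains, default-deny forwarding.
    "$IPT" -F FORWARD
    "$IPT" -t nat -F POSTROUTING
    "$IPT" -P FORWARD DROP

    # Return traffic for connections the LAN opened. Without this the
    # three-way handshake never completes: SYN goes out, SYN/ACK is dropped.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New outbound connections: only POP3 and SMTP, only from the LAN range,
    # only towards the uplink (so a spoofed source on ppp0 cannot match).
    for port in 110 25; do
        "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Masquerade whatever FORWARD let through, on the uplink interface only.
    "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Self-check helpers: render the ruleset with echo instead of iptables.
render_rules() {
    ( IPT=echo; apply_rules )
}

# Number of FORWARD rules that accept return traffic (expected: 1).
count_state_rules() {
    render_rules | grep -c 'ESTABLISHED,RELATED'
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    echo "Dry run (pass 'apply' to install). Rules that would be applied:"
    render_rules
fi
```

The NEW/ESTABLISHED split is the point: the ACCEPT for ports 25 and 110 matches only the packets that open a connection, and a single state rule carries the replies for every allowed connection, so adding a third permitted service later means one more NEW rule and nothing else. Binding the MASQUERADE rule to the uplink interface and the LAN source range keeps it from rewriting anything the FORWARD chain did not explicitly allow.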
