On Wednesday 10 April 2002 9:57 am, Raimund E. A. Eimann wrote:
> Hi,
>
> I read this on the netfilter ml & I'm interested in exactly this, too.
>
> > I would have it more likely you would want to have a FORWARDing rule
> > which allows packets to --dport 25 and --dport 110, and then the
> > POSTROUTING rule is used to MASQUERADE everything allowed out of the
> > machine (which, if the FORWARD chain has a default policy of DROP, will
> > only be POP3 and SMTP packets).
>
> Is it right that I only need two entries in the FORWARD chain then?:
>
> iptables -A FORWARD -p tcp --dport 110 -o ppp0 -j ACCEPT
> iptables -A FORWARD -p tcp --dport 25 -o ppp0 -j ACCEPT
>
> My MASQUERADING & FORWARD chains then look like this:
>
> zeus:/usr/local/httpd/htdocs # iptables -L FORWARD
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
>
> zeus:/usr/local/httpd/htdocs # iptables -t nat -L POSTROUTING
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE all  --  anywhere             anywhere
>
> If I telnet from a machine in the network into a pop3 server that listens
> on port 110, I don't get any response... if I do the same thing from the
> firewall box the server responds properly...
You also need a rule in the FORWARD chain to allow the responses back through the box - the rules you've got will allow the request to port 110 on some remote server, but won't let the response packets back in again. Try:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

(By the way, the reverse address translation is handled automatically for you, so you don't need to add any mirror-image rules to the NAT tables for that.)

Antony.
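The following script is an added example, not part of either message in this thread. It checks an iptables-save style dump for the exact problem Antony describes (a FORWARD chain with policy DROP that lets requests out but has no ESTABLISHED,RELATED rule to let the replies back in) and prints a corrected ruleset in iptables-restore format. The dump embedded in it is constructed to mirror Raimund's configuration; the interface name ppp0 comes from his rules, and restricting MASQUERADE to `-o ppp0` is an assumption added here to keep the NAT rule from matching traffic that never leaves over the dial-up link.

```shell
#!/bin/sh
# Added example: audit a saved ruleset for a FORWARD chain that drops
# replies, and emit a corrected ruleset. Not from the original thread.

# Constructed iptables-save output mirroring the poster's configuration
# (FORWARD policy DROP, outbound 110/25 allowed, no state rule).
BROKEN_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o ppp0 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -o ppp0 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT'

# has_reply_rule DUMP: succeed if FORWARD contains an ACCEPT rule for
# ESTABLISHED connections, written with either the state or conntrack match.
has_reply_rule() {
    printf '%s\n' "$1" \
      | grep -E '^-A FORWARD .*-m (state --state|conntrack --ctstate) [A-Z,]*ESTABLISHED' \
      | grep -q -- '-j ACCEPT'
}

# forward_policy DUMP: print the policy of the FORWARD chain (e.g. DROP).
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# audit_forward DUMP: return 0 if replies can get back through the box,
# 1 if the default policy will drop them.
audit_forward() {
    if [ "$(forward_policy "$1")" = DROP ] && ! has_reply_rule "$1"; then
        echo "FORWARD policy is DROP and there is no ESTABLISHED,RELATED rule: replies will be dropped" >&2
        return 1
    fi
    return 0
}

# fixed_ruleset: print a corrected ruleset for iptables-restore.
fixed_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the firewall already tracks. Conntrack also undoes
# the MASQUERADE address change on these, so no mirror NAT rule is needed.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New outbound connections from the LAN, only to the two mail ports.
-A FORWARD -o ppp0 -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
-A FORWARD -o ppp0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Assumption added here: masquerade only what leaves via the dial-up link.
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
EOF
}

# Demonstration: the constructed dump fails the audit, the fixed one passes.
if audit_forward "$BROKEN_DUMP" 2>/dev/null; then
    echo "constructed ruleset: ok"
else
    echo "constructed ruleset: replies would be dropped"
fi
audit_forward "$(fixed_ruleset)" && echo "fixed ruleset: ok"
```

To apply the corrected ruleset on a real box you would pipe `fixed_ruleset` into `iptables-restore` as root; the audit functions work on any `iptables-save` output, so they can also be pointed at a dump taken from the firewall itself.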
