On Wednesday 10 April 2002 22:04, you wrote:
> On Wednesday 10 April 2002 9:57 am, Raimund E. A. Eimann wrote:
> > Hi,
> >
> > I read this on the netfilter ml & I'm interested in exactly this, too.
> >
> > > I would have it more likely you would want to have a FORWARDing rule
> > > which allows packets to --dport 25 and --dport 110, and then the
> > > POSTROUTING rule is used to MASQUERADE everything allowed out of the
> > > machine (which, if the FORWARD chain has a default policy of DROP, will
> > > only be POP3 and SMTP packets).
> >
> > Is it right that I only need two entries in the FORWARD chain then?:
> >
> > iptables -A FORWARD -p tcp --dport 110 -o ppp0 -j ACCEPT
> > iptables -A FORWARD -p tcp --dport 25 -o ppp0 -j ACCEPT
> >
> > My MASQUERADING & FORWARD chains then look like this:
> >
> > zeus:/usr/local/httpd/htdocs # iptables -L FORWARD
> > Chain FORWARD (policy DROP)
> > target     prot opt source      destination
> > ACCEPT     tcp  --  anywhere    anywhere     tcp dpt:pop3
> > ACCEPT     tcp  --  anywhere    anywhere     tcp dpt:smtp
> >
> > zeus:/usr/local/httpd/htdocs # iptables -t nat -L POSTROUTING
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source      destination
> > MASQUERADE all  --  anywhere    anywhere
> >
> > If I telnet from a machine in the network into a pop3 server that listens
> > on port 110, I don't get any response... if I do the same thing from the
> > firewall box the server responds properly...
>
> You also need a rule in the FORWARD chain to allow the responses back
> through the box - the rules you've got will allow the request to port 110
> on some remote server, but won't let the response packets back in again.
>
> Try:
>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Thanks, unfortunately still no success. Might there be something fundamental
going wrong? What would be the simplest (and probably most insecure) ruleset?
I could try to use that and work my way back step by step to a secure system.

Cheers,
Raimund

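The "simplest ruleset" asked for above, as an added example that is not part of the thread and not anyone's posted configuration: a script that installs either a wide-open masquerading ruleset (for bisecting) or the stateful SMTP/POP3-only ruleset the thread converges on, and prints the two things a practitioner checks before blaming the rules at all, namely whether the kernel has forwarding switched on and whether connection tracking is loaded (the `-m state` match is useless without it). The internal interface name `eth0`, the `IPT` variable and the exact port list are assumptions; `ppp0` and ports 25/110 are taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread.
# IPT, LAN_IF and WAN_IF are assumptions; override them in the environment.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth0}"    # assumed internal (LAN) interface
WAN_IF="${WAN_IF:-ppp0}"    # uplink, as in the thread
ALLOWED_TCP_PORTS="25 110"  # smtp and pop3, as in the thread

# Forwarding is off by default; no FORWARD rule helps while this reads 0.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Stateful, locked-down variant: returns 0 only if every $IPT call succeeded.
apply_rules() {
    $IPT -F FORWARD                 || return 1
    $IPT -t nat -F POSTROUTING      || return 1
    $IPT -P FORWARD DROP            || return 1
    # Replies (and related traffic such as ICMP errors) back into the LAN.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    # New connections only from the LAN towards the uplink, only to allowed ports.
    for port in $ALLOWED_TCP_PORTS; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport "$port" \
             -m state --state NEW -j ACCEPT || return 1
    done
    # Rewrite the source address of whatever FORWARD accepted towards the uplink.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE || return 1
}

# Wide-open variant for bisecting: same plumbing, no filtering at all.
apply_open_rules() {
    $IPT -F FORWARD                                        || return 1
    $IPT -t nat -F POSTROUTING                             || return 1
    $IPT -P FORWARD ACCEPT                                 || return 1
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE  || return 1
}

# What to look at when a client gets no answer while the box itself does.
show_checks() {
    echo "ip_forward: $(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown)"
    if [ -r /proc/net/ip_conntrack ] || [ -r /proc/net/nf_conntrack ]; then
        echo "conntrack:  loaded"
    else
        echo "conntrack:  missing (-m state cannot match anything)"
    fi
    # -v shows packet counters: a rule with 0 hits never saw the traffic.
    $IPT -L FORWARD -v -n
    $IPT -t nat -L POSTROUTING -v -n
}

case "${1:-}" in
    apply) enable_forwarding && apply_rules && show_checks ;;
    open)  enable_forwarding && apply_open_rules && show_checks ;;
    check) show_checks ;;
    *)     echo "usage: $0 apply|open|check" >&2 ;;
esac
```

Run `sh nat.sh open` first; if a LAN client still gets no POP3 banner with the FORWARD policy at ACCEPT, the problem is outside the rules (ip_forward at 0, the client's default route not pointing at the box, or no route back). Once that works, `sh nat.sh apply` switches to the stateful, ports-only set, and `sh nat.sh check` shows whether the counters on the port rules and the ESTABLISHED,RELATED rule are climbing as packets go out and answers come back.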