Interesting iptables
The two sets of rules below seem to provide the same functionality, with
the exception that with the second ruleset 192.168.1.2 times out on
connections to some, but only some, external hosts on port 25. What could
cause this? How can it be fixed? What is the difference between the two
approaches?
kernel = 2.4.20
firewall = 192.168.1.1
firewall ruleset1
==========
$PROG -t nat -A POSTROUTING -p tcp -o $NIC_EXTERNAL \
--dport 25 -s 192.168.1.2 -j MASQUERADE
firewall ruleset2
==========
$PROG -t nat -A POSTROUTING -p tcp \
-o $NIC_EXTERNAL \
--dport smtp -s 192.168.1.2 \
-j SNAT --to-source $IP:25
$PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
-s 0/0 --dport smtp \
-j DNAT --to-destination 192.168.1.2:25
$PROG -t mangle -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
-o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport smtp \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$PROG -t mangle -A FORWARD -i $NIC_INTERNAL -s 192.168.1.2 \
-o $NIC_EXTERNAL -d 0/0 -p tcp \
-m state --state ESTABLISHED,RELATED -j ACCEPT
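The behaviour that distinguishes the two rulesets, as an added model that is not code from the original post and not kernel code: ruleset 2's `--to-source $IP:25` narrows the NAT source-port range to the single port 25, so netfilter can track only one connection per external host and port and drops the first packet of any second one (including a retry while the previous connection is still in conntrack's TIME_WAIT timeout), whereas ruleset 1 (MASQUERADE, or SNAT without a port) may pick any free port. The firewall and mail-exchanger addresses are constructed placeholders, and the port selection is a simplified model of netfilter's unique-tuple search.

```python
"""Simplified model of how netfilter chooses a unique source tuple for an
SNAT/MASQUERADE mapping (constructed example, not the kernel's code).

A new mapping is accepted only if (nat_src_ip, nat_src_port, dst_ip, dst_port)
is not already tracked; with an explicit port range it may only try ports
inside that range, and gives up (packet dropped) when none is free."""

from dataclasses import dataclass, field
from itertools import chain

FIREWALL_IP = "203.0.113.1"  # constructed placeholder for $IP


@dataclass
class NatTable:
    # Tracked NATed tuples: (nat_src_ip, nat_src_port, dst_ip, dst_port)
    used: set = field(default_factory=set)

    def snat(self, dst_ip, dst_port, orig_sport, port_range=None):
        """Return the source port chosen for a new connection, or None when
        no unique tuple exists (netfilter drops the packet in that case)."""
        if port_range is None:
            # No port given (MASQUERADE / plain --to-source): keep the original
            # port when free, otherwise walk the other ports (simplified to
            # the unprivileged range here).
            candidates = chain([orig_sport],
                               (p for p in range(1024, 65536) if p != orig_sport))
        else:
            lo, hi = port_range  # --to-source $IP:25 means lo == hi == 25
            candidates = range(lo, hi + 1)
        for sport in candidates:
            key = (FIREWALL_IP, sport, dst_ip, dst_port)
            if key not in self.used:
                self.used.add(key)
                return sport
        return None


def deliveries(port_range):
    """Two overlapping SMTP connections from 192.168.1.2 to one MX, then one
    to a different MX. Returns the chosen source ports (None = dropped)."""
    table = NatTable()
    return [
        table.snat("198.51.100.10", 25, 40001, port_range),  # first MX
        table.snat("198.51.100.10", 25, 40002, port_range),  # same MX again
        table.snat("198.51.100.20", 25, 40003, port_range),  # different MX
    ]
```

Removing the `:25` from the SNAT rule (plain `--to-source $IP`) gives ruleset 2 the same port behaviour as ruleset 1 while keeping the fixed source address.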