
Re: iptables NAT entry times out but connects from firewall



versions
	debian sarge
	kernel 2.4.20
	ecn is off = 0

what do you mean "cut" the external nic?

before I send out the entire ruleset and sysctl -a, anyone care to comment on the wisdom of doing this?

Thiago Rondon wrote:
We need more things to say something.

But check if your $NIC_EXTERNAL is correct. (Try to cut that,
and test.)

Do you have any other rules?

Another thing, what version of kernel do you use? At 2.4.20
tcp_ecn is now set to 1, and some SMTP servers (Linux) have
problems connecting to Exchange servers that don't support ECN in TCP, and the packets are ignored.

Try: echo 0 > /proc/sys/net/ipv4/tcp_ecn

If that doesn't work, please give us your kernel IP routing table,
all your rules, and a sysctl -a.

-Thiago Rondon

On Mon, Apr 28, 2003 at 10:27:42PM -0500, Hanasaki JiJi wrote:

There is a firewall with two NICs and the below rule to allow an
internal host to connect out to smtp servers on the internet.  Some
hosts have a connection timeout on a connect from $INTERNAL_IP_OF_SMTP
yet connect from the firewall just fine.

iptables -t nat -A POSTROUTING -p tcp -o $NIC_EXTERNAL \
      --dport 25 -s $INTERNAL_IP_OF_SMTP -j MASQUERADE

ex:
on firewall:
	telnet csoc-mail-msfc.csoconline.com 25
	
	above connects ok

on $INTERNAL_IP_OF_SMTP
	telnet csoc-mail-msfc.csoconline.com 25

	connection times out







--
=================================================================
= Management is doing things right; leadership is doing the     =
=       right things.    - Peter Drucker                        =
=_______________________________________________________________=
=     http://www.sun.com/service/sunps/jdc/javacenter.pdf       =
=  www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone  =
=================================================================
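The thread asks for the ruleset and sysctl -a before anyone can say more. The script below is an added example, not code from the thread or from Debian: it audits a `sysctl -a` dump and an `iptables-save -t nat` dump for the three things that would let the firewall itself reach port 25 while the masqueraded internal host times out (ip_forward off, tcp_ecn on, or a POSTROUTING MASQUERADE rule that does not match the host, interface or port). The interface name, the internal address and both dumps are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Audit constructed sysctl/iptables-save
# dumps for the usual causes of "firewall connects, masqueraded host times out".
NIC_EXTERNAL="eth0"                 # assumed external interface
INTERNAL_IP_OF_SMTP="192.168.1.10"  # assumed address of the internal SMTP host

# Constructed dumps reproducing the symptom: forwarding off, ECN on, and the
# MASQUERADE rule bound to the wrong outgoing interface.
SYSCTL_BAD='net.ipv4.ip_forward = 0
net.ipv4.tcp_ecn = 1'
NAT_BAD='*nat
-A POSTROUTING -s 192.168.1.10/32 -o eth1 -p tcp -m tcp --dport 25 -j MASQUERADE
COMMIT'
# Constructed dumps for the corrected configuration.
SYSCTL_OK='net.ipv4.ip_forward = 1
net.ipv4.tcp_ecn = 0'
NAT_OK='*nat
-A POSTROUTING -s 192.168.1.10/32 -o eth0 -p tcp -m tcp --dport 25 -j MASQUERADE
COMMIT'

# sysctl_value KEY DUMP: print the value of KEY from a `sysctl -a` dump
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k { print $3; exit }'
}

# masq_rule_ok DUMP: succeed if a POSTROUTING MASQUERADE rule matches the
# SMTP host (with or without a /32 mask), the external interface and tcp/25
masq_rule_ok() {
    printf '%s\n' "$1" | grep -- '^-A POSTROUTING ' | grep -- '-j MASQUERADE' \
        | grep -E -- "-s $INTERNAL_IP_OF_SMTP(/32)? " \
        | grep -E -- "-o $NIC_EXTERNAL " | grep -Eq -- '--dport 25( |$)'
}

# audit SYSCTL_DUMP NAT_DUMP: print one finding per line; return the count
audit() {
    n=0
    [ "$(sysctl_value net.ipv4.ip_forward "$1")" = "1" ] \
        || { echo "ip_forward=0: the firewall will not forward the SMTP host's packets"; n=$((n+1)); }
    # tcp_ecn only affects connections this kernel originates, so the same
    # check belongs on the internal SMTP host, which initiates the connection
    [ "$(sysctl_value net.ipv4.tcp_ecn "$1")" = "0" ] \
        || { echo "tcp_ecn=1: peers that drop ECN SYNs will time out"; n=$((n+1)); }
    masq_rule_ok "$2" \
        || { echo "no POSTROUTING MASQUERADE for $INTERNAL_IP_OF_SMTP out $NIC_EXTERNAL tcp/25"; n=$((n+1)); }
    return $n
}

audit "$SYSCTL_BAD" "$NAT_BAD" || echo "findings: $?"   # three findings
audit "$SYSCTL_OK" "$NAT_OK" || echo "findings: $?"     # none
```

On a real box replace the constructed strings with `"$(sysctl -a 2>/dev/null)"` and `"$(iptables-save -t nat)"`; a clean audit plus a FORWARD chain that accepts the host's traffic narrows the remaining suspects to the path beyond the firewall.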


