Re: iptables NAT entry times out but connects from firewall

To: Hanasaki JiJi <hanasaki@hanaden.com>
Cc: debian-firewall@lists.debian.org
Subject: Re: iptables NAT entry times out but connects from firewall
From: Thiago Rondon <thiago@ananke.com.br>
Date: Tue, 29 Apr 2003 22:16:07 -0300
Message-id: <[🔎] 20030430011607.GE5592@ananke.com.br>
In-reply-to: <[🔎] 3EAEC6AB.7070201@hanaden.com>
References: <[🔎] 3EADF12E.8030308@hanaden.com> <[🔎] 20030429134311.GB4403@ananke.com.br> <[🔎] 3EAEC6AB.7070201@hanaden.com>

iptables -t nat -A POSTROUTING -p tcp \
      --dport 25 -s $INTERNAL_IP_OF_SMTP -j MASQUERADE


On Tue, Apr 29, 2003 at 01:38:35PM -0500, Hanasaki JiJi wrote:
> versions
> 	debian sarge
> 	kernel 2.4.20
> 	ecn is off = 0
> 
> what do you mean "cut" the external nic?
> 
> before I send out the the entire ruleset and sysctl -a, anyone care to 
> comment on the wisdom of doing this?
> 
> Thiago Rondon wrote:
> >We need more things to say something.
> >
> >But, check if your $NIC_EXTERNAL is correctly. (Try to cut that,
> >and test).
> >
> >Are you have another rules ?
> >
> >Another thing, what version of kernel do you use? At 2.4.20
> >now tcp_ecn is set to 1, and some smtp servers (linux) have
> >problems to connect to exchange servers, that dont have 
> >support to ECN at TCP, and the packages are ignored.
> >
> >Try to, echo 0 > /proc/sys/net/ipv4/tcp_ecn.
> >
> >If its doesnt run, please give us, your kernel ip routing table,
> >all your rules, and a sysctl -a.
> >
> >-Thiago Rondon
> >
> >On Mon, Apr 28, 2003 at 10:27:42PM -0500, Hanasaki JiJi wrote:
> >
> >>There is a firewall with two NICs and the below rule to allow an
> >>internal host to connect out to smtp servers on the internet.  Some
> >>hosts have a connection timeout on a connect from $INTERNAL_IP_OF_SMTP
> >>yet connect from the firewall just fine.
> >>
> >>iptables -t nat -A POSTROUTING -p tcp -o $NIC_EXTERNAL \
> >>      --dport 25 -s $INTERNAL_IP_OF_SMTP -j MASQUERADE
> >>
> >>ex:
> >>on firewall:
> >>	telnet csoc-mail-msfc.csoconline.com 25
> >>	
> >>	above connects ok
> >>
> >>on $INTERNAL_IP_OF_SMTP
> >>	telnet csoc-mail-msfc.csoconline.com 25
> >>
> >>	connection times out
> >>
> >>
> >>
> >>-- 
> >>To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> >>with a subject of "unsubscribe". Trouble? Contact 
> >>listmaster@lists.debian.org
> >
> >
> >
> 
> -- 
> =================================================================
> = Management is doing things right; leadership is doing the     =
> =       right things.    - Peter Drucker                        =
> =_______________________________________________________________=
> =     http://www.sun.com/service/sunps/jdc/javacenter.pdf       =
> =  www.sun.com | www.javasoft.com | http://wwws.sun.com/sunone  =
> =================================================================
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact 
> listmaster@lists.debian.org

Reply to:

References:
- iptables NAT entry times out but connects from firewall
  - From: Hanasaki JiJi <hanasaki@hanaden.com>
- Re: iptables NAT entry times out but connects from firewall
  - From: Thiago Rondon <thiago@ananke.com.br>
- Re: iptables NAT entry times out but connects from firewall
  - From: Hanasaki JiJi <hanasaki@hanaden.com>

Prev by Date: Re: port forward with the ipmasq package and Iptables
Next by Date: Problems with iptables configuration
Previous by thread: Re: iptables NAT entry times out but connects from firewall
Next by thread: firewalls books
Index(es):
- Date
- Thread