* Hanasaki JiJi (hanasaki@hanaden.com) [030419 08:40]:
> The below two sets of rules seem to provide the same functionality, with
> the exception that the second ruleset results in a timeout from the
> 192.168.1.2 timing out on connections to some, only some, external hosts
> on port 25. What could cause this? How can it be fixed? What is the
> difference between the two approaches?

Even before looking at the rules, I'd say the answer is ident on port 113. You're probably DROPping the inbound ident request, so the other side tries a few resends before it times out.

Many recommend REJECTing at least inbound tcp port 113; personally, I prefer to REJECT all unwanted inbound tcp traffic with a TCP RST, and all unwanted inbound UDP packets with an icmp-port-unreach. (... and all other protocols with icmp-proto-unreach.) It just seems like the sane thing to do, to me, but others have their own preferences.

>
> kernel = 2.4.20
> firewall = 192.168.1.1
>
> firewall ruleset1
> ==========
> $PROG -t nat -A POSTROUTING -p tcp -o $NIC_EXTERNAL \
> --dport 25 -s 192.168.1.2 -j MASQUERADE

What, that's it? What are your chain policies? I believe the default is all ACCEPTs, so this must be what you're using. So in this case, the inbound tcp/113 request is accepted. If you're not running an ident server, your host immediately sends back an RST, and the other host continues, allowing you to use its SMTP service while noting that you're not running ident. (If you are running ident, the ident request completes, and the other host notes the response in its logs and allows you to continue your smtp transaction.)

>
> firewall ruleset2
> ==========
> $PROG -t nat -A POSTROUTING -p tcp \
> -o $NIC_EXTERNAL \
> --dport smtp -s 192.168.1.2 \
> -j SNAT --to-source $IP:25

Well here you're changing the source port to 25. Is that what you want?

>
> $PROG -t nat -A PREROUTING -i $NIC_EXTERNAL -p tcp \
> -s 0/0 --dport smtp \
> -j DNAT --to-destination 192.168.1.2:25
> $PROG -t mangle -A FORWARD -i $NIC_EXTERNAL -s 0/0 \
> -o $NIC_INTERNAL -d 192.168.1.2 -p tcp --dport smtp \
> -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> $PROG -t mangle -A FORWARD -i $NIC_INTERNAL -s 192.168.1.2 \
> -o $NIC_EXTERNAL -d 0/0 -p tcp \
> -m state --state ESTABLISHED,RELATED -j ACCEPT

Hmm. Again, no policies defined. And why is this using the mangle table? What does your filter table look like? I'd say that these rules alone also allow the inbound ident request, but that you must have some filtering in place that is DROPping it, and that's why you see the delay. SMTP delays on connect are almost always because of this.

good times,
Vineet

--
http://www.doorstop.net/
--
--Nick Moffitt
A: No.
Q: Should I include quotations after my reply?
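The filtering the reply recommends, written out as iptables commands: explicit chain policies, state tracking for the internal host's outbound SMTP, and REJECT (tcp-reset, icmp-port-unreachable, icmp-proto-unreachable) instead of a silent DROP for unwanted inbound traffic, so a remote MTA's ident probe on tcp/113 is refused at once rather than retried until it times out. This is an added example, not part of the original thread or Vineet's own rules; the interface names and the dry-run default (PROG="echo iptables", which only prints the commands) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Set PROG=iptables (as root on
# the firewall) to apply; the default only echoes the commands for review.
PROG="${PROG:-echo iptables}"
NIC_EXTERNAL="${NIC_EXTERNAL:-eth0}"   # assumed interface names
NIC_INTERNAL="${NIC_INTERNAL:-eth1}"
MAIL_HOST="192.168.1.2"                # internal host from the thread

reject_policy_rules() {
    # Explicit policies instead of relying on the default ACCEPT.
    $PROG -P INPUT DROP
    $PROG -P FORWARD DROP
    $PROG -P OUTPUT ACCEPT

    # Replies to connections we or the mail host opened (the SMTP session itself).
    $PROG -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $PROG -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Outbound SMTP from the mail host, masqueraded as in ruleset1 (nat table,
    # filtering belongs in the filter table, not mangle).
    $PROG -A FORWARD -i "$NIC_INTERNAL" -o "$NIC_EXTERNAL" -s "$MAIL_HOST" \
        -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $PROG -t nat -A POSTROUTING -o "$NIC_EXTERNAL" -s "$MAIL_HOST" \
        -p tcp --dport 25 -j MASQUERADE

    # The fix: the remote MTA sends its ident request to the firewall's public
    # address (port 113, INPUT chain). A RST ends it immediately; a DROP would
    # leave the MTA retransmitting for tens of seconds before it gives up.
    $PROG -A INPUT -i "$NIC_EXTERNAL" -p tcp -j REJECT --reject-with tcp-reset
    $PROG -A INPUT -i "$NIC_EXTERNAL" -p udp -j REJECT --reject-with icmp-port-unreachable
    $PROG -A INPUT -i "$NIC_EXTERNAL" -j REJECT --reject-with icmp-proto-unreachable
}

reject_policy_rules
```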