From: Magnus Bäck (no email)
Date: Sat Nov 01 2003 - 09:59:06 EST
On Sat, Nov 01, 2003 at 04:39:27AM -0800,
kk ii <> wrote:
> > Configure your firewall so that it doesn't proxy the connections or
> > source-NAT them. Your current setup will e.g. also defeat all RBL
> > lookups.
>
> I think that's where my problem is. We just set up our office, and
> used an old PC as our outer firewall (Linux iptables).
> I had so many problems making port forwarding work in iptables, so at
> the end, I just installed a little proxy program.
That's not a good problem-solving method.
> If you don't mind sharing some tips on making port forwarding work on
> iptables, I'd really appreciate it.
Isn't that information part of just about every howto about iptables?
Anyway, the following template works:
# nat table: rewrite the destination of new inbound connections to the
# internal host (DNAT keeps the original client address, unlike SNAT)
$IPTABLES -A PREROUTING -t nat -p tcp -i $IF_EXTERNAL \
--dst $IP_EXTERNAL --dport $PORT \
-j DNAT --to $IP_INTERNAL:$PORT
# filter table: allow the rewritten packets to be forwarded inward
$IPTABLES -A FORWARD -p tcp -i $IF_EXTERNAL --dst $IP_INTERNAL \
--dport $PORT -j ACCEPT
> > > And I also added the smtpd_sender_restrictions as well.
> >
> > That's pointless.
>
> Ok, I kinda see that after some more testing, but could you explain a
> little bit?
Sender restrictions describe what gets checked after MAIL FROM is
received, unless smtpd_delay_reject = yes, and recipient restrictions
describe what gets checked after RCPT TO. When smtpd_delay_reject is
yes, any rejection (except from data restrictions) will take place after
RCPT TO.
Bottom line: Put all restrictions in smtpd_recipient_restrictions. It
makes it a lot easier to understand the order of the restrictions
therein (and order is very important).
-- Magnus Bäck
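Added example (not from the original thread, and not Magnus's own script): the DNAT/FORWARD template above wrapped in a small POSIX sh script so the generated rules can be reviewed before they are applied. The interface name and the addresses 203.0.113.5 / 192.168.1.10 are constructed placeholders. The point for the mail server is that DNAT, unlike a proxy or source-NAT, preserves the real client address, which is what RBL lookups and client restrictions need. It also adds the stateful return rule the template assumes, which is needed when the FORWARD chain's default policy is DROP.

```shell
#!/bin/sh
# Added example; assumed values below are placeholders, not the thread's.
IPTABLES=${IPTABLES:-/sbin/iptables}
IF_EXTERNAL=${IF_EXTERNAL:-eth0}
IP_EXTERNAL=${IP_EXTERNAL:-203.0.113.5}   # constructed public address
IP_INTERNAL=${IP_INTERNAL:-192.168.1.10}  # constructed LAN address of the mail host

# forward_rules PORT: print the two rules that forward TCP PORT from the
# external address to the internal host. DNAT rewrites only the
# destination, so the internal server still logs the real client IP.
forward_rules() {
    port=$1
    case $port in
        ''|*[!0-9]*) echo "forward_rules: port must be numeric" >&2; return 1 ;;
    esac
    printf '%s\n' "$IPTABLES -A PREROUTING -t nat -p tcp -i $IF_EXTERNAL --dst $IP_EXTERNAL --dport $port -j DNAT --to $IP_INTERNAL:$port"
    printf '%s\n' "$IPTABLES -A FORWARD -p tcp -i $IF_EXTERNAL --dst $IP_INTERNAL --dport $port -j ACCEPT"
}

# return_rule: the template assumes reply packets are allowed back out.
# With a DROP policy on FORWARD this stateful rule must exist as well.
return_rule() {
    printf '%s\n' "$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# apply_forwarding PORT...: actually run the rules (requires root).
apply_forwarding() {
    return_rule | sh
    for p in "$@"; do
        forward_rules "$p" | sh
    done
}

# Dry run: show what would be applied for SMTP instead of applying it.
forward_rules 25
return_rule
```

Run the script as-is to see the rules; call `apply_forwarding 25` (and any other ports) from a root shell to install them. Check the result with `iptables -t nat -L PREROUTING -n` and confirm in the mail server's log that connections now arrive from the client's own address rather than the firewall's.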
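Added example (not from the original thread): the single-list arrangement recommended above, expressed as postconf commands, together with a small ordering lint. The RBL hostname rbl.example.net is a placeholder. The ordering point is the security-relevant one: any permit_* entry that precedes reject_unauth_destination (other than permit_mynetworks or permit_sasl_authenticated) makes the host an open relay, and with smtpd_delay_reject = yes every rejection is still reported after RCPT TO, so nothing is lost by moving the sender checks into the recipient list.

```shell
#!/bin/sh
# Added example; the restriction list and RBL name are assumptions.

# recipient_restrictions: print the list in the order Postfix evaluates it.
recipient_restrictions() {
    printf '%s' "permit_mynetworks, reject_unauth_destination, reject_rbl_client rbl.example.net"
}

# relay_safe LIST: succeed only if LIST contains reject_unauth_destination
# and no permit_* other than permit_mynetworks/permit_sasl_authenticated
# appears before it. A bare "permit" counts as permit_*.
relay_safe() {
    seen_reject=0
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case $item in
            reject_unauth_destination) seen_reject=1 ;;
            permit_mynetworks|permit_sasl_authenticated) ;;
            permit*) [ "$seen_reject" -eq 1 ] || return 1 ;;
        esac
    done
    [ "$seen_reject" -eq 1 ]
}

# apply_postfix_restrictions: write the settings with postconf and reload.
# Refuses to apply a list that fails the relay check. Run as root.
apply_postfix_restrictions() {
    list=$(recipient_restrictions)
    if ! relay_safe "$list"; then
        echo "refusing to apply relay-unsafe restriction list" >&2
        return 1
    fi
    postconf -e "smtpd_delay_reject = yes"
    postconf -e "smtpd_sender_restrictions ="
    postconf -e "smtpd_recipient_restrictions = $list"
    postfix reload
}

# Show the list that would be applied.
recipient_restrictions
echo
```

Edit recipient_restrictions to taste, then run `apply_postfix_restrictions` on the mail host. The lint is deliberately simple (it does not follow check_*_access maps or restriction classes), but it catches the common mistake of placing a permit before reject_unauth_destination.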