On Wednesday 03 July 2002 4:57 pm, Jürgen Danielsson wrote:

> This is part of the rules
>
> $PROG -t nat -A PREROUTING -p tcp -d ooo.ooo.*17.*54
> --dport 25 -j DNAT --to iii.iii.iii.*15:25

Any packets coming in to ooo.ooo.*17.*54 TCP port 25 get destination translated to iii.iii.iii.*15 port 25.

> $PROG -A FORWARD -p tcp -d iii.iii.iii.*15 --dport 25
> -j ACCEPT

Any packets for iii.iii.iii.*15 TCP port 25 are allowed through.

> $PROG -A INPUT -p tcp --destination ooo.ooo.*17.*54
> --destination-port 25 -j ACCEPT

I don't think you want this rule - you're not running a mail server on the Firewall, are you ?

> both ooo.ooo.ooo.ooo and iii.iii.iii.iii are real class
> C nets (even though iii.iii.iii.iii is being masqed),
> which means neither net is a 192.168.0.0/255.255.0.0 or
> 10.0.0.0/255.0.0.0 or 172.16.0.0/255.255.255.0

This means that ooo.ooo.ooo.ooo is routable across the Internet (and will get translated by your DNAT rule and sent on to iii.iii.iii.iii), and also iii.iii.iii.iii is routable across the Internet, so when it arrives at the Firewall it will simply get forwarded through to the server with that address.

> The problem:
>
> Telnet from the outside to ooo.ooo.*17.*54 : 25 does
> what it's supposed to do, I get a reply from an smtp
> server. But then I noticed that iii.iii.iii.*15 : 25
> gives the same reply. How come ?

Hopefully the above explains why ?

> No other ip on the
> iii.iii.iii.iii net is reachable. Is the forward rule
> opening access directly to the masqed ip ? and how
> do I stop that ?

Why do you want to stop it ? If the mail server is accessible from the outside (as ooo.ooo.*17.*54), then why are you bothered about it also being accessible as iii.iii.iii.*15 ? No-one can do any more damage to it on one IP than the other, so there's no loss of security here.

If you don't want its real IP address to be accessible from the outside, why have you given it a routable IP address at all, instead of a private 10.0.0.0, 172.16.0.0 or 192.168.0.0 address ?

Antony.
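The behaviour Antony describes, as an added example that is not part of the original thread: a small Python model of the path a packet takes through nat/PREROUTING (where the DNAT rule lives) and then filter/FORWARD. The addresses are constructed RFC 5737 documentation addresses standing in for ooo.ooo.*17.*54 and iii.iii.iii.*15. The "tightened" rule set is an assumption of this example, not something the thread proposes; it corresponds to adding `-m conntrack --ctstate DNAT` to the FORWARD rule so that only connections which actually passed through the DNAT are forwarded, while packets that arrive already addressed to the routable internal IP fall through to the chain policy.

```python
"""Toy model of the netfilter path discussed in the thread:
nat/PREROUTING (DNAT) runs first, then filter/FORWARD.

Added example, not from the original post. Addresses are constructed
(RFC 5737 documentation ranges) standing in for the poster's
ooo.ooo.*17.*54 (public MX address) and iii.iii.iii.*15 (routable but
masqueraded internal address)."""

PUBLIC_MX = "203.0.113.54"      # stands in for ooo.ooo.*17.*54 (constructed)
INTERNAL_MX = "198.51.100.15"   # stands in for iii.iii.iii.*15 (constructed)
OTHER_INTERNAL = "198.51.100.20"  # another host on the internal net (constructed)

# The poster's DNAT rule: public MX address, tcp/25 -> internal MX address.
NAT_RULES = [
    {"proto": "tcp", "dst": PUBLIC_MX, "dport": 25,
     "target": "DNAT", "to": INTERNAL_MX},
]

# The poster's FORWARD rule: accept anything whose final destination is
# the internal MX on tcp/25, regardless of how the packet got that address.
FORWARD_ORIGINAL = [
    {"proto": "tcp", "dst": INTERNAL_MX, "dport": 25, "target": "ACCEPT"},
]

# Assumed tightened variant (not from the thread): additionally require the
# connection to carry the virtual conntrack state DNAT, which in iptables
# is expressed as '-m conntrack --ctstate DNAT'.
FORWARD_TIGHTENED = [
    {"proto": "tcp", "dst": INTERNAL_MX, "dport": 25,
     "ctstate": "DNAT", "target": "ACCEPT"},
]


def matches(rule, pkt):
    """Every match key in the rule must equal the packet's field.
    'target' and 'to' are the rule's action, not match criteria."""
    return all(pkt.get(k) == v for k, v in rule.items()
               if k not in ("target", "to"))


def prerouting_nat(pkt, nat_rules):
    """Apply the first matching DNAT rule and record the 'DNAT' conntrack
    state; packets that match nothing keep their address (state NEW)."""
    for rule in nat_rules:
        if matches(rule, pkt):
            return dict(pkt, dst=rule["to"], ctstate="DNAT")
    return dict(pkt, ctstate="NEW")


def forward_filter(pkt, forward_rules, policy="DROP"):
    """First matching FORWARD rule decides; otherwise the chain policy."""
    for rule in forward_rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


def traverse(pkt, nat_rules, forward_rules):
    """Return (final destination, FORWARD verdict) for one inbound packet."""
    after_nat = prerouting_nat(pkt, nat_rules)
    return after_nat["dst"], forward_filter(after_nat, forward_rules)


def demo():
    """Run the probes the thread talks about against both rule sets."""
    probes = {
        "public":   {"proto": "tcp", "dst": PUBLIC_MX, "dport": 25},
        "internal": {"proto": "tcp", "dst": INTERNAL_MX, "dport": 25},
        "other":    {"proto": "tcp", "dst": OTHER_INTERNAL, "dport": 25},
    }
    results = {}
    for name, pkt in probes.items():
        results[name + "_original"] = traverse(pkt, NAT_RULES, FORWARD_ORIGINAL)
        results[name + "_tightened"] = traverse(pkt, NAT_RULES, FORWARD_TIGHTENED)
    return results


if __name__ == "__main__":
    for name, (dst, verdict) in demo().items():
        print(f"{name:20s} -> final dst {dst:16s} verdict {verdict}")
```

With the poster's rules, a packet sent straight to the internal address is never touched by the DNAT rule (it does not match the public destination), yet it reaches FORWARD with exactly the same destination as a translated packet, so the FORWARD rule cannot tell the two apart and accepts both. Matching on the DNAT conntrack state (or, alternatively, on the incoming interface) is what lets the FORWARD rule distinguish them; the example's other internal host is dropped under both rule sets, which is the "no other ip is reachable" observation in the thread.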
