Re: firewall rules for NAT

2017-07-01 Thread Igor Cicimov
On 1 Jul 2017 7:31 pm, "Pascal Hambourg" wrote: On 01/07/2017 at 03:25, Igor Cicimov wrote: > > You know what, I just checked the iptables rules the OP sent again and > realized this: > > -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp > > --dport 25 -j SNAT --to-source

Re: firewall rules for NAT

2017-07-01 Thread Brad Rogers
On Sat, 1 Jul 2017 13:25:30 +0200 Pascal Hambourg wrote: Hello Pascal, >Are you sure that your mailer displays the plain text version, not the >HTML version ? I'll change my answer; I only looked at a couple of Igor's messages and they were fine. However, further study shows that in some pos

Re: firewall rules for NAT

2017-07-01 Thread Brad Rogers
On Sat, 1 Jul 2017 13:25:30 +0200 Pascal Hambourg wrote: Hello Pascal, >Are you sure that your mailer displays the plain text version, not the >HTML version ? Positive. I use Claws Mail *without* any HTML plugin. -- Regards _ / ) "The blindingly obvious is / _)r

Re: firewall rules for NAT

2017-07-01 Thread Pascal Hambourg
On 01/07/2017 at 12:54, Brad Rogers wrote: On Sat, 1 Jul 2017 11:30:41 +0200 Pascal Hambourg wrote: Hello Pascal, PS. Igor, the plain text version of your posts does not properly mark the quoted text from the message you reply to : it appears as if it was your text, without any quotation ma

Re: firewall rules for NAT

2017-07-01 Thread Brad Rogers
On Sat, 1 Jul 2017 11:30:41 +0200 Pascal Hambourg wrote: Hello Pascal, >PS. Igor, the plain text version of your posts does not properly mark >the quoted text from the message you reply to : it appears as if it was >your text, without any quotation marks. It's fine here. -- Regards _

Re: firewall rules for NAT

2017-07-01 Thread Pascal Hambourg
On 01/07/2017 at 03:25, Igor Cicimov wrote: You know what, I just checked the iptables rules the OP sent again and realized this: -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100 is NOT how you would do SNAT with DNAT, you norm

Re: firewall rules for NAT

2017-06-30 Thread Igor Cicimov
On 1 Jul 2017 7:13 am, "Pascal Hambourg" wrote: On 30/06/2017 at 15:09, Igor Cicimov wrote: > On Fri, Jun 30, 2017 at 3:50 PM, Pascal Hambourg > wrote: > >> >> Stateful NAT requires symmetric routing, i.e. reply packets go through the >> router that did the NAT operations on original packets

Re: firewall rules for NAT

2017-06-30 Thread Pascal Hambourg
On 30/06/2017 at 15:09, Igor Cicimov wrote: On Fri, Jun 30, 2017 at 3:50 PM, Pascal Hambourg wrote: Stateful NAT requires symmetric routing, i.e. reply packets go through the router that did the NAT operations on original packets and keeps the state for these NAT operations. With the host a

Re: firewall rules for NAT

2017-06-30 Thread Igor Cicimov
On Fri, Jun 30, 2017 at 3:50 PM, Pascal Hambourg wrote: > On 30/06/2017 at 00:38, Igor Cicimov wrote: > >> On 29 Jun 2017 6:32 pm, "Lucio Crusca" wrote: >> >>> >>> On 27/06/2017 23:35, Pascal Hambourg wrote: >>> >>> On 27/06/2017 at 13:29, Lucio Crusca wrote: -A POSTROUTING -d

Re: firewall rules for NAT

2017-06-29 Thread Pascal Hambourg
On 30/06/2017 at 00:38, Igor Cicimov wrote: On 29 Jun 2017 6:32 pm, "Lucio Crusca" wrote: On 27/06/2017 23:35, Pascal Hambourg wrote: On 27/06/2017 at 13:29, Lucio Crusca wrote: -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100 If this rul

Re: firewall rules for NAT

2017-06-29 Thread Igor Cicimov
On 29 Jun 2017 6:32 pm, "Lucio Crusca" wrote: On 27/06/2017 23:35, Pascal Hambourg wrote: > On 27/06/2017 at 13:29, Lucio Crusca wrote: > >> >> -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT >> --to-source 10.7.33.100 >> >> > If this rule is required, then your routing

Re: firewall rules for NAT

2017-06-29 Thread Lucio Crusca
On 27/06/2017 23:35, Pascal Hambourg wrote: On 27/06/2017 at 13:29, Lucio Crusca wrote: -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100 If this rule is required, then your routing setup is wrong. Thank you very much, that was the problem. My

Re: firewall rules for NAT

2017-06-28 Thread Igor Cicimov
On 27 Jun 2017 9:29 pm, "Lucio Crusca" wrote: On 26/06/2017 11:35, Dan Purgert wrote: > That shouldn't be happening -- you may have an errant rule you didn't > show > I think I did show that rule: -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100

Re: firewall rules for NAT

2017-06-27 Thread Pascal Hambourg
On 27/06/2017 at 13:29, Lucio Crusca wrote: -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100 The problem is that without that rule things do not work at all (connections time out). If this rule is required, then your routing setup is wrong. What is t

Re: firewall rules for NAT

2017-06-27 Thread Lucio Crusca
On 26/06/2017 11:35, Dan Purgert wrote: That shouldn't be happening -- you may have an errant rule you didn't show I think I did show that rule: -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100 The problem is that without that rule things do not

Re: firewall rules for NAT

2017-06-26 Thread Dan Purgert
Lucio Crusca wrote: >[...] > It works like a charm, but there is one problem: my mail server receives > all the connections from the router, which has its own private IP > address (10.7.33.100), so the mail server can't enforce SPF policies nor > DNS RBL rules on incoming mail connections. That