This one is really confusing me... I am running IPTables to configure my firewall, telling it to ALLOW incoming traffic on eth1 from anywhere to port 25. The way the firewall is set up, it says to allow connections that are RELATED or ESTABLISHED, before going on to the following rules. One of the following rules says to allow connections that are NEW if they are destined for port 25. At the bottom of my firewall rules, I have an entry that rejects all traffic that has failed to pass all other checks. Right before that entry, I have an entry that logs the packet that was rejected.

What I am seeing is traffic that is coming in from a machine as a NEW connection, and is being allowed in. During the SMTP transaction (and this only happens sometimes - usually when Postfix has rejected the connection for failing some sanity check) Postfix might reject a connection, and then shortly after, I see a log entry from the firewall for a connection from port 25, but it failed to pass the previous checks, and so it rejects it.

My guess is that the state of the packet is not being considered as RELATED, ESTABLISHED, or NEW... but from the packet, I'm not sure if there is a way to determine which state the packet is in. Is there a way to tell the reason for rejection or the state of a packet from the log entry that IPTables generates?

Here is an example of a log entry that I saw. AFTER valid traffic was accepted, an SMTP session was set up, and postfix rejected the mail with an error code, I saw this message in my log:

Apr 10 06:40:29 master kernel: IN=eth1 OUT=MAC=00:50:ba:49:d8:aa:00:20:78:db:4f:3f:08:00 SRC=220.117.112.56 DST=192.168.158.1 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=54733 PROTO=TCP SPT=3705 DPT=25 WINDOW=0 RES=0x00 RST URGP=0

Here are the log entries from Postfix, so you can see that before the IPTables log entry above, traffic was accepted and an SMTP conversation took place. At 06:40:28, postfix rejected the mail with a 554 message because of an invalid Helo entry. Then it shows that the connection was lost after RCPT, and then the other machine disconnected. Log entries from maillog are listed below:

Apr 10 06:39:03 master postfix/smtpd[15051]: connect from unknown [220.117.112.56]
Apr 10 06:40:28 master postfix/smtpd[15051]: NOQUEUE: reject: RCPT from unknown[220.117.112.56]: 554 <216.61.158.201>: Helo command rejected: You are not 214.161.58.101; from=<vvhyhncokwe@xxxxxxxxxxxxxxxxxxx> to=<bruce@xxxxxxxxxxx> proto=SMTP helo=<214.161.58.101>
Apr 10 06:40:28 master postfix/smtpd[15051]: lost connection after RCPT from unknown[220.117.112.56]
Apr 10 06:40:28 master postfix/smtpd[15051]: disconnect from unknown [220.117.112.56]

Any help would be appreciated. If necessary, I can send the complete firewall rules.

--
David
Registered Linux User 383030 (since everyone else was doing it 8-)
-----------------------------------------------------------------------
There are only 10 kinds of people in this world, those who understand binary, and those who don't.
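
Added example, not part of the original post: an iptables LOG line records header fields and TCP flags but not the conntrack state, so this Python code parses the entry quoted above and relates it to the last Postfix event for the same source address. The function names and the fixed year used for timestamp arithmetic are assumptions of the example.

```python
import re
from datetime import datetime

# Both samples are copied from the post above (maillog trimmed to the lines used).
FW_LINE = (
    "Apr 10 06:40:29 master kernel: IN=eth1 OUT=MAC=00:50:ba:49:d8:aa:00:20:78:db:4f:3f:08:00 "
    "SRC=220.117.112.56 DST=192.168.158.1 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=54733 "
    "PROTO=TCP SPT=3705 DPT=25 WINDOW=0 RES=0x00 RST URGP=0")
MAILLOG = """\
Apr 10 06:39:03 master postfix/smtpd[15051]: connect from unknown [220.117.112.56]
Apr 10 06:40:28 master postfix/smtpd[15051]: lost connection after RCPT from unknown[220.117.112.56]
Apr 10 06:40:28 master postfix/smtpd[15051]: disconnect from unknown [220.117.112.56]
"""

TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")
# KEY=value pairs; the lookahead tolerates an empty OUT= run into MAC=, as in the post.
KV = re.compile(r"([A-Z]+)=(\S*?)(?=\s|$|[A-Z]+=)")

def stamp(line):
    # syslog timestamps carry no year; a fixed one is assumed so deltas can be computed
    return datetime.strptime("2000 " + line[:15], "%Y %b %d %H:%M:%S")

def parse_fw(line):
    """Split an iptables LOG line into key=value fields and bare TCP flag tokens."""
    return {"time": stamp(line),
            "fields": dict(KV.findall(line)),
            "flags": [tok for tok in line.split() if tok in TCP_FLAGS]}

def last_smtpd_event(maillog, ip, before):
    """Last postfix/smtpd line (in file order) for ip at or before the given time."""
    hits = [(stamp(l), l.split("]: ", 1)[1]) for l in maillog.splitlines()
            if "postfix/smtpd" in l and f"[{ip}]" in l and stamp(l) <= before]
    return hits[-1] if hits else None

def explain(fw_line, maillog):
    """Summarise the logged packet and what Postfix last did for the same source."""
    pkt = parse_fw(fw_line)
    prev = last_smtpd_event(maillog, pkt["fields"]["SRC"], pkt["time"])
    return {"flags": pkt["flags"],
            "dpt": pkt["fields"]["DPT"],
            "window": pkt["fields"]["WINDOW"],
            "previous_event": prev[1] if prev else None,
            "seconds_after": (pkt["time"] - prev[0]).total_seconds() if prev else None}

if __name__ == "__main__":
    print(explain(FW_LINE, MAILLOG))
```

To see the conntrack state in the log itself, the usual approach is a separate LOG rule per state match, each with its own `--log-prefix`.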