* Help with port forwarding
@ 2003-10-22 16:41 Kleiner, Peter
  2003-10-24  6:03 ` Mark E. Donaldson
  0 siblings, 1 reply; 8+ messages in thread
From: Kleiner, Peter @ 2003-10-22 16:41 UTC (permalink / raw)
  To: 'netfilter@lists.netfilter.org'

Greetings,

I have two PCs that, software-wise, are reasonably identical.  Both are
RH9.0 with iptables 1.2.7a.

I have a script to set the rules for masquerading and port forwarding.
The script is identical, except that the internal address range is
different.

My problem is that port forwarding works on one PC and not the other.  I've
spent many hours trying to figure out what is wrong to no avail.  I was
wondering what other factors will affect iptables.

Anyway, here is the info on the two PCs, which I'll call PC1 and PC2.
PC1 is the working one and PC2 is the non-working one.  Both PCs have
eth0 as internal and eth1 as external interfaces.

I've put the info that I thought was relevant here:
http://www.smbmicro.com/~kleinerp/iptables.txt

Please let me know if you require anything else.

Thanks in advance!!!
Pete



* RE: Help with port forwarding
  2003-10-22 16:41 Help with port forwarding Kleiner, Peter
@ 2003-10-24  6:03 ` Mark E. Donaldson
  0 siblings, 0 replies; 8+ messages in thread
From: Mark E. Donaldson @ 2003-10-24  6:03 UTC (permalink / raw)
  To: Kleiner, Peter, netfilter

Peter - I don't see anything obvious in the script that could be
problematic.  What do you mean by "port forwarding not working"? Are you
getting any error messages?  Is translation being performed but the packets
are not routed?  I might be able to generate some ideas here if you can be
more specific.  By the way, I believe you are meaning to block the Auth
protocol (port 113):  that being the case, you need to specify TCP and not
UDP.


* RE: Help with port forwarding
@ 2003-10-27 12:48 Kleiner, Peter
  0 siblings, 0 replies; 8+ messages in thread
From: Kleiner, Peter @ 2003-10-27 12:48 UTC (permalink / raw)
  To: 'netfilter@lists.netfilter.org'

Herman wrote:
> Hmm, run lsmod and see whether iptable_mangle is loaded.  
> Contrary to popular 
> belief, that module is absolutely needed to make port 
> forwarding work.  I 
> fought that issue two weeks ago.  See my web site for my howto.
 
Actually, it is not, at least in my case.  I say that because it 
is not loaded on the PC that is working.  But I already tried loading it and
still the non-working PC fails to work properly.

Thanks for the suggestion.

Pete



* RE: Help with port forwarding
  2003-10-24 13:34 Kleiner, Peter
  2003-10-24 17:04 ` Alistair Tonner
@ 2003-10-25  4:59 ` Mark E. Donaldson
  1 sibling, 0 replies; 8+ messages in thread
From: Mark E. Donaldson @ 2003-10-25  4:59 UTC (permalink / raw)
  To: Kleiner, Peter, netfilter

Check and see if translation is actually occurring.  The easiest way is to
fire up tcpdump on the out interface, generate some traffic on some known
ports so you can determine the source of the packets, and then check your
tcpdump output and see if the IP was actually translated.  If it is
translating, then you have most likely narrowed your problem down to routing
or an interface configuration problem (run ifconfig and netstat -nr).
If it is not translating, then I would start by checking for properly loaded
modules or kernel configuration (run lsmod).  It has got to be something
fairly simple, I would think.


* Re: Help with port forwarding
  2003-10-24 17:17 Kleiner, Peter
@ 2003-10-25  2:52 ` Herman
  0 siblings, 0 replies; 8+ messages in thread
From: Herman @ 2003-10-25  2:52 UTC (permalink / raw)
  To: netfilter

Hmm, run lsmod and see whether iptable_mangle is loaded.  Contrary to popular 
belief, that module is absolutely needed to make port forwarding work.  I 
fought that issue two weeks ago.  See my web site for my howto.

Cheers,

Herman
http://www.AerospaceSoftware.com


On Friday 24 October 2003 11:17 am, Kleiner, Peter wrote:
   It's already in the script and I've checked several times.
   Thanks for trying, though.

   > -----Original Message-----
   > From: Alistair Tonner [mailto:Alistair@nerdnet.ca]
   > Sent: Friday, October 24, 2003 1:05 PM
   > To: Kleiner, Peter; 'netfilter@lists.netfilter.org'
   > Subject: Re: Help with port forwarding
   >
   >
   > On October 24, 2003 09:34 am, Kleiner, Peter wrote:
   >
   > Just a bizarre thought, since you seem to be looking at forwarded
   > traffic not getting out... did you check /proc/sys/net/ipv4/ip_forward
   > to ensure it exists on PC2 and contains 1? Not sure why, but I have
   > seen an install where it did NOT exist. Rebuilt the kernel to fix it,
   > so I suppose the kernel that was in place was not properly configured.
   > *shrugs* ... I'm only asking since it wasn't said, and sometimes the
   > simple answer is the fast one.

* RE: Help with port forwarding
@ 2003-10-24 17:17 Kleiner, Peter
  2003-10-25  2:52 ` Herman
  0 siblings, 1 reply; 8+ messages in thread
From: Kleiner, Peter @ 2003-10-24 17:17 UTC (permalink / raw)
  To: 'netfilter@lists.netfilter.org'

It's already in the script and I've checked several times.  
Thanks for trying, though.

> -----Original Message-----
> From: Alistair Tonner [mailto:Alistair@nerdnet.ca]
> Sent: Friday, October 24, 2003 1:05 PM
> To: Kleiner, Peter; 'netfilter@lists.netfilter.org'
> Subject: Re: Help with port forwarding
> 
> 
> On October 24, 2003 09:34 am, Kleiner, Peter wrote:
> 
> Just a bizarre thought, since you seem to be looking at forwarded traffic
> not getting out... did you check /proc/sys/net/ipv4/ip_forward to ensure
> it exists on PC2 and contains 1? Not sure why, but I have seen an install
> where it did NOT exist. Rebuilt the kernel to fix it, so I suppose the
> kernel that was in place was not properly configured. *shrugs* ... I'm
> only asking since it wasn't said, and sometimes the simple answer is the
> fast one.

* Re: Help with port forwarding
  2003-10-24 13:34 Kleiner, Peter
@ 2003-10-24 17:04 ` Alistair Tonner
  2003-10-25  4:59 ` Mark E. Donaldson
  1 sibling, 0 replies; 8+ messages in thread
From: Alistair Tonner @ 2003-10-24 17:04 UTC (permalink / raw)
  To: Kleiner, Peter, 'netfilter@lists.netfilter.org'

Just a bizarre thought, since you seem to be looking at forwarded traffic not
getting out... did you check /proc/sys/net/ipv4/ip_forward to ensure it exists
on PC2 and contains 1? Not sure why, but I have seen an install where it did
NOT exist. Rebuilt the kernel to fix it, so I suppose the kernel that was in
place was not properly configured. *shrugs* ... I'm only asking since it
wasn't said, and sometimes the simple answer is the fast one.


-- 

	Alistair Tonner
	nerdnet.ca
	Senior Systems Analyst - RSS
	
     Any sufficiently advanced technology will have the appearance of magic.
	Lets get magical!


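Mark's procedure (first establish whether the inbound packet is actually translated, then whether it is forwarded or routed) and Alistair's ip_forward check can both be modelled offline against an iptables-save dump. The Python below is an added example, not code from the thread or from Peter's script. The rule set, the outside client address and the LOG line are constructed for the example and use documentation addresses; only the interface layout follows the thread (eth1 outside, eth0 inside). The tracer walks a new inbound SYN through nat/PREROUTING and then through filter/FORWARD if DNAT redirected it to another host, otherwise through filter/INPUT, and it can build that packet from a netfilter LOG line in the format Peter quoted. It understands only the selectors it parses (-i, -p, -d, --dport, --state, -j, --to-destination) and ignores any other option, so a real dump with extra selectors may match more loosely here than on the box; it is a reasoning aid, not a substitute for tcpdump.

```python
"""Offline model of Mark's check (is the inbound packet translated, and does
FORWARD then pass it?) and Alistair's ip_forward check, run over an
iptables-save dump.  Added example, not from the thread; all data is constructed."""
import ipaddress
import re
import shlex
from collections import namedtuple

# Constructed dump, eth1 outside and eth0 inside.  Port 443 is DNATed but has no
# FORWARD rule, which is the "translated but not forwarded" failure mode.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.1.10:110
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.20:443
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 135 -j LOG --log-prefix "scan: "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp -d 192.168.1.10/32 --dport 110 -j ACCEPT
COMMIT
"""
# Constructed LOG line in the format Peter quoted, using documentation addresses.
SAMPLE_LOG = ("Oct 21 16:55:45 gw kernel: IN=eth1 OUT= MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 "
              "SRC=198.51.100.9 DST=203.0.113.7 LEN=64 TOS=0x00 PREC=0x00 TTL=115 ID=44619 DF "
              "PROTO=TCP SPT=4168 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0")

Packet = namedtuple("Packet", "in_iface src dst proto dport")
LOG_RE = re.compile(r"IN=(?P<IN>\S*) .*?SRC=(?P<SRC>\S+) DST=(?P<DST>\S+) "
                    r".*?PROTO=(?P<PROTO>\S+) SPT=\d+ DPT=(?P<DPT>\d+)")
# iptables-save options understood here (each takes one argument); others are ignored.
OPTS = {"-i": "in_iface", "-p": "proto", "-d": "dst", "--state": "state",
        "-j": "target", "--to-destination": "to_dest"}
TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "MASQUERADE"}

def packet_from_log(line):
    """Build a Packet from a netfilter LOG line (only the fields matched on)."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a netfilter LOG line")
    return Packet(m["IN"], m["SRC"], m["DST"], m["PROTO"].lower(), int(m["DPT"]))

def parse_save(text):
    """iptables-save text -> {table: {chain: (policy, [rule dict])}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table[chain] = (policy, [])
        elif line.startswith("-A"):
            argv = shlex.split(line)
            rule = {"chain": argv[1], "target": ""}
            for opt, val in zip(argv[2::2], argv[3::2]):
                if opt == "--dport":
                    rule["dport"] = int(val)
                elif opt in OPTS:
                    rule[OPTS[opt]] = val
            table[argv[1]][1].append(rule)
    return tables

def matches(r, pkt, dst, dport):
    """dst/dport may already have been rewritten by DNAT; a fresh SYN is NEW."""
    return (r.get("in_iface") in (None, pkt.in_iface)
            and r.get("proto") in (None, pkt.proto)
            and r.get("dport") in (None, dport)
            and ("dst" not in r or ipaddress.ip_address(dst) in ipaddress.ip_network(r["dst"], strict=False))
            and ("state" not in r or "NEW" in r["state"].split(",")))

def walk_chain(chain, pkt, dst, dport):
    """First terminating match wins; LOG is non-terminating, so note it and go on."""
    policy, rules = chain
    logged = False
    for r in rules:
        if matches(r, pkt, dst, dport):
            if r["target"] == "LOG":
                logged = True
            elif r["target"] in TERMINATING:
                return r["target"], r, logged
    return policy, None, logged

def trace(tables, pkt, ip_forward=1):
    """New inbound SYN: nat/PREROUTING, then filter/FORWARD if DNAT sent it to
    another host (an INPUT LOG rule never sees it), else filter/INPUT."""
    res = {"dnat_to": None, "chain": "INPUT", "verdict": None, "logged": False}
    dst, dport = pkt.dst, pkt.dport
    verdict, rule, _ = walk_chain(tables["nat"]["PREROUTING"], pkt, dst, dport)
    if verdict == "DNAT":
        host, _, port = rule["to_dest"].partition(":")
        dst, dport = host, (int(port) if port else dport)
        res.update(dnat_to=f"{dst}:{dport}", chain="FORWARD")
        if not ip_forward:  # Alistair's check: the kernel will not forward at all
            res["verdict"] = "DROP (ip_forward=0)"
            return res
    res["verdict"], _, res["logged"] = walk_chain(tables["filter"][res["chain"]], pkt, dst, dport)
    return res
```

With the constructed dump, `trace(parse_save(SAMPLE_RULES), Packet("eth1", "198.51.100.9", "203.0.113.7", "tcp", 110))` reports dnat_to 192.168.1.10:110 and a FORWARD verdict of ACCEPT, while port 443 is translated but falls through to the FORWARD chain's DROP policy, which an outside scanner sees as no reply at all, the state nmap reports as "filtered". The port-135 SYN built from SAMPLE_LOG matches no DNAT rule, so it takes the INPUT path, where the LOG rule fires; a DNATed packet takes the FORWARD path instead, and an INPUT LOG rule never sees it. With ip_forward=0 the DNATed packet is dropped before FORWARD is consulted. On a real gateway the inputs come from iptables-save and /proc/sys/net/ipv4/ip_forward, and tcpdump -n -i eth0 port 110 on the inside interface shows whether translated packets actually leave the box, which is the tcpdump check Mark describes.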

* RE: Help with port forwarding
@ 2003-10-24 13:34 Kleiner, Peter
  2003-10-24 17:04 ` Alistair Tonner
  2003-10-25  4:59 ` Mark E. Donaldson
  0 siblings, 2 replies; 8+ messages in thread
From: Kleiner, Peter @ 2003-10-24 13:34 UTC (permalink / raw)
  To: 'netfilter@lists.netfilter.org'

Thus spake Mark E. Donaldson:
> Peter - I don't see anything obvious in the script that could be
> problematic.  What do you mean by "port forwarding not working"?

When I run the script as shown, I can telnet through any of the filtered
ports (110, 143, 443) on the working PC, but not on the not-working PC.

> Are you getting any error messages?

None whatsoever.  I tried logging the traffic, but nothing showed up.
Interestingly, when I had logging on, it showed various attempts at
port 135:
Oct 21 16:55:45 gw kernel: IN=eth1 OUT=
MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=63.67.218.114
DST=XX.XX.4.7 LEN=64 TOS=0x00 PREC=0x00 TTL=115 ID=44619 DF PROTO=TCP
SPT=4168 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 21 16:55:46 gw kernel: IN=eth1 OUT=
MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=63.67.218.114
DST=XX.XX.4.7 LEN=64 TOS=0x00 PREC=0x00 TTL=115 ID=44889 DF PROTO=TCP
SPT=4168 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 21 16:55:46 gw kernel: IN=eth1 OUT=
MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=63.67.218.114
DST=XX.XX.4.7 LEN=64 TOS=0x00 PREC=0x00 TTL=115 ID=45129 DF PROTO=TCP
SPT=4168 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Oct 21 16:59:23 gw kernel: IN=eth1 OUT=
MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=66.156.169.85
DST=XX.XX.4.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=47221 DF PROTO=TCP
SPT=2180 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 21 16:59:24 gw kernel: IN=eth1 OUT=
MAC=00:30:21:07:ef:94:00:02:b9:91:7d:40:08:00 SRC=66.156.169.85
DST=XX.XX.4.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=47351 DF PROTO=TCP
SPT=2180 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
[sorry for the long text lines]
But nothing was recorded when I tried to telnet to ports 110, 143 or 443.

> Is translation being performed but the packets are not routed?

I'm not sure how to tell that.  Possibly.  Running nmap of the public
address shows:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on  (XX.XX.4.7):
(The 1596 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh                     
25/tcp     open        smtp                    
110/tcp    filtered    pop-3                   
143/tcp    filtered    imap2                   
443/tcp    filtered    https

> I might be able to generate some ideas here if you can be more specific.

Please let me know what else you need.  I am completely baffled.  Why would
the same script work on one machine and not the other?  That is why I listed
the lsmod in my original post.  I wonder if it's something not related to
iptables...?

> By the way, I believe you are meaning to block the Auth protocol (port 113):
> that being the case, you need to specify TCP and not UDP.

Fixed.  Thanks!

Pete



Thread overview: 8+ messages
2003-10-22 16:41 Help with port forwarding Kleiner, Peter
2003-10-24  6:03 ` Mark E. Donaldson
2003-10-24 13:34 Kleiner, Peter
2003-10-24 17:04 ` Alistair Tonner
2003-10-25  4:59 ` Mark E. Donaldson
2003-10-24 17:17 Kleiner, Peter
2003-10-25  2:52 ` Herman
2003-10-27 12:48 Kleiner, Peter
