Firewall Wizards mailing list archives

iptables DNAT issue


From: mike () omnipod com
Date: Fri, 6 Sep 2002 10:33:14 -0400 (EDT)

I am having a recurring issue with DNAT on a linux/iptables based
firewall.  The setup is reasonably simple, with a few network cards in the
fw, one servicing a private network, one for the inet connection and 3
bridged together servicing a DMZ.

The issue is that when I add a DNAT rule (incoming or outgoing), it
doesn't want to go away without a reboot.  Here is a working example:

I forward port 25 incoming to a mail server on the DMZ.
OOPS, I mistyped the destination port, and port 25 gets forwarded to port
23 instead (no I didn't really do that).
I alter the iptables script to forward correctly, and re-run it.
(the script in question flushes ALL iptables rules before re-creating
them all)
I see it is still forwarding to the wrong port, so I manually clear all
rules, then rerun the script.
Telnetting to port 25 on the firewall from the outside /still/ forwards me
to port 23 on the DMZ machine (even though there is no rule to account for
this now)

If I reboot, this will finally go away.  I thought at first this may be a
problem with an established connection sticking around, and the rule not
clearing because of this, but netstat on neither the firewall nor the
target DMZ machine shows any connections on the forwarded ports, so this
seems unlikely (didn't know if that would have been normal anyway).

Relevant info:
iptables 1.2.5
kernel 2.4.18
bridge-utils 0.9.5 (I have had no problems at all w/ bridging but I
thought it might be relevant)

DNAT rule (the proper one):
$IPTABLES -A PREROUTING -t nat -i $EXTERNAL_IF -p tcp -d $EXTERNAL_IP --dport 25 \
        -j DNAT --to $MAIL_SERVER:25
$IPTABLES -A FORWARD -i $EXTERNAL_IF -p tcp -d $MAIL_SERVER --dport 25 -j ACCEPT

(outside ports are opened with a different rule, but this is known
working)

Much thanks in advance.

Mike Culbertson

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
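An added example, not part of Mike's post and not netfilter project code. On a 2.4 netfilter kernel the NAT decision for a flow is made on its first packet and stored in that flow's connection-tracking entry; `iptables -t nat -F` removes the rules but leaves the entries, so a flow that already holds a mapping keeps it until the entry times out. netstat shows sockets on the host, not forwarded flows, so the place to look is /proc/net/ip_conntrack. The script below parses lines in that file's format and lists the entries whose reply tuple is not just the original tuple reversed, i.e. the ones carrying a DNAT or SNAT mapping. The conntrack lines, addresses and the 25 -> 23 mapping are constructed for the example (the mapping mirrors the post's hypothetical mistake); `list_nat_entries` and `stale_mapping_exists` are names chosen here.

```shell
#!/bin/sh
# Added example: inspect Linux connection-tracking entries in the
# /proc/net/ip_conntrack format (2.4 kernels, ip_conntrack module) and
# report the ones that carry a NAT mapping. Such entries keep translating
# their flow until they expire, whatever the nat table currently says.
#
# Line layout (constructed sample below, same shape as the kernel's output):
#   proto protonum timeout [state] orig-tuple [UNREPLIED] reply-tuple [flags] use=N
# where each tuple is "src=A dst=B sport=P dport=Q".

# Constructed sample: one flow still DNATed to port 23 (the post's mistyped
# forward), one untranslated web flow, one unreplied DNS lookup, one SNATed
# outbound flow from the private network.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.1 sport=40123 dport=25 src=10.1.1.25 dst=198.51.100.7 sport=23 dport=40123 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=198.51.100.9 dst=203.0.113.1 sport=40555 dport=80 src=203.0.113.1 dst=198.51.100.9 sport=80 dport=40555 [ASSURED] use=1
udp      17 29 src=192.168.1.5 dst=203.0.113.1 sport=5353 dport=53 [UNREPLIED] src=203.0.113.1 dst=192.168.1.5 sport=53 dport=5353 use=1
tcp      6 299 ESTABLISHED src=192.168.1.8 dst=198.51.100.20 sport=51000 dport=443 src=198.51.100.20 dst=203.0.113.1 sport=443 dport=51000 [ASSURED] use=1'

# Read conntrack lines on stdin; print one line per NAT mapping found:
#   <proto> DNAT <orig dst:dport> -> <reply src:sport>
#   <proto> SNAT <orig src:sport> -> <reply dst:dport>
# The first src/dst/sport/dport seen on a line are the original tuple, the
# second set the reply tuple. Entries that are not translated print nothing.
list_nat_entries() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") == 2 && kv[1] ~ /^(src|dst|sport|dport)$/) {
                if (!(kv[1] in orig)) orig[kv[1]] = kv[2]
                else                  reply[kv[1]] = kv[2]
            }
        }
        # DNAT: the reply comes from somewhere other than the original destination.
        if (reply["src"] != orig["dst"] || reply["sport"] != orig["dport"])
            printf "%s DNAT %s:%s -> %s:%s\n", $1, orig["dst"], orig["dport"], reply["src"], reply["sport"]
        # SNAT/MASQUERADE: the reply is addressed to something other than the original source.
        if (reply["dst"] != orig["src"] || reply["dport"] != orig["sport"])
            printf "%s SNAT %s:%s -> %s:%s\n", $1, orig["src"], orig["sport"], reply["dst"], reply["dport"]
        split("", orig); split("", reply)   # portable way to clear the arrays
    }'
}

# Exit 0 if some entry on stdin still rewrites destination port $1 to port $2,
# e.g. "stale_mapping_exists 25 23 < /proc/net/ip_conntrack" after fixing the rule.
stale_mapping_exists() {
    list_nat_entries | grep -q "DNAT [^ ]*:$1 -> [^ ]*:$2\$"
}

# Stand-alone run on the constructed sample. On a real firewall feed it the
# live table instead:  list_nat_entries < /proc/net/ip_conntrack
# (later kernels expose /proc/net/nf_conntrack, where the line starts with the
# address family, so the first column printed becomes "ipv4"; the tuple logic
# is unchanged.)
printf '%s\n' "$SAMPLE_CONNTRACK" | list_nat_entries
```

If a stale entry shows up after the rules have been flushed, short of waiting for its timeout the way to drop it on a 2.4 kernel is to unload the tracking modules (flush the nat table, then `rmmod iptable_nat ip_conntrack`, assuming nothing else holds them); on kernels with nf_conntrack_netlink, `conntrack -F` from conntrack-tools does the same without unloading anything. Entries are also only created for flows that were actually seen, so a test connection made while the wrong rule was in place is exactly the kind of flow that keeps the old mapping.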

