LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 07-15-2014, 01:38 PM   #1
raeif
LQ Newbie
 
Registered: Jul 2014
Posts: 11

Rep: Reputation: Disabled
ubuntu router/port forwarding


Hi, I'm very new to linux but have been trying some advanced configurations. Sorry if this is a long post but I've tried a lot of things already and I want to give proper context.

I've set up an Ubuntu 12.04 server as a router with port forwarding (the issue is with SMTP). I've pored over all the information I could Google on it and I'm 90% there, I just have a few weird issues. My guess is I don't have UFW configured correctly either on the router or on the mail server.

I'm running an Ubuntu 12.04.4 LTS VM on Hyper-V (I know, VirtualBox or VMware are far better but it is what it is). eth0 is configured with a public IP, eth1 is a private LAN address 10.0.0.1 in my DMZ. I also have another Ubuntu server as an internal firewall separating my DMZ from my internal network; it has an interface configured with DMZ IP 10.0.0.254. My destination http/https servers are currently on my internal network, I haven't moved them to the DMZ yet, so port forwarding passes through the internal fw. The smtp server is on the DMZ subnet with IP 10.0.0.50 (another Ubuntu server with scrollout f1 mail gw, which uses postfix).

I've got NAT working fine and set up port forwarding for 80, 443, 25 and a custom port 1616. The weirdness is that 80, 443 and 1616 forward just fine but 25 isn't forwarding. I verified with my ISP they are not blocking it and it was working prior to Jul 3 on a previous server (hard drive filled up and server crashed, I tried to expand drive but hosed it instead, so I had to rebuild).

All of the port forwarding rules are configured exactly the same in before.rules, so I doubt that's the issue since all work except the one smtp rule. I have UFW on the router configured with the following rules:

Code:
To                         Action      From
--                         ------      ----
10.0.0.50 25              ALLOW       <public ip>
10.0.0.254 80             ALLOW       <public ip>
10.0.0.254 443            ALLOW       <public ip>
10.0.0.254 1616           ALLOW       <public ip>
10.0.0.0/24               DENY        <public ip>
I have UFW configured on the smtp server with the following rules:

Code:
To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
25                         ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
I also enabled ufw logging on both servers but it doesn't show any activity (block or allow).

Last thing is when I try to telnet to the public IP from the public internet, it times out like nothing is listening on 25. I can telnet from the 10.0.0.1 and 10.0.0.254 routers to the mail gw with no problem. I can telnet from my internal Exchange server to the mail gw with no problem. This points me to the router passing traffic from the public IP to the DMZ IP and forwarding it to the mail gw.

I'm happy to post additional configs as needed. Any help or suggestions of where to look next is greatly appreciated!

Note: The IPs have been changed to protect the innocent.
 
Old 07-16-2014, 03:44 AM   #2
hoes
Member
 
Registered: Sep 2005
Distribution: debian, linux from scratch
Posts: 190

Rep: Reputation: 51
Just to check...
You have one host 10.0.0.254 for which it works and one host 10.0.0.50 for which it fails.
Could it be a problem with your host machine 10.0.0.50 instead of with the forwarding?
 
Old 07-16-2014, 03:52 AM   #3
raeif
LQ Newbie
 
Registered: Jul 2014
Posts: 11

Original Poster
Rep: Reputation: Disabled
I can telnet on 25 to the smtp server (10.0.0.50) from any DMZ or LAN IP, 10.0.0.1 (DMZ perimeter FW), 10.0.0.254 (Internal FW) and anything behind the internal FW, 10.10.0.0/24. But after messing with it all day today, now when I telnet from a public IP, it will establish a connection, I get no response from the smtp server, then the connection drops.

Also, it is entirely possible it's the 10.0.0.50 host. It was a fresh install though. I did make a lot of changes to ufw and consequently iptables. Does it cache any of the old settings or something like that?

Last edited by raeif; 07-16-2014 at 04:02 AM.
 
Old 07-16-2014, 04:12 AM   #4
hoes
Member
 
Registered: Sep 2005
Distribution: debian, linux from scratch
Posts: 190

Rep: Reputation: 51
The changes you apply to iptables should be immediate.

But I have a different question.
I see that you allow all data to pass,
but do you also force all data arriving at the external FW to port 25 of 10.0.0.50?
That is something I do not see in your configuration.
 
Old 07-16-2014, 04:18 AM   #5
raeif
LQ Newbie
 
Registered: Jul 2014
Posts: 11

Original Poster
Rep: Reputation: Disabled
The only place I force sending 25 traffic is in before.rules:

Code:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
-A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.0.0.50:25
<more forwarding rules>
COMMIT
I also have since changed my UFW rules based on more articles I've been reading:

Code:
Status: active
Logging: off
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                         Action      From
--                         ------      ----
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
25/tcp                     ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere
 
Old 07-16-2014, 04:52 AM   #6
hoes
Member
 
Registered: Sep 2005
Distribution: debian, linux from scratch
Posts: 190

Rep: Reputation: 51
Your rule for prerouting seems to work based on comparisons with a google search.
Could you check if it also works if you add a similar rule for port 80, 443 or 1616?
This way you can check whether it is in the NAT and forwarding or in the host.
 
Old 07-16-2014, 10:58 AM   #7
raeif
LQ Newbie
 
Registered: Jul 2014
Posts: 11

Original Poster
Rep: Reputation: Disabled
In hindsight, I probably should have posted the whole nat section for comparison. Yes, the rules are the same, I added the smtp rule later and used those as a template:

Code:
# NAT Table
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE

# public ip forwarding rules
-A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.0.0.50:25
-A PREROUTING -p tcp -i eth0 --dport 1616 -j DNAT --to-destination 10.10.0.200:1616
-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.10.0.10:80
-A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to-destination 10.10.0.10:443
COMMIT
I ran some more tests and I think the forwarding is working because I can telnet in from outside now but I get no response, like the connection is established but gets nothing back. Someone else on another board I posted to suggested the smtp server may be sending responses on a different route. Is that possible and how would I check that? I really appreciate the help!
 
Old 07-16-2014, 04:52 PM   #8
sruckh
LQ Newbie
 
Registered: Nov 2003
Posts: 15

Rep: Reputation: 0
Shorewall

This certainly does not answer your specific question, but you might want to check out the open-source project Shorewall ( http://bit.ly/1nc0zEJ ), as it makes dealing with iptables much easier. The author is very helpful, as is the community around the project. The web site's documentation is also very detailed and contains many examples. It is really worth using if you are going to do any extensive work with iptables.
 
Old 07-16-2014, 05:28 PM   #9
raeif
LQ Newbie
 
Registered: Jul 2014
Posts: 11

Original Poster
Rep: Reputation: Disabled
Yeah I didn't see Shorewall until well after I had already gotten deep into using UFW to manage iptables and I'd like to get things back up and running before taking on a new application to learn. I appreciate the suggestion though, it is something I planned on looking into later.
 
Old 07-17-2014, 04:36 PM   #10
raeif
LQ Newbie
 
Registered: Jul 2014
Posts: 11

Original Poster
Rep: Reputation: Disabled
I've fixed the issue; it was a variety of causes. My fw rules were fine and it was forwarding correctly, but I didn't have my adapters configured with the correct gateways so there was no route out. Also my ISP was blocking smtp out. All is working now, thanks all for the help.
 
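The fix in the last post was a missing return route, not a firewall rule: DNAT rewrites only the destination, so the DMZ host answers the public client directly and must route that reply back through the router. As an added diagnostic (not posted in this thread), the POSIX sh helpers below check the three things that have to line up for a forwarded service like the one above: the PREROUTING map on the router, ip_forward, and the reply path from the DMZ host. Assumed: the router's DMZ address 10.0.0.1 as in the thread; the rules sample and the 203.0.113.9 test address are constructed.

```shell
#!/bin/sh
# Added diagnostic helpers for the DNAT / return-route problem in this thread.
# Assumptions (not from the original posts): router DMZ address 10.0.0.1,
# rules in the /etc/ufw/before.rules layout the poster quoted.

# Router side: print "<dport> <target>" for every DNAT rule in the *nat section,
# so the forwarding map can be compared with what each DMZ host really listens on.
list_dnat_targets() {   # $1 = path to a before.rules style file
    awk '/^-A PREROUTING/ && /-j DNAT/ {
        port = ""; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport")          port   = $(i + 1)
            if ($i == "--to-destination") target = $(i + 1)
        }
        if (port != "" && target != "") print port, target
    }' "$1"
}

# Host side: given the output of "ip route get <public ip>" run on the DMZ host,
# succeed only if the next hop is the router. Without this route, the SYN arrives
# (telnet connects) but the SYN-ACK never gets back, which is what post #7 saw.
reply_via_router() {    # $1 = "ip route get" output, $2 = router's DMZ address
    printf '%s\n' "$1" | grep -q -- " via $2 "
}

# Router side: DNAT'd packets are still forwarded, which the kernel refuses unless
# ip_forward is on (UFW keeps that setting in /etc/ufw/sysctl.conf).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Constructed sample mirroring the poster's nat section, for trying the helpers offline.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
-A PREROUTING -p tcp -i eth0 --dport 25 -j DNAT --to-destination 10.0.0.50:25
-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.10.0.10:80
COMMIT
EOF

# Real-world use on the router:  list_dnat_targets /etc/ufw/before.rules; forwarding_enabled
# Real-world use on 10.0.0.50:   reply_via_router "$(ip route get 203.0.113.9)" 10.0.0.1
```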