* mail server problem
From: Roberto Rossi @ 2003-11-07 15:10 UTC
  To: netfilter


Hello all,

I've a range of 30 public internet addresses to manage, starting, say, from 213.25.24.0 to 213.25.24.31, netmask of course 255.255.255.224.

My firewall (Red Hat 9.0, latest kernel) has public IP 213.25.24.30, the router address is 213.25.24.1, and the LAN network is 10.1.0.0/16.

I've an internal mail server, say 10.1.1.2, which I would like to be seen from the outside as 213.25.24.3, one IP of my range.

Apart from DNS registration, what are the correct steps to make this possible?

I just set this rule on my firewall:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 213.25.24.3 --dport 25 -j DNAT --to 10.1.1.2:25

but I guess it's not enough because it's not working.

Any help is really appreciated, thanks in advance.

Roberto - Italy



* Re: mail server problem
From: Antony Stone @ 2003-11-10  9:58 UTC
  To: netfilter

On Monday 10 November 2003 9:48 am, Roberto Rossi wrote:

> Hello all,
>
> I've a range of 30 public internet addresses to manage, starting, say, from
> 213.25.24.0 to 213.25.24.31, netmask of course 255.255.255.224.
>
> My firewall (Red Hat 9.0, latest kernel) has public IP 213.25.24.30, the
> router address is 213.25.24.1, and the LAN network is 10.1.0.0/16.
>
> I've an internal mail server, say 10.1.1.2, which I would like to be seen
> from the outside as 213.25.24.3, one IP of my range.
>
> Apart from DNS registration, what are the correct steps to make this possible?
>
> I just set this rule on my firewall:
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d 213.25.24.3 --dport 25 -j
> DNAT --to 10.1.1.2:25
>
> but I guess it's not enough because it's not working.

You need two more things:

1. A FORWARDing rule to allow the traffic through:

iptables -A FORWARD -p tcp --dport 25 -d 10.1.1.2 -j ACCEPT

(note that this rule uses the true destination address, because the FORWARD 
chain comes after the PREROUTING chain, so the DNAT has already been done.)

2. An ARP response on the external interface so your router knows that 
213.25.24.3 can be found there:

old method:
ifconfig eth0:1 213.25.24.3

new method:
ip addr add dev eth0 213.25.24.3


Antony.

-- 

What I don't know far exceeds what I know, but unfortunately, it is far 
easier to write about what I know than about what I don't know.

 - Kevin Kelly, Out of Control
                                                     Please reply to the list;
                                                           please don't CC me.


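The complete command set behind Antony's two points, as an added example that is not part of the thread. It prints the commands instead of running them so they can be reviewed first, assumes eth1 is the LAN interface (the thread only names eth0), and adds what the reply leaves implicit: IP forwarding has to be on, the FORWARD chain must also pass the replies when its policy is DROP, and an SNAT rule so that mail the server sends out leaves as 213.25.24.3 rather than as the firewall's own address. It first checks that the chosen address is a usable host address in the /27, not its network or broadcast address. POSIX sh, no bashisms.

```shell
#!/bin/sh
# Added example (not from the thread): publish an internal host on a spare
# public address of an on-link block. Addresses, interfaces and port are
# those from Roberto's post; eth1 as the LAN NIC is an assumption.
# Functions print the commands; apply with:  sh publish.sh | sudo sh

# ip2int DOTTED_QUAD -> unsigned 32-bit value (POSIX sh arithmetic)
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# usable_in_subnet IP NETWORK PREFIXLEN
# succeeds only if IP lies inside NETWORK/PREFIXLEN and is neither the
# network address nor the broadcast address (.0 and .31 for this /27)
usable_in_subnet() {
    addr=$(ip2int "$1"); net=$(ip2int "$2")
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    hostmask=$(( ~mask & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ] || return 1
    [ $(( addr & hostmask )) -ne 0 ] || return 1
    [ $(( addr & hostmask )) -ne "$hostmask" ] || return 1
    return 0
}

# publish_host EXT_IF INT_IF PUBLIC_IP PRIVATE_IP PORT
# emits the commands in the order they have to take effect
publish_host() {
    ext_if=$1 int_if=$2 pub_ip=$3 priv_ip=$4 port=$5
    cat <<EOF
# forwarding must be on, or the FORWARD chain is never consulted
sysctl -w net.ipv4.ip_forward=1
# 2. own the address so this box answers the router's ARP request for it
ip addr add ${pub_ip}/32 dev ${ext_if}
# 1. rewrite the destination before routing (nat table, PREROUTING)
iptables -t nat -A PREROUTING -i ${ext_if} -p tcp -d ${pub_ip} --dport ${port} -j DNAT --to-destination ${priv_ip}:${port}
# FORWARD sees the post-DNAT address: let the new connection in ...
iptables -A FORWARD -i ${ext_if} -o ${int_if} -p tcp -d ${priv_ip} --dport ${port} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# ... and the replies back out (needed whenever FORWARD's policy is DROP)
iptables -A FORWARD -i ${int_if} -o ${ext_if} -p tcp -s ${priv_ip} --sport ${port} -m state --state ESTABLISHED,RELATED -j ACCEPT
# connections the mail server opens itself leave as the same public address,
# not as the firewall's own ${ext_if} address
iptables -t nat -A POSTROUTING -o ${ext_if} -s ${priv_ip} -j SNAT --to-source ${pub_ip}
EOF
}

# constructed input: the addresses from Roberto's post
if usable_in_subnet 213.25.24.3 213.25.24.0 27; then
    publish_host eth0 eth1 213.25.24.3 10.1.1.2 25
else
    echo "213.25.24.3 is not a usable host address in 213.25.24.0/27" >&2
fi
```

The FORWARD rules use `-m state`, the match available on the 2.4 kernels Red Hat 9 shipped; on current kernels `-m conntrack --ctstate` is the equivalent. The `/32` on the added address is deliberate: the box only needs to answer ARP for that one host, and a wider prefix would add a second on-link route for the block.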

* Re: mail server problem
From: netfilter @ 2003-11-10 10:15 UTC
  To: netfilter

On Mon, Nov 10, 2003 at 09:58:53AM +0000, Antony Stone wrote:
> 
> You need two more things:
> 
> 1. A FORWARDing rule to allow the traffic through:
> 
> iptables -A FORWARD -p tcp --dport 25 -d 10.1.1.2 -j ACCEPT
> 
> (note that this rule uses the true destination address, because the FORWARD 
> chain comes after the PREROUTING chain, so the DNAT has already been done.)
> 
> 2. An ARP response on the external interface so your router knows that 
> 213.25.24.3 can be found there:
> 
> old method:
> ifconfig eth0:1 213.25.24.3
> 
> new method:
> ip addr add dev eth0 213.25.24.3
> 
If I have a network routed to my linux box say 192.168.1.0/24, do I still have
to add every IP on the subnet if I want to be able to use NATing for the entire
subnet? Also doesn't adding 250 IP addresses to a NIC affect performance?


====
Tomas Edwardsson

> 
> Antony.



* Re: mail server problem
From: Antony Stone @ 2003-11-10 10:25 UTC
  To: netfilter

On Monday 10 November 2003 10:15 am, netfilter@tommi.org wrote:

> > ip addr add dev eth0 213.25.24.3
>
> If I have a network routed to my linux box say 192.168.1.0/24, do I still
> have to add every IP on the subnet if I want to be able to use NATing for
> the entire subnet?

You need to add every IP address for which you want an interface to accept 
packets on a local subnet.   Otherwise the upstream router won't know where 
to send them because nothing responds to ARP requests.

> Also doesn't adding 250 IP addresses to a NIC affect performance?

I'm inclined to say "no", however someone's bound to say "it affects it by 
some minuscule amount", so I'll say "it affects the performance of the box a 
lot less than does routing the traffic you want to push through it".

If you don't like the idea of adding 250 addresses to an interface, simply 
change your network layout so that those addresses are being routed through 
the netfilter machine, rather than existing on a subnet it is directly 
connected to, then you can do the DNAT and the FORWARD without needing the 
address attached to the interface.

Antony.

-- 

Most people have more than the average number of legs.
                                                     Please reply to the list;
                                                           please don't CC me.


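The routed layout Antony describes, as an added example that is not from the thread: the upstream router gets one route for the whole block, the firewall keeps nothing on eth0 and maps the addresses one-to-one with DNAT/SNAT pairs generated in a loop, and a blackhole route stops packets for unmapped addresses from bouncing back to the router through the default route. Tomas's 192.168.1.0/24 stands in for the routed block (a real one would be public); eth1 as the LAN side, 213.25.24.30 as the firewall's address and 10.1.1.0/24 as the internal hosts are assumptions. The FORWARD rules here open every port to the mapped hosts; a real rule set would restrict them per host.

```shell
#!/bin/sh
# Added example (not from the thread): 1:1 NAT for a block that the upstream
# router ROUTES to the firewall, so no address of the block is added to eth0
# and the router never ARPs for individual hosts. Names are assumptions:
# eth0 external, eth1 LAN, 192.168.1.0/24 routed block, 10.1.1.0/24 inside.
# Commands are printed for review, not executed.

# upstream_route BLOCK FIREWALL_IP
# the one line that replaces 250 'ip addr add' commands; it runs on the
# upstream router, not on the firewall
upstream_route() {
    echo "ip route add $1 via $2"
}

# map_block BLOCK PUBLIC_BASE PRIVATE_BASE FIRST LAST
# emits, for every host number N in FIRST..LAST, PUBLIC_BASE.N <-> PRIVATE_BASE.N
map_block() {
    block=$1 pub_base=$2 priv_base=$3 n=$4 last=$5
    # packets for unmapped addresses of the block must be dropped here;
    # otherwise the default route sends them back to the router (a loop)
    echo "ip route add blackhole $block"
    # state rules once for the whole internal range; per-host rules only map
    # (restrict --dport per host in a real deployment)
    echo "iptables -A FORWARD -i eth0 -o eth1 -d $priv_base.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i eth1 -o eth0 -s $priv_base.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    while [ "$n" -le "$last" ]; do
        # DNAT runs before routing, so mapped packets never hit the blackhole
        echo "iptables -t nat -A PREROUTING -i eth0 -d $pub_base.$n -j DNAT --to-destination $priv_base.$n"
        echo "iptables -t nat -A POSTROUTING -o eth0 -s $priv_base.$n -j SNAT --to-source $pub_base.$n"
        n=$((n + 1))
    done
}

# constructed input: Tomas's /24 routed to the firewall from the thread
upstream_route 192.168.1.0/24 213.25.24.30
map_block 192.168.1.0/24 192.168.1 10.1.1 1 254
```

Whether a block is on-link or routed is decided by the upstream router's configuration, not by the firewall: if the router has the block on a directly connected interface it will ARP for each address and the `ip addr add` approach is the only one that works; if it has a route via the firewall, this script is enough.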

* RE: mail server problem
From: MOUDARIR Mohamed @ 2003-11-10 14:43 UTC
  To: Roberto Rossi, netfilter


Maybe you should also add this rule:
iptables -A FORWARD -p TCP -i eth0 -o eth1 -d 10.1.1.2 --dport 25 -j allowed
eth1 is your NIC connected to your private LAN network, 10.1.0.0/16.

-----Original Message-----
From: Roberto Rossi [mailto:roberto.rossi@smc.it]
Sent: Friday 7 November 2003 15:10
To: netfilter@lists.netfilter.org
Subject: mail server problem



Hello all,
 
I've a range of 30 public internet addresses to manage, starting, say, from
213.25.24.0 to 213.25.24.31, netmask of course 255.255.255.224.
 
My firewall (Red Hat 9.0, latest kernel) has public IP 213.25.24.30, the
router address is 213.25.24.1, and the LAN network is 10.1.0.0/16.
 
I've an internal mail server, say 10.1.1.2, which I would like to be seen
from the outside as 213.25.24.3, one IP of my range.
 
Apart from DNS registration, what are the correct steps to make this possible?
 
I just set this rule on my firewall:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 213.25.24.3 --dport 25 -j
DNAT --to 10.1.1.2:25

but I guess it's not enough because it's not working.
 
Any help is really appreciated, thanks in advance.
 
Roberto - Italy    



