From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: How to Get a DMZ host's traffic routed via a particular IP address on a firewall?
Date: Thu, 5 May 2005 17:34:58 -0400 [thread overview]
Message-ID: <20050505213458.GA24884@bender.817west.com> (raw)
In-Reply-To: <c0e9781f05050509315ff51a77@mail.gmail.com>
On Thu, May 05, 2005 at 05:31:54PM +0100, Greg Cope wrote:
> Hi all,
>
> I have an iptables firewall that has 3 ethernet cards,
> eth0(Red/internet) , eth1 (DMZ), eth2 (lan)
>
> eth0 has a few aliases:
>
> eth0 (217.154.55.249) gateway
> eth0:1 (217.154.55.250) for the mail server - an A record for mail.e-dba.net
> eth0:2 (217.154.55.253) for a webserver
> eth0:3 (217.154.55.245) another alias for a host on the DMZ
>
> When sending traffic from this firewall host or any host behind it the
> traffic leaves from eth0 (217.154.55.249).
>
> The firewall's default gateway router is an ADSL ethernet modem on 217.154.55.241
>
> However mail (SMTP) traffic goes in via 217.154.55.250, and I would
> like it to go out via 217.154.55.250 as this has the correct
> (mail.e-dba.net) PTR records.
<--snip crazy routing stuff-->
sounds like you want 1-to-1 NAT for the mail server, which takes 2 NAT
rules (one for connections initiated *to* the mailserver, and one for
connections initiated *from* the mailserver):
iptables -t nat -A PREROUTING -i eth0 -d 217.154.55.250 \
-j DNAT --to-destination $MAILSRV_PRIV_IP
iptables -t nat -A POSTROUTING -o eth0 -s $MAILSRV_PRIV_IP \
-j SNAT --to-source 217.154.55.250
sounds like you already have the 1st rule in place. make sure the 2nd
rule comes *before* any outbound SNAT/MASQ rule that is less specific.
-j
--
"Dennis Miller: I don't want to go on a rant, here, but America's
foreign policy makes about as much sense as Beowulf having sex
with Robert Fulton at the first battle of Antietam. I mean when
a neo-conservative defenestrates it's like Raskolnikov filibuster
deoxymonohydroxinate...
Peter: What the hell does rant mean?"
--Family Guy
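Added example (editor's code, not part of this thread or of the netfilter project): a small POSIX sh script that prints the two 1-to-1 NAT rules from the reply above and checks the ordering caveat it ends with, namely that the host-specific SNAT for the mail server in POSTROUTING must come before any less specific outbound SNAT/MASQUERADE on eth0. The check reads an iptables-save style dump of the nat table, so it can be run against `iptables-save -t nat` on the firewall or, as here, against two constructed dumps. The DMZ address 10.0.1.25 stands in for $MAILSRV_PRIV_IP and is an assumption; 217.154.55.250 is the public alias from the thread.

```sh
#!/bin/sh
# Editor's example, not from the mailing-list thread.
MAILSRV_PRIV_IP=10.0.1.25        # constructed DMZ address, stands in for $MAILSRV_PRIV_IP
MAIL_PUB_IP=217.154.55.250       # public alias for mail.e-dba.net from the thread

# The two rules from the reply: DNAT for inbound connections to the public
# alias, SNAT so outbound connections from the mail server leave from it.
one_to_one_nat_rules() {
    printf 'iptables -t nat -A PREROUTING -i eth0 -d %s -j DNAT --to-destination %s\n' \
        "$MAIL_PUB_IP" "$MAILSRV_PRIV_IP"
    printf 'iptables -t nat -A POSTROUTING -o eth0 -s %s -j SNAT --to-source %s\n' \
        "$MAILSRV_PRIV_IP" "$MAIL_PUB_IP"
}

# Reads an iptables-save style nat dump on stdin. Returns 0 when the SNAT rule
# for the mail server is present in POSTROUTING and precedes every outbound
# SNAT/MASQUERADE rule on eth0 that has no -s match (a catch-all that would
# otherwise translate the mail server's packets first). Returns 1 otherwise.
# Limitation: a subnet-wide -s rule that covers the mail server is not detected.
check_snat_order() {
    awk -v priv="$MAILSRV_PRIV_IP" '
        /^-A POSTROUTING / && /-o eth0/ {
            n++
            if (/-j SNAT/ && (index($0, "-s " priv "/32 ") || index($0, "-s " priv " "))) {
                specific = n
            } else if (/-j (SNAT|MASQUERADE)/ && $0 !~ /-s /) {
                if (!generic) generic = n
            }
        }
        END {
            if (!specific) exit 1                  # SNAT rule missing entirely
            if (generic && generic < specific) exit 1   # catch-all shadows it
            exit 0
        }'
}

# Constructed dumps: the first has the specific SNAT before MASQUERADE,
# the second has them the wrong way round.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 217.154.55.250/32 -j DNAT --to-destination 10.0.1.25
-A POSTROUTING -o eth0 -s 10.0.1.25/32 -j SNAT --to-source 217.154.55.250
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

BAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 217.154.55.250/32 -j DNAT --to-destination 10.0.1.25
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -s 10.0.1.25/32 -j SNAT --to-source 217.154.55.250
COMMIT'

check_good_dump() { printf '%s\n' "$GOOD_DUMP" | check_snat_order; }
check_bad_dump()  { printf '%s\n' "$BAD_DUMP"  | check_snat_order; }

# Stand-alone run: print the rules and report both constructed dumps.
one_to_one_nat_rules
check_good_dump && echo "good dump: SNAT ordered correctly"
check_bad_dump  || echo "bad dump: MASQUERADE precedes the mail server SNAT"
```

On the real firewall, `iptables-save -t nat | check_snat_order` gives the same pass/fail after sourcing the script; a failing result means outbound mail would still leave from 217.154.55.249 because the earlier catch-all rule translates the packet before the specific SNAT is reached.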