From: Alex Samad
Date: Tue, 11 Dec 2007 08:16:35 +0000
Subject: Re: [LARTC] PAT HOW to - IPTABLES
Message-Id: <20071211081635.GC8267@samad.com.au>
In-Reply-To: <7ed6b0aa0712100220n57ea0e54x628d539621cb6b35@mail.gmail.com>
To: lartc@vger.kernel.org

On Tue, Dec 11, 2007 at 12:19:22AM +0100, Radek 'Goblin' Pieczonka wrote:
>
>>> Suppose, I have 3 mail servers @ DMZ zone with one real ip. the situation
>>> as before?
>>>
>>> in that case, What can I do?
>>>
>> you could use exim/postfix and route the mail to the right server, but I
>> guess you are trying to find out how to have port 25 on the real ip nat'ed
>> to one of the 3 dmz'ed ip based upon the destination mail address
>>
>> short answer you can't as far as I know, iptables only looks at src ip /
>> src port & dest ip/dest port. You could write your own plugin module to
>> look into the tcp stream.
>>
>
> based upon destination email address/domain could be done by postfix and
> transports for selected mail/domain to selected server. but there is also a
> possibility of load balancing and failover for set of domains with all
> servers working with all the domains for HA and flexibility of computing
> power, then I'd say take a look at keepalived for both those features. for
> http traffic it's actually the same, and also you can consider apache
> reverse proxy feature.

he only has 1 real ip

[silly idea]
of course could be really tricky and use an ipv6 to ipv4 address and name all
the dmz servers with ipv6 (in dns as well), really relying upon clients to be
ipv6 enabled
[/silly idea]

>
> --
> Radek aka Goblin
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>