From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: "DNAT" w/o changing source address?
Date: Thu, 04 Oct 2007 16:59:34 +0200
Message-ID: <4704FFD6.8050304@plouf.fr.eu.org>
In-Reply-To: <1191507779.13379.50.camel@localhost.localdomain>

John Madden wrote:
>>If traffic does not flow without it, it could mean that the mail server 
>>does not send the reply traffic back to the NAT box. This is a routing 
>>problem. Does the mail server use the NAT box as its default gateway?
> 
> Ah, now we're getting somewhere.  No, the mail server doesn't use the
> NAT box as its default gateway, it's using a general default route
> somewhere else in the network for it.  The NAT box and the mail server
> are on different VLANs, but that's about all that separates them --

Do you mean that they are in different subnets?

> both have globally routable IPs.  

Private/public addressing does not matter here. You can have public 
addresses behind a NAT box, although it may sound unusual (NAT is mostly 
used to hide private addressing when you don't have enough public 
addresses). The important word is "behind", meaning that traffic in both 
directions flows through the NAT box. This is important because the NAT 
box changed the source and/or destination address on the original 
traffic, so it must put it back on the reply traffic in order for the 
client to accept it as a reply. It's not the SNAT rule which puts the 
original address back, it only makes the server see the NAT box as the 
client and send the reply traffic back to it. But the drawback is that 
the server does not see the real client source address.

Without SNAT, the mail server could use the NAT box as a gateway at 
least for SMTP reply traffic (this could be done with advanced routing 
if the mail server runs Linux) if they are in the same subnet or if a 
tunnel can be established directly between them.

> I'm literally just trying to emulate the functionality of LVS here,
> where port 80 on an IP goes to one machine and port 25 goes somewhere
> else.

Sorry, I do not know how LVS works. I just know how Netfilter NAT works.
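A small packet-flow model of the three situations discussed above: DNAT only with the server's replies leaving through some other default gateway, DNAT plus SNAT, and DNAT with the server routing its SMTP replies back through the NAT box. This is an added example, not code from the thread; all addresses are constructed TEST-NET values and the NAT box is reduced to a conntrack table keyed on the translated tuple.

```python
from dataclasses import dataclass, replace
# Constructed example addresses (TEST-NET ranges), not taken from the original thread.
CLIENT = "203.0.113.10"    # remote SMTP client
VIP = "198.51.100.1"       # public address on the NAT box that the DNAT rule listens on
NATBOX = "198.51.100.2"    # address the NAT box uses as SNAT source
MAIL = "198.51.100.25"     # mail server behind the NAT box, with its own public address

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int

class NatBox:
    """Stateful NAT: DNAT port 25 on VIP to MAIL, with optional SNAT to NATBOX."""
    def __init__(self, snat: bool):
        self.snat = snat
        self.conntrack = {}  # translated forward tuple -> original packet

    def forward(self, p: Pkt) -> Pkt:
        # PREROUTING DNAT rewrites the destination; POSTROUTING SNAT (optional) the source.
        out = replace(p, dst=MAIL)
        if self.snat:
            out = replace(out, src=NATBOX)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = p
        return out

    def reply(self, p: Pkt) -> Pkt:
        # A reply is matched against the conntrack entry and the original addresses restored.
        orig = self.conntrack[(p.src, p.sport, p.dst, p.dport)]
        return Pkt(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport)

def run(snat: bool, reply_via_natbox: bool) -> dict:
    nat = NatBox(snat)
    syn = Pkt(CLIENT, VIP, 40000, 25)
    at_server = nat.forward(syn)
    # The server answers whatever source it saw; without SNAT that is the real client.
    synack = Pkt(at_server.dst, at_server.src, 25, at_server.sport)
    # With SNAT the reply is addressed to the NAT box and reaches it whatever the server's
    # default gateway is; without SNAT only policy routing on the server sends it there.
    if snat or reply_via_natbox:
        synack = nat.reply(synack)
    expected = (syn.dst, syn.dport, syn.src, syn.sport)
    accepted = (synack.src, synack.sport, synack.dst, synack.dport) == expected
    return {"server_sees": at_server.src, "client_accepts": accepted}

if __name__ == "__main__":
    for snat, via in ((False, False), (True, False), (False, True)):
        print(f"snat={snat!s:5} reply_via_natbox={via!s:5} -> {run(snat, via)}")
```

The first case is the one described in the thread: the SYN/ACK arrives at the client from the mail server's own address rather than the VIP, so it matches no connection and the handshake never completes.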
