Linux Netfilter discussions
From: Joel Newkirk <netfilter@newkirk.us>
To: Magnus Solvang <magnus@solvang.net>, netfilter@lists.samba.org
Subject: Re: Port Forwarding for port 25 (again...)
Date: Mon, 24 Feb 2003 21:53:47 -0500
Message-ID: <200302242153.47253.netfilter@newkirk.us>
In-Reply-To: <20030225005407.GA28447@first.knowledge.no>

On Monday 24 February 2003 07:54 pm, Magnus Solvang wrote:
> I have a firewall set up with an internal (192.168.1.20) and
> an external ip-address (x.x.x.49). The former mailserver for
> this domain has been placed on the LAN, and given the address
> 192.168.1.101. MX for the domain still points to its old
> ip-address (x.x.x.34). The firewall is behind the router for
> the external domain.
>
> I can't seem to be able to forward smtp-traffic from x.x.x.34
> to 192.168.1.101 via the firewall. I _am_ able to forward port
> 25 from the firewall's external interface to the mailserver behind,
> but as mentioned - not from the former ip-address of the mailserver,
> and to the new internal address.
>
> I have tried numerous versions of:
> $IPTABLES -t nat -A PREROUTING -i $INET_NCARD -d x.x.x.34 -p tcp \
> --dport 25 -j DNAT --to-destination 192.168.1.101:25
>
> But a telnet to the old, external ip-address of the mailserver
> just hangs (until it returns a "No route to host").

Which sums it up pretty accurately, I suspect.  If the firewall has an 
external IP x.y.z.49, then it will handle traffic to that IP.  If the MX 
(or your telnet test) points to x.y.z.34, then the upstream router will 
be looking for something that responds to _that_ IP.  If it cannot find 
anything using that IP, then there is no route.  Presuming that x.y.z 
are the same in both cases, you may get the results you want with:

ifconfig eth0:1 x.y.z.34

Where eth0 would be the interface with x.y.z.49 on it, $INET_NCARD in 
your rule above.  This will create a second 'virtual' interface that 
responds to this second IP, in addition to the main eth0 responding to 
the present firewall IP.  The interface will still be referred to as 
eth0 in iptables rules, but it will now handle both IPs.  DNAT will be 
reversed properly, so return traffic will appear to come from x.y.z.34 
without further work, but if you need the mailserver to initiate 
connections that appear to come from that IP then you will need to 
explicitly SNAT those connections, otherwise it will appear as x.y.z.49 
if it makes a new connection.

j
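
The steps Joel describes, pulled together as one script (an added example, not part of the thread): bring up the old MX address as a secondary address on the external interface, DNAT inbound SMTP for that address to the internal mailserver, SNAT the mailserver's own outbound SMTP so it leaves with the old address, and open the FORWARD chain for the translated flow, which NAT rules alone do not do. Interface name, the x.y.z.34 placeholder and the internal addresses are taken from the thread; the use of iproute2's `ip addr add` in place of the ifconfig alias, and the `DRY_RUN` wrapper that prints commands instead of executing them, are assumptions of this example.

```shell
#!/bin/sh
# Added example for the thread above; not code from the original posts.
# Variables default to the addresses used in the thread (x.y.z.34 is a placeholder).
EXT_IF="${EXT_IF:-eth0}"
OLD_MX_IP="${OLD_MX_IP:-x.y.z.34}"      # former mailserver address, still the MX target
MAIL_INT="${MAIL_INT:-192.168.1.101}"   # mailserver's new LAN address
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print the commands, 0 = execute (needs root)

# run: print the command in dry-run mode, otherwise execute it verbatim.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Assumption: iproute2 is installed. This is the modern equivalent of the
# "ifconfig eth0:1 x.y.z.34" alias from the reply; a /32 avoids adding a second
# subnet route, and the label keeps the alias visible to ifconfig as eth0:1.
add_alias() {
    run ip addr add "$OLD_MX_IP/32" dev "$EXT_IF" label "$EXT_IF:1"
}

# Inbound: the firewall now answers ARP for the old address, so the upstream
# router delivers the packet and PREROUTING can rewrite the destination.
dnat_smtp() {
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$OLD_MX_IP" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAIL_INT:25"
}

# Outbound: replies to DNAT'd connections are reversed by conntrack automatically,
# but connections the mailserver opens itself would leave with the firewall's
# primary address unless explicitly SNAT'd to the old MX address.
snat_smtp() {
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$MAIL_INT" -p tcp --dport 25 \
        -j SNAT --to-source "$OLD_MX_IP"
}

# The translated flow still has to be allowed through FORWARD; the nat table only
# rewrites addresses, it does not permit traffic.
allow_forward() {
    run iptables -A FORWARD -i "$EXT_IF" -d "$MAIL_INT" -p tcp --dport 25 \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$MAIL_INT" -o "$EXT_IF" -p tcp --dport 25 \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

all_rules() {
    add_alias
    dnat_smtp
    snat_smtp
    allow_forward
}

# Usage: ./mx-alias.sh            (prints the commands)
#        ./mx-alias.sh --apply    (runs them; requires root and iptables/iproute2)
if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
fi
all_rules
```

Run it without arguments first and read the printed commands; `--apply` executes them. The SNAT rule is limited to TCP/25 so that only mail delivery is re-sourced; widen the match if the mailserver must also appear as x.y.z.34 for other protocols.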



Thread overview: 4+ messages
2003-02-25  0:54 Port Forwarding for port 25 (again...) Magnus Solvang
2003-02-25  2:53 ` Joel Newkirk [this message]
2003-02-25  3:33   ` Magnus Solvang
2003-02-25 22:54 ` Willem Oldeman
