From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: NAT on the same network
Date: Wed, 28 May 2008 20:04:39 -0500
Message-ID: <483E0127.4070301@riverviewtech.net>
In-Reply-To: <1212005433.483dbc39ef035@www.versateladsl.be>

On 05/28/08 15:10, Matton wrote:
> I have a mail server which can only receive mail from mail-relay for
> address rewriting. Then I build rules to forward connections to the
> mail-relay if the source is not the mail-relay.

<snip>

> From proxy2 I have the connection on the mail-server, fine. For other
> machines I have a log for the PREROUTING and the log for the POSTROUTING,
> but the connection can't be up to the mail-relay (proxy2)

Let me see if I understand what you are wanting to do correctly or not.
It sounds like you are wanting to DNAT any traffic to any SMTP server
to a specific SMTP server within your network with the exception of the
target SMTP server in your network.

In other words redirect any SMTP traffic over to "Bob" unless the source
is "Bob" and then let "Bob" send to whoever he wants to.

> What can I do ?

You are close with your DNATing rules except for the fact that when
"Bob" replies to "Tom" (who is on your network) "Bob's" reply will not
pass through the system that did the redirecting. This means that "Tom"
will see a packet from "Bob" that he has no idea where it came from and
as such hang up on "Bob".

To make this work, you need to SNAT the traffic that is being redirected
to "Bob" as well as DNATing to "Bob". This will make "Bob" think the
traffic came from the system that did the redirecting and as such reply
to the system that did the redirecting. When the system that did the
redirecting gets "Bob's" reply, it will send it back to "Tom" who sent
the original request that got redirected.

> Thanks for your help

*nod*

Grant. . . .
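
The DNAT plus SNAT pairing described in the reply above, written out as an added example; it is not part of the original thread and is not the poster's or Grant Taylor's rule set. All addresses, the interface name and the function names are constructed assumptions, and the `--ctstate DNAT` match, which limits the SNAT to connections that were actually redirected, goes beyond what the reply states.

```shell
#!/bin/sh
# Added example: emits the DNAT + SNAT pair for same-subnet SMTP redirection.
# All addresses and the interface name below are constructed placeholders.
RELAY=192.168.1.10      # "Bob": the mail-relay everything is redirected to
GATEWAY=192.168.1.1     # LAN address of the system doing the redirecting
LAN=192.168.1.0/24      # network shared by "Tom", "Bob" and the gateway
LAN_IF=eth0             # gateway interface facing that network

# is_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# hairpin_rules RELAY GATEWAY LAN IFACE: prints the two iptables commands.
hairpin_rules() {
    relay=$1 gw=$2 lan=$3 ifc=$4
    is_ipv4 "$relay" && is_ipv4 "$gw" || { echo "bad address" >&2; return 1; }
    [ "$relay" != "$gw" ] || { echo "relay and gateway must differ" >&2; return 1; }
    # 1. Redirect SMTP from every source except the relay itself ("Bob").
    echo "iptables -t nat -A PREROUTING -i $ifc ! -s $relay -p tcp --dport 25 -j DNAT --to-destination $relay:25"
    # 2. Rewrite the source of redirected connections to the gateway, so the
    #    relay answers the gateway and the reply is un-NATed before "Tom" sees it.
    echo "iptables -t nat -A POSTROUTING -s $lan -d $relay -p tcp --dport 25 -m conntrack --ctstate DNAT -j SNAT --to-source $gw"
}

# Print the commands for review; run them as root on the gateway to apply.
hairpin_rules "$RELAY" "$GATEWAY" "$LAN" "$LAN_IF"
```

Because of the SNAT, the relay logs the gateway address as the client for every redirected connection, so IP-based relay permissions on "Bob" can no longer tell individual LAN hosts apart.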