* NAT on the same network
From: Matton @ 2008-05-28 20:10 UTC
To: netfilter
Hi all,
I have a mail server that can only receive mail from the mail-relay, for
address rewriting.
So I built rules to forward connections to the mail-relay if the source is not
the mail-relay.
Following are the rules to do that:
ip_forward=1
PROXY2=10.97.200.156   # the mail-relay
SMTP=25
MYIP=10.97.24.76       # this box, which does the redirecting
# log, then DNAT to the relay
iptables -t nat -N LOG_NATSMTP
iptables -t nat -A LOG_NATSMTP -j LOG --log-prefix '[IPT_NATSMTP]'
iptables -t nat -A LOG_NATSMTP -j DNAT --to-destination ${PROXY2}
# log, then SNAT to this box
iptables -t nat -N LOG_SNAT
iptables -t nat -A LOG_SNAT -j LOG --log-prefix '[IPT_SNATSMTP]'
iptables -t nat -A LOG_SNAT -j SNAT --to-source ${MYIP}
# SMTP not coming from the relay is redirected to it
# (the original had "{PROXY2}" without the "$", which iptables cannot resolve;
#  "! -s" is the current negation syntax, "-s !" is the deprecated form)
iptables -t nat -A PREROUTING ! -s ${PROXY2} -p tcp --dport ${SMTP} -j LOG_NATSMTP
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport ${SMTP} -j LOG_SNAT
From proxy2 I have the connection on the mail-server, fine.
For other machines I have a log for the PREROUTING and the log for the POSTROUTING,
but the connection can't be set up to the mail-relay (proxy2).
What can I do?
Thanks for your help
Jean-Louis
* Re: NAT on the same network
From: Grant Taylor @ 2008-05-29 1:04 UTC
To: Mail List - Netfilter
On 05/28/08 15:10, Matton wrote:
> I have a mail server that can only receive mail from the mail-relay, for
> address rewriting. So I built rules to forward connections to the
> mail-relay if the source is not the mail-relay.
<snip>
> From proxy2 I have the connection on the mail-server, fine. For other
> machines I have a log for the PREROUTING and the log for the POSTROUTING,
> but the connection can't be set up to the mail-relay (proxy2).
Let me see if I understand what you are wanting to do correctly or not.
It sounds like you are wanting to DNAT any traffic to any SMTP server
to a specific SMTP server within your network, with the exception of the
target SMTP server in your network.
In other words, redirect any SMTP traffic over to "Bob" unless the source
is "Bob", and then let "Bob" send to whoever he wants to.
> What can I do?
You are close with your DNATing rules, except for the fact that when
"Bob" replies to "Tom" (who is on your network), "Bob's" reply will not
pass through the system that did the redirecting. This means that "Tom"
will see a packet from "Bob" that he has no idea where it came from, and
as such will hang up on "Bob".
To make this work, you need to SNAT the traffic that is being redirected
to "Bob" as well as DNATing to "Bob". This will make "Bob" think the
traffic came from the system that did the redirecting and as such reply
to the system that did the redirecting. When the system that did the
redirecting gets "Bob's" reply, it will send it back to "Tom" who sent
the original request that got redirected.
> Thanks for your help
*nod*
Grant. . . .
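The setup Grant describes, as an added example that is not part of the thread: SMTP from anyone but the relay is DNATed to the relay, and only those redirected connections are then SNATed to this box, so the relay's replies come back through the redirecting host and are un-NATed on their way to "Tom". The addresses are the ones from Matton's post; the interface name, the conntrack-based restriction of the SNAT rule, and the FORWARD-chain rules are assumptions. The script prints the commands by default (DRY_RUN=1) so the rule set can be reviewed without root; run it with DRY_RUN=0 to apply.

```shell
#!/bin/sh
# Added example (not from the original thread): hairpin NAT for forcing
# all SMTP through a mail relay, as Grant Taylor's reply describes.
# Addresses are from Matton's post; interface and FORWARD rules are
# assumptions. DRY_RUN=1 prints the commands, DRY_RUN=0 executes them.

PROXY2=${PROXY2:-10.97.200.156}   # mail relay ("Bob" in the reply)
MYIP=${MYIP:-10.97.24.76}         # this box: the host doing the redirect
SMTP=${SMTP:-25}
IFACE=${IFACE:-eth0}              # assumed LAN interface
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

nat_rules() {
    # Redirected packets are forwarded back out the same LAN, so the
    # kernel must be allowed to forward at all.
    run sysctl -w net.ipv4.ip_forward=1

    # Log-then-DNAT chain, used only for SMTP that did not come from the
    # relay itself (otherwise the relay's own outbound mail would loop).
    run iptables -t nat -N LOG_NATSMTP
    run iptables -t nat -A LOG_NATSMTP -j LOG --log-prefix '[IPT_NATSMTP]'
    run iptables -t nat -A LOG_NATSMTP -j DNAT --to-destination "$PROXY2"
    run iptables -t nat -A PREROUTING ! -s "$PROXY2" -p tcp --dport "$SMTP" -j LOG_NATSMTP

    # Log-then-SNAT chain. Matching only connections that conntrack has
    # marked as DNATed limits the source rewrite to the redirected flows,
    # so the relay sees this box as the client and replies to it.
    run iptables -t nat -N LOG_SNAT
    run iptables -t nat -A LOG_SNAT -j LOG --log-prefix '[IPT_SNATSMTP]'
    run iptables -t nat -A LOG_SNAT -j SNAT --to-source "$MYIP"
    run iptables -t nat -A POSTROUTING -o "$IFACE" -d "$PROXY2" -p tcp --dport "$SMTP" \
        -m conntrack --ctstate DNAT -j LOG_SNAT

    # The redirected flow passes through FORWARD, so a restrictive FORWARD
    # policy must still let it and the relay's replies through.
    run iptables -A FORWARD -d "$PROXY2" -p tcp --dport "$SMTP" -m conntrack --ctstate DNAT -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

nat_rules
```

The SNAT restriction is the practical difference from the original POSTROUTING rule, which rewrote the source of every outbound port-25 packet on eth0, including the relay's own traffic passing through; checking the log prefixes in the kernel log shows which chain a given packet hit.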
Thread overview: 4+ messages
2008-05-28 20:10 NAT on the same network Matton
2008-05-29 1:04 ` Grant Taylor
2008-05-29 8:24 ` Jan Engelhardt
2008-05-29 16:35 ` Grant Taylor