Linux Netfilter discussions
* NAT on the same network
@ 2008-05-28 20:10 Matton
  2008-05-29  1:04 ` Grant Taylor
  0 siblings, 1 reply; 4+ messages in thread
From: Matton @ 2008-05-28 20:10 UTC (permalink / raw)
  To: netfilter



Hi all,

I have a mail server which can only receive mail from the mail-relay, for
address rewriting.
So I built rules to forward connections to the mail-relay if the source is not
the mail-relay.
Following are the rules to do that:
ip_forward=1

PROXY2=10.97.200.156
SMTP=25
MYIP=10.97.24.76


iptables -t nat -N LOG_SNAT
iptables -t nat -A LOG_SNAT -j LOG --log-prefix '[IPT_SNATSMTP]'
iptables -t nat -A LOG_SNAT -j SNAT --to-source ${MYIP}


iptables -t nat -N LOG_NATSMTP
iptables -t nat -A LOG_NATSMTP -j LOG --log-prefix '[IPT_NATSMTP]'
iptables -t nat -A LOG_NATSMTP -j DNAT --to-destination ${PROXY2}

iptables -t nat -A PREROUTING  -s ! ${PROXY2} -p tcp --dport ${SMTP} -j LOG_NATSMTP
iptables -t nat -A POSTROUTING  -o eth0 -p tcp --dport ${SMTP} -j LOG_SNAT

From proxy2 I have the connection on the mail server, fine.
For other machines I have a log for the PREROUTING and the log for the POSTROUTING,
but
the connection can't be set up to the mail-relay (proxy2).

What can I do ?

Thanks for your help
Jean-Louis--


* Re: NAT on the same network
  2008-05-28 20:10 NAT on the same network Matton
@ 2008-05-29  1:04 ` Grant Taylor
  2008-05-29  8:24   ` Jan Engelhardt
  0 siblings, 1 reply; 4+ messages in thread
From: Grant Taylor @ 2008-05-29  1:04 UTC (permalink / raw)
  To: Mail List - Netfilter

On 05/28/08 15:10, Matton wrote:
> I have a mail server which can only receive mail from the mail-relay, for 
> address rewriting. So I built rules to forward connections to the 
> mail-relay if the source is not the mail-relay.

<snip>

> From proxy2 I have the connection on the mail server, fine. For other 
> machines I have a log for the PREROUTING and the log for the POSTROUTING, 
> but the connection can't be set up to the mail-relay (proxy2).

Let me see if I understand what you are wanting to do correctly or not.
It sounds like you are wanting to DNAT any traffic to any SMTP server 
to a specific SMTP server within your network with the exception of the 
target SMTP server in your network.

In other words redirect any SMTP traffic over to "Bob" unless the source 
is "Bob" and then let "Bob" send to whoever he wants to.

> What can I do ?

You are close with your DNATing rules except for the fact that when 
"Bob" replies to "Tom" (who is on your network) "Bob's" reply will not 
pass through the system that did the redirecting.  This means that "Tom" 
will see a packet from "Bob" that he has no idea where it came from and 
as such hang up on "Bob".

To make this work, you need to SNAT the traffic that is being redirected 
to "Bob" as well as DNATing to "Bob".  This will make "Bob" think the 
traffic came from the system that did the redirecting and as such reply 
to the system that did the redirecting.  When the system that did the 
redirecting gets "Bob's" reply, it will send it back to "Tom" who sent 
the original request that got redirected.

> Thanks for your help

*nod*



Grant. . . .


* Re: NAT on the same network
  2008-05-29  1:04 ` Grant Taylor
@ 2008-05-29  8:24   ` Jan Engelhardt
  2008-05-29 16:35     ` Grant Taylor
  0 siblings, 1 reply; 4+ messages in thread
From: Jan Engelhardt @ 2008-05-29  8:24 UTC (permalink / raw)
  To: Grant Taylor; +Cc: Mail List - Netfilter


On Thursday 2008-05-29 03:04, Grant Taylor wrote:
>> What can I do ?
>
> You are close with your DNATing rules except for the fact that when "Bob"
> replies to "Tom" (who is on your network) "Bob's" reply will not pass through
> the system that did the redirecting.  This means that "Tom" will see a packet
> from "Bob" that he has no idea where it came from and as such hang up on "Bob".

In other words... *drumroll*
http://jengelh.medozas.de/images/dnat-mistake.png :-)

> To make this work, you need to SNAT the traffic [...]

Therefore making bug hunting harder because the wrong IP address
shows up in the logs on the final host.

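To make Grant's reply-path argument and Jan's logging caveat concrete, here is an added simulation (not code from the thread) of the redirecting host with a minimal conntrack table. Tom's address is constructed; the redirector and relay addresses are MYIP and PROXY2 from the original rules. It shows that with DNAT alone the relay's SYN-ACK reaches Tom from an address he never connected to, that adding SNAT fixes the reply path, and that the relay then logs the redirector's address instead of Tom's.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOM = "10.97.24.10"          # constructed client on the same LAN
REDIRECTOR = "10.97.24.76"   # MYIP: the host running the nat rules
BOB = "10.97.200.156"        # PROXY2: the mail-relay ("Bob")
SMTP = 25

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "SYN" or "SYN-ACK"

class Redirector:
    """PREROUTING DNAT to Bob, optional POSTROUTING SNAT to our own address,
    plus the conntrack entry netfilter keeps to un-NAT the reply direction."""
    def __init__(self, snat: bool) -> None:
        self.snat = snat
        # key: (reply src, reply sport, reply dst, reply dport) -> original packet
        self.conntrack: Dict[Tuple[str, int, str, int], Packet] = {}

    def forward(self, p: Packet) -> Packet:
        if p.src == BOB:                      # '-s ! ${PROXY2}': Bob is left alone
            return p
        src = REDIRECTOR if self.snat else p.src
        out = Packet(src, BOB, p.sport, p.dport, p.flags)
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = p
        return out

    def reverse(self, p: Packet) -> Optional[Packet]:
        orig = self.conntrack.get((p.src, p.sport, p.dst, p.dport))
        if orig is None:
            return None                       # no state: netfilter would not un-NAT
        return Packet(orig.dst, orig.src, orig.dport, orig.sport, p.flags)

def simulate(snat: bool) -> dict:
    """Tom opens a TCP connection to REDIRECTOR:25 from sport 4321."""
    r = Redirector(snat)
    to_bob = r.forward(Packet(TOM, REDIRECTOR, 4321, SMTP, "SYN"))
    # Bob is NAT-unaware: he answers whatever source address he was sent.
    reply: Optional[Packet] = Packet(BOB, to_bob.src, SMTP, to_bob.sport, "SYN-ACK")
    if reply.dst == REDIRECTOR:               # only then does the reply cross the NAT box
        reply = r.reverse(reply)
    # Tom's socket accepts a SYN-ACK only from the peer he actually connected to.
    accepted = reply is not None and (reply.src, reply.sport, reply.dport) == (REDIRECTOR, SMTP, 4321)
    return {"bob_sees_client": to_bob.src, "reply_from": reply.src if reply else None, "tom_accepts": accepted}
```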

* Re: NAT on the same network
  2008-05-29  8:24   ` Jan Engelhardt
@ 2008-05-29 16:35     ` Grant Taylor
  0 siblings, 0 replies; 4+ messages in thread
From: Grant Taylor @ 2008-05-29 16:35 UTC (permalink / raw)
  To: Mail List - Netfilter

On 05/29/08 03:24, Jan Engelhardt wrote:
> In other words... *drumroll*
> http://jengelh.medozas.de/images/dnat-mistake.png :-)
> 
> Therefore making bug hunting harder because the wrong IP address
> shows up in the logs on the final host.

*nod* *nod* *nod*

I wish this was documented as a "Gotcha" or something similar in the 
LARTC.  (At least the last time I looked at it this was not in there.)



Grant. . . .
