Indunil Jayasooriya wrote:
FIRST firewall (its internet ip address - 1.2.3.4/29) I have added below rule.
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 1.2.3.4 --dport 25 -j DNAT --to-destination 2.3.4.5:25
That should forward port 25 to SECOND firewall. In the SECOND firewall, I
have added the 2 rules below.
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 2.3.4.5 --dport 25 -j DNAT --to-destination 192.168.100.3:25
iptables -A FORWARD -p tcp -d 192.168.100.3 --dport 25 -m state --state NEW -j ACCEPT
First run tcpdump* or the like on the smtp box to see that incoming
packets arrive. If they don't, see if they arrive on 2.3.4.5 etc.
If they arrive at the destination see how much they go back (tcpdump on
the firewall boxes).
Btw, assuming both of your firewall boxes have similar iptables
rulesets, shouldn't the first one also have a -t filter -A FORWARD ...
-j ACCEPT rule? Make sure you also have the ESTABLISHED,RELATED -j
ACCEPT rules.
And have you made sure that the smtp box accepts connections from
anywhere? Is your MTA listening on the external interface?
* - tcpdump -i eth0 port 25
Regards,
--
Aleksander Kamenik
system administrator
+372 6659 649
aleksander@xxxxxxxxxxxxxxx
Krediidiinfo AS
http://www.krediidiinfo.ee/
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
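Added example (not from either poster): a small Python checker that walks an iptables-save dump and reports whether a DNAT port-forward has the filter-side rules the reply asks about: an ACCEPT in filter/FORWARD for NEW connections to the translated destination, and an ESTABLISHED,RELATED ACCEPT for the return packets. The two dumps are constructed to mirror the thread: FIRST_FW_SAVE has the DNAT but no FORWARD rules (the gap the reply points at), SECOND_FW_SAVE has all three. The dump format, chain names and the `-m state`/`-m conntrack` option names are standard iptables-save output; everything else (function names, the sample dumps) is this example's own.

```python
"""Check an iptables-save dump for a complete DNAT forward path (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed dump for the FIRST firewall: DNAT present, FORWARD policy DROP,
# and no rule in filter/FORWARD that lets the translated packets through.
FIRST_FW_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 1.2.3.4/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 2.3.4.5:25
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Constructed dump for the SECOND firewall: DNAT plus both FORWARD rules.
SECOND_FW_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 2.3.4.5/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.100.3:25
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.100.3/32 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
COMMIT
"""

Rule = Tuple[str, str, List[str]]  # (table, chain, option tokens)


def parse_save(text: str) -> Tuple[List[Rule], Dict[Tuple[str, str], str]]:
    """Split iptables-save output into append rules and per-chain policies."""
    rules: List[Rule] = []
    policies: Dict[Tuple[str, str], str] = {}
    table = ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                     # *nat, *filter, ...
            table = line[1:]
        elif line.startswith(":"):                   # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):                 # -A CHAIN <options...>
            tokens = line.split()
            rules.append((table, tokens[1], tokens[2:]))
    return rules, policies


def _opt(tokens: List[str], name: str) -> Optional[str]:
    """Value following option `name` in a rule, or None if the option is absent."""
    for i, tok in enumerate(tokens):
        if tok == name and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def _covers(spec: Optional[str], ip: str) -> bool:
    """True if a -d/-s spec (host or CIDR, e.g. 1.2.3.4/32) includes ip."""
    return spec is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def check_forward_path(save_text: str, public_ip: str, port: int) -> Dict[str, object]:
    """Report whether a DNAT for public_ip:port has the filter rules it needs."""
    rules, policies = parse_save(save_text)
    issues: List[str] = []

    # 1. Find the nat/PREROUTING DNAT for the public address and port.
    target = None
    for table, chain, tok in rules:
        if (table, chain) == ("nat", "PREROUTING") and _opt(tok, "-j") == "DNAT" \
                and _covers(_opt(tok, "-d"), public_ip) and _opt(tok, "--dport") == str(port):
            target = _opt(tok, "--to-destination")
            break
    if target is None:
        return {"dnat_target": None, "forward_new_ok": False, "forward_established_ok": False,
                "issues": [f"no DNAT rule for {public_ip}:{port} in nat/PREROUTING"]}
    t_ip, _, t_port = target.partition(":")
    t_port = t_port or str(port)                    # no port in --to-destination keeps the original

    forward = [tok for table, chain, tok in rules if (table, chain) == ("filter", "FORWARD")]
    policy_accept = policies.get(("filter", "FORWARD")) == "ACCEPT"

    def accepts_new(tok: List[str]) -> bool:
        """ACCEPT whose -d/--dport/--state (if given) admit a NEW flow to the target."""
        state = _opt(tok, "--state") or _opt(tok, "--ctstate")
        d, p = _opt(tok, "-d"), _opt(tok, "--dport")
        return (_opt(tok, "-j") == "ACCEPT"
                and (d is None or _covers(d, t_ip))
                and (p is None or p == t_port)
                and (state is None or "NEW" in state.split(",")))

    def accepts_established(tok: List[str]) -> bool:
        state = _opt(tok, "--state") or _opt(tok, "--ctstate") or ""
        return _opt(tok, "-j") == "ACCEPT" and "ESTABLISHED" in state.split(",")

    # 2. Something must let the NEW connection through (or the policy already does).
    new_ok = policy_accept or any(accepts_new(t) for t in forward)
    if not new_ok:
        issues.append(f"filter/FORWARD never ACCEPTs new connections to {t_ip}:{t_port}")
    # 3. Reply packets need the ESTABLISHED,RELATED ACCEPT (or an ACCEPT policy).
    est_ok = policy_accept or any(accepts_established(t) for t in forward)
    if not est_ok:
        issues.append("filter/FORWARD has no ESTABLISHED,RELATED -j ACCEPT rule")
    return {"dnat_target": target, "forward_new_ok": new_ok,
            "forward_established_ok": est_ok, "issues": issues}


if __name__ == "__main__":
    for name, dump, ip in (("FIRST", FIRST_FW_SAVE, "1.2.3.4"), ("SECOND", SECOND_FW_SAVE, "2.3.4.5")):
        print(name, check_forward_path(dump, ip, 25))
```

On a real box you would feed it `iptables-save` output instead of the constructed dumps; a FORWARD policy of ACCEPT is treated as satisfying both filter checks, and `-m conntrack --ctstate` is accepted alongside the older `-m state --state` form used in the thread.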