on Sat, Jul 03, 2004 at 05:18:06PM -0500, Gregory Nowak wrote:
> Hi all.
>
> I am trying to setup iptables to transparently redirect out-bound
> traffic to any host on port 25 to instead go to IP address
> aaa.bbb.ccc.ddd on port 25. So, after doing some searching with
> google, and some playing around, I have the following line in my
> firewall script:
>
> iptables -t nat -A POSTROUTING -p tcp -o $eth0 --dport 25 -j DNAT
> --to-source aaa.bbb.ccc.ddd

From a quick look at the iptables man page I see:

    This target is only valid in the nat table, in the PREROUTING and
    OUTPUT chains, and user-defined chains which are only called from
    those chains. It specifies that the destination address of the
    packet should be modified (and all future packets in this connection
    will also be mangled), and rules should cease being examined.

So it looks like you need to put it in prerouting instead of postrouting.

> When I run my firewall script to make the new changes take effect, I
> get no errors, but I still don't get the desired effect (i.e. doing
> telnet speech.braille.uwo.ca 25 for example, still gives me Trying
> 129.100.109.30... instead of Trying aaa.bbb.ccc.ddd...

I think if it is done correctly you will get this result, but you should
get the prompt message from aaa.bbb.ccc.ddd. Remember the trying whatever
message is coming from telnet, not over the connection, and as far as
telnet is concerned it is connecting to 129.100.109.30. If I understand
correctly this is the essence of transparency.

> Can someone please show me what I'm doing wrong, because everything
> looks right to me, (although it obviously isn't), and I'm out of
> ideas.

If the above don't work then so am I.

> BTW, I'd prefer to use a full host name in iptables, instead of the IP
> address, however, I get an error when I try that. Am I missing
> something here as well? Thanks for any help in advance.
This host name would be resolved at the time the rules are loaded and
then would not be changed if the DNS records changed. This is likely to
lead to strange behavior eventually.

-- 
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are, by
definition, not smart enough to debug it." - Brian W. Kernighan

Thomas Stivers  e-mail: stivers_t at tomass.dyndns.org
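An added example, not from the thread, that emits the nat-table rules the man page excerpt above calls for: DNAT in the OUTPUT chain for connections the firewall itself originates (the telnet test in the question) and in PREROUTING for forwarded ones, using --to-destination rather than --to-source. It refuses a hostname for the reason given in the reply. aaa.bbb.ccc.ddd and eth0 are the thread's placeholders; 192.0.2.25 is a constructed stand-in for the usage line.

```shell
#!/bin/sh
# Added example (not from the thread): build the nat rules that send all
# outbound TCP/25 connections to one SMTP relay. Placeholders: the relay
# address (aaa.bbb.ccc.ddd in the thread) and the WAN interface (eth0).

# Accept only a dotted-quad literal: iptables resolves a hostname once, when
# the rule is loaded, so a name would silently go stale if DNS changed.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rules for relay $1 and outbound interface $2.
# DNAT is valid only in the PREROUTING and OUTPUT chains of the nat table,
# and its address option is --to-destination; POSTROUTING and --to-source
# belong to SNAT, which is why the rule in the question changed nothing.
smtp_redirect_rules() {
    relay=$1; wan=$2
    is_ipv4 "$relay" || { echo "relay must be an IPv4 literal: $relay" >&2; return 1; }
    # Connections generated on the firewall itself (e.g. telnet run there)
    # traverse OUTPUT, not PREROUTING; -o is permitted in OUTPUT.
    echo "iptables -t nat -A OUTPUT -o $wan -p tcp --dport 25 ! -d $relay -j DNAT --to-destination $relay:25"
    # Connections forwarded from LAN hosts traverse PREROUTING, where only
    # -i (incoming interface) is valid, so match on "not from the WAN side".
    echo "iptables -t nat -A PREROUTING ! -i $wan -p tcp --dport 25 ! -d $relay -j DNAT --to-destination $relay:25"
    # Traffic already addressed to the relay is left alone by the "! -d".
}

# Usage: SMTP_RELAY=192.0.2.25 WAN_IF=eth0 sh thisscript.sh | sh   (192.0.2.25 is a constructed stand-in)
if [ -n "${SMTP_RELAY:-}" ]; then
    smtp_redirect_rules "$SMTP_RELAY" "${WAN_IF:-eth0}"
fi
```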