Re: Port Forwarding for port 25 (again...)

On Monday 24 February 2003 07:54 pm, Magnus Solvang wrote:
> I have a firewall set up with an internal (192.168.1.20) and
> an external ip-address (x.x.x.49). The former mailserver for
> this domain has been placed on the LAN, and given the address
> 192.168.1.101. MX for the domain still points to its old
> ip-address (x.x.x.34). The firewall is behind the router for
> the external domain.
>
> I can't seem to be able to forward smtp-traffic from x.x.x.34
> to 192.168.1.101 via the firewall. I _am_ able to forward port
> 25 from the firewall's external interface to the mailserver behind,
> but as mentioned - not from the former ip-address of the mailserver,
> and to the new internal address.
>
> I have tried numerous versions of:
> $IPTABLES -t nat -A PREROUTING -i $INET_NCARD -d x.x.x.34 -p tcp \
> --dport 25 -j DNAT --to-destination 192.168.1.101:25
>
> But a telnet to the old, external ip-address of the mailserver
> just hangs (until it returns a "No route to host").

Which sums it up pretty accurately, I suspect.  If the firewall has an 
external IP x.y.z.49, then it will handle traffic to that IP.  If the MX 
(or your telnet test) points to x.y.z.34, then the upstream router will 
be looking for something that responds to _that_ IP.  If it cannot find 
anything using that IP, then there is no route.  Presuming that x.y.z 
are the same in both cases, you may get the results you want with:

ifconfig eth0:1 add x.y.z.34

Where eth0 would be the interface with x.y.z.49 on it, $INET_NCARD in 
your rule above.  This will create a second 'virtual' interface that 
responds to this second IP, in addition to the main eth0 responding to 
the present firewall IP.  The interface will still be referred to as 
eth0 in iptables rules, but it will now handle both IPs.  DNAT will be 
reversed properly, so return traffic will appear to come from x.y.z.34 
without further work, but if you need the mailserver to initiate 
connections that appear to come from that IP then you will need to 
explicitly SNAT those connections, otherwise it will appear as x.y.z.49 
if it makes a new connection.

j
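The fix described in the reply, written out as a complete set of commands. This is an added example, not part of the original thread; the addresses are constructed placeholders (203.0.113.34 stands for the old x.y.z.34), and it adds the FORWARD and SNAT rules the reply mentions but does not show.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the commands that make the
# firewall answer for the mailserver's former public IP and NAT SMTP to the LAN host.
# With no argument the commands are only printed (dry run); pass "apply" to execute
# them as root.
INET_NCARD="${INET_NCARD:-eth0}"
OLD_MX_IP="${OLD_MX_IP:-203.0.113.34}"       # constructed: old public IP the MX still points at
MAIL_LAN_IP="${MAIL_LAN_IP:-192.168.1.101}"  # mailserver's new LAN address

mailserver_nat_rules() {
    # 1. Make the firewall respond to the old address as a second IP on the
    #    external interface (the iproute2 form of the reply's ifconfig alias).
    echo "ip addr add $OLD_MX_IP/32 dev $INET_NCARD label $INET_NCARD:1"
    # 2. Inbound SMTP for the old address is rewritten to the LAN mailserver.
    echo "iptables -t nat -A PREROUTING -i $INET_NCARD -d $OLD_MX_IP -p tcp --dport 25 -j DNAT --to-destination $MAIL_LAN_IP:25"
    # 3. Only the DNATed SMTP connection is let through FORWARD, plus the
    #    replies belonging to connections already tracked by conntrack.
    echo "iptables -A FORWARD -i $INET_NCARD -d $MAIL_LAN_IP -p tcp --dport 25 -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 4. Mail the LAN server sends out must leave as the old address; without
    #    this SNAT it would be seen as the firewall's main IP (x.y.z.49).
    echo "iptables -t nat -A POSTROUTING -o $INET_NCARD -s $MAIL_LAN_IP -j SNAT --to-source $OLD_MX_IP"
}

if [ "$1" = "apply" ]; then
    mailserver_nat_rules | while read -r cmd; do $cmd; done   # needs root
else
    mailserver_nat_rules
fi
```

Run it without arguments first and review the printed rules; the SNAT rule is what keeps outbound mail consistent with the MX record, so receivers doing reverse checks see the expected address.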
