RE: local DNAT with bind,postfix,and iptables

This is a commonly asked question and the answer is real simple if you think about it.

You must DNAT to the internal IP address which is what you've already done for external to mx.<domain> and you must do the same for the internal clients with one extra step, you must change the source like you do if the client were MASQUERADED to the outside world. You must treat the mx.<domain> as if it was outside too.


# Send internal clients that connect to the public MX address on to Box B
iptables -t nat -A PREROUTING -i <internal_iface> -d 219.21.114.34 \
    -j DNAT --to 192.168.0.3

# Masquerade the internal client so packets are forced back via the firewall
iptables -t nat -A POSTROUTING -s <internal_subnet> -d 192.168.0.3 \
    -j SNAT --to 192.168.0.1

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@xxxxxxxxxxxxxxxxxxxxxx

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698

> -----Original Message-----
> From: Carlo Florendo [mailto:carlo@xxxxxxxxxxx]
> Sent: Friday, 17 October 2003 2:56 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: local DNAT with bind,postfix,and iptables
> 
> 
> Hello,
> 
> I have a box which runs bind, postfix, and iptables.  (Box A)
> This box has 2 interfaces.  One facing the net and the other the
> internal network.
> 
> There's another box behind the firewall that runs postfix and is
> part of the internal network.  (Box B).
> 
> Here's the setup.
> 
> -------------
> |    Internet   |
> --------------
>         |
>         |
>         |             host: my.company.org
> -------------  Pub. IP: 219.21.114.33
> |    Box A    |  runs bind, iptables, postfix
> --------------  Pri. IP: 192.168.0.1
>         |
>         |
> ------------- host: mx.my.company.org
> |    Box  B   | runs postfix
> ------------- Pri. IP 192.168.0.3
> 
> There is an mx entry in bind, in box A, which maps the IP address
> 219.21.114.34 to mx.my.company.org (Box B).  Although Box B has no
> interface that listens as 219.21.114.34, I've done a DNAT from Box A
> to Box B so that, when Box A receives a request for 219.21.114.34,
> it does a DNAT to 192.168.0.3.  This way, Box B can receive the mail
> it's supposed to receive.
> 
> This is how it worked:
> 
> iptables -t nat -A PREROUTING -i <public_iface> -d 219.21.114.34 \
>     -j DNAT --to 192.168.0.3
> 
> Now, here's my problem:
> 
> Since the internal network has its mail clients configured to use
> Box A as their smtp server, there should be a way for Box A to
> communicate with Box B using 219.21.114.34.
> 
> I cannot use Box B's IP 192.168.0.3 since this would break bind.  If
> I do this, mail from outside would not reach Box B, since MX requests
> for mx.my.company.org would return 192.168.0.3, which is invalid
> within the internet.
> 
> The only way to do this is for Box A to be able to DNAT to box B
> using locally generated connections (that is, connections that would
> be initiated by Box A's smtp server).
> 
> The howto says that DNAT for locally generated packets is not
> possible in 2.4 kernels.  Does this still hold true?
> 
> Is it possible to DNAT 219.21.114.34 to 192.168.0.3 if connections
> originate from 219.21.114.33 (DNAT for locally generated packets)?
> 
> This solution obviously does not work:
> 
> iptables -t nat -s 127.0.0.1 -d 219.21.114.34 -j DNAT --to 192.168.0.3
> 
> Any workarounds?  Thanks!
> 
> Thanks!
> 
> Best Regards,
> 
> Carlo
> ------
> Carlo Florendo
> Astra Philippines Inc.
> www.astra.ph
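Why the second (SNAT) rule in the reply is needed is easiest to see by tracing one connection. The following is an added example, not code from the thread: a small Python model of Box A's nat table using the addresses from Carlo's diagram (the external client address 203.0.113.5 is constructed). It runs without root or iptables.

```python
"""Toy model of the NAT path for the hairpin rules in the reply above.

Added example, not part of the thread. Addresses come from Carlo's
diagram; the external client address used in the test is constructed.
"""

PUBLIC_MX = "219.21.114.34"   # address the MX record publishes for Box B
BOX_B = "192.168.0.3"         # Box B's real address
FW_INT = "192.168.0.1"        # Box A's internal interface (SNAT source)
INT_PREFIX = "192.168.0."     # internal /24, toy prefix match


def on_internal_net(ip):
    return ip.startswith(INT_PREFIX)


def nat_forward(pkt, snat_internal):
    """Box A's nat table for a packet to the MX address: PREROUTING DNAT on
    either interface, plus the POSTROUTING SNAT only for internal clients."""
    pkt = dict(pkt)
    if pkt["dst"] == PUBLIC_MX:            # -d 219.21.114.34 -j DNAT --to 192.168.0.3
        pkt["dst"] = BOX_B
    if snat_internal and on_internal_net(pkt["src"]) and pkt["dst"] == BOX_B:
        pkt["src"] = FW_INT                # -s <internal_subnet> -j SNAT --to 192.168.0.1
    return pkt


def reply_source_seen_by(client, snat_internal):
    """Client sends a SYN to 219.21.114.34; return the source address of the
    SYN/ACK as the client's TCP stack receives it."""
    fwd = nat_forward({"src": client, "dst": PUBLIC_MX}, snat_internal)
    reply = {"src": fwd["dst"], "dst": fwd["src"]}   # Box B answers what it saw
    if on_internal_net(reply["dst"]) and reply["dst"] != FW_INT:
        return reply["src"]   # same subnet: delivered directly, never translated back
    # Otherwise the reply passes through Box A, and conntrack undoes the
    # DNAT (and the SNAT) so the client sees the address it connected to.
    return PUBLIC_MX


def client_accepts(client, snat_internal):
    """A SYN/ACK from an address the client never contacted is answered with a RST."""
    return reply_source_seen_by(client, snat_internal) == PUBLIC_MX
```

An outside client never needs the SNAT because Box B's reply must route through Box A anyway; an inside client does, because without it Box B answers the client directly on the LAN and the reply arrives untranslated.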