Thanks a lot George. This postfix solution is new to me. I'll be trying it out in a few minutes. But is there any way to do this with iptables? (Just curious..)

> ----- Original Message -----
> From: "George Vieira"
>
> Oh OK.. sorry, must've skipped a line somewhere there..
>
> OK, this is an even simpler solution. Use sendmail's "mailertable" or postfix's
> "transport" to redirect the domain to a different IP..
>
> mailertable use:
> mx.my.company.org    esmtp:[192.168.0.3]
>
> postfix use:
> mx.my.company.org    smtp:[192.168.0.3]
>
> This affects this server only and if mail is sent via sendmail.postfix which
> the domain MX is overriding the DNS..
>
> This is a mail server resolution and not iptables if no one noticed.. ;P
>
> Thanks,
> ____________________________________________
> George Vieira
> Systems Manager
> georgev@xxxxxxxxxxxxxxxxxxxxxx
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
> Phone   : +61 2 9955 2644
> HelpDesk: +61 2 9955 2698
>
>> -----Original Message-----
>> From: Carlo Florendo [mailto:carlo@xxxxxxxxxxx]
>> Sent: Friday, 17 October 2003 4:11 AM
>> To: George Vieira; netfilter@xxxxxxxxxxxxxxxxxxx
>> Subject: Re: local DNAT with bind,postfix,and iptables
>>
>> ----- Original Message -----
>> From: "George Vieira"
>>
>> > You must DNAT to the internal IP address which is what you've already done
>> > for external to mx.<domain> and you must do the same for the internal
>> > clients with one extra step, you must change the source like you do if the
>> > client were MASQUERADED to the outside world. You must treat the mx.<domain>
>> > as if it was outside too..
>> >
>> > iptables -t nat -A PREROUTING -i <internal_iface> -d 219.21.114.34 \
>> >     -j DNAT --to 192.168.0.3
>> >
>> > # Masquerade the internal client so packets are forced back via the firewall
>> > iptables -t nat -A POSTROUTING -s <internal_subnet> -d 192.168.0.3 \
>> >     -j SNAT --to 192.168.0.1
>>
>> I'm sorry for not making myself very clear. You were the one actually who
>> taught me how to do this bermuda triangle routing when I long ago posted a
>> message "DNAT from an IP address that does not exist, etc..." :)
>>
>> This solution works if the smtp connection is initiated from any of the
>> internal hosts but 192.168.0.1. In this case however, it is 192.168.0.1
>> that initiates the connection.
>>
>> The problem is that the smtp server (postfix) which the internal hosts use
>> is 192.168.0.1. It is that smtp server which queries bind (DNS) for the mx
>> entry (bind and postfix in the same machine). Since bind returns
>> 210.21.114.34 when postfix queries for the mx entry, postfix tries to
>> initiate a connection to 210.21.114.34.
>>
>> However, since 210.21.114.34 is actually 192.168.0.3, the smtp connection
>> from 192.168.0.1 should be DNATted to 192.168.0.3. That is, machine
>> 192.168.0.1, the same machine where iptables runs, should DNAT 210.21.114.34
>> to 192.168.0.3.
>>
>> In other words, if I do a telnet from 192.168.0.1 to port 25 of
>> 210.21.114.34, there should be a connection. However, this does not happen.
>>
>> If I do a telnet to port 25 of 210.21.114.34 from any of the 192.168.0.0/24
>> machines in the internal network, with the exception of 192.168.0.1, I get a
>> connection. Thanks to the solution you posted :)
>>
>> How is it possible to DNAT to 210.21.114.34 from 192.168.0.1 if iptables
>> runs in 192.168.0.1 itself?
>>
>> Thanks so much!
>>
>> Best Regards,
>>
>> Carlo
>> ------
>> Carlo Florendo
>> Astra Philippines Inc.
>> www.astra.ph
>>
>> >> Hello,
>> >>
>> >> I have a box which runs bind, postfix, and iptables. (Box A)
>> >> This box has 2 interfaces. One facing the net and the other the internal
>> >> network.
>> >>
>> >> There's another box behind the firewall that runs postfix and is part of
>> >> the internal network. (Box B)
>> >>
>> >> Here's the setup.
>> >>
>> >>   -------------
>> >>   | Internet  |
>> >>   -------------
>> >>        |
>> >>        |
>> >>        |                host: my.company.org
>> >>   -------------         Pub. IP: 219.21.114.33
>> >>   |   Box A   |         runs bind, iptables, postfix
>> >>   -------------         Pri. IP: 192.168.0.1
>> >>        |
>> >>        |
>> >>   -------------         host: mx.my.company.org
>> >>   |   Box B   |         runs postfix
>> >>   -------------         Pri. IP: 192.168.0.3
>> >>
>> >> There is an mx entry in bind, in box A, which maps the IP address
>> >> 219.21.114.34 to mx.my.company.org (Box B). Although Box B has no interface
>> >> that listens as 219.21.114.34, I've done a DNAT from Box A to Box B so that,
>> >> when Box A receives a request for 219.21.114.34, it does a DNAT to
>> >> 192.168.0.3. This way, Box B can receive the mail it's supposed to receive.
>> >>
>> >> This is how it worked:
>> >>
>> >> iptables -t nat -A PREROUTING -i <public_iface> -d 219.21.114.34 \
>> >>     -j DNAT --to 192.168.0.3
>> >>
>> >> Now, here's my problem:
>> >>
>> >> Since the internal network has its mail clients configured to use Box A
>> >> as their smtp server, there should be a way for Box A to communicate with
>> >> Box B using 219.21.114.34.
>> >>
>> >> I cannot use Box B's IP 192.168.0.3 since this would break bind. If I do
>> >> this, mail from outside would not reach Box B, since mx requests for
>> >> mx.my.company.org would return 192.168.0.3, which is invalid within the
>> >> internet.
>> >>
>> >> The only way to do this is for Box A to be able to DNAT to Box B using
>> >> locally generated connections (that is, connections that would be initiated
>> >> by Box A's smtp server).
>> >>
>> >> The howto says that DNAT for locally generated packets is not possible in
>> >> 2.4 kernels. Does this still hold true?
>> >>
>> >> Is it possible to DNAT 219.21.114.34 to 192.168.0.3 if connections originate
>> >> from 219.21.114.33 (DNAT for locally generated packets)?
>> >>
>> >> This solution obviously does not work:
>> >>
>> >> iptables -t nat -s 127.0.0.1 -d 219.21.114.34 -j DNAT --to 192.168.0.3
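As an added example (not posted by anyone in this thread), here are both approaches discussed above written out as one script for Box A. The netfilter part adds the rules George gave plus the piece the original question is really about: locally generated packets never traverse PREROUTING, so Box A's own postfix connections must be rewritten in the nat table's OUTPUT chain. That chain is the hook netfilter provides for exactly this; whether it worked on a 2003-era 2.4 kernel is the question Carlo raises, and the script is written against current iptables. The postfix part writes George's transport entry. Interface names eth0/eth1, the DRY_RUN switch and the function names are assumptions of this example; the addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Runs on Box A (192.168.0.1 / 219.21.114.33).
# DRY_RUN=1 (default) only prints each command; DRY_RUN=0 applies them (needs root).
DRY_RUN=${DRY_RUN:-1}

PUBLIC_IFACE=eth0            # assumed interface name
INTERNAL_IFACE=eth1          # assumed interface name
PUBLIC_MX=219.21.114.34      # address bind publishes for mx.my.company.org
BOX_B=192.168.0.3            # Box B, the host that really runs the MX
BOX_A_INT=192.168.0.1        # Box A's internal address
INTERNAL_NET=192.168.0.0/24  # internal subnet from the thread

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Option 1: netfilter. Three nat hooks are involved:
#   PREROUTING  - packets arriving on an interface (external and internal hosts)
#   POSTROUTING - rewrite the source so Box B's replies come back through Box A
#   OUTPUT      - packets Box A itself generates, e.g. its postfix talking to the MX
nat_rules() {
    # external senders -> Box B (the rule that already works in the thread)
    run iptables -t nat -A PREROUTING -i "$PUBLIC_IFACE" -d "$PUBLIC_MX" \
        -j DNAT --to-destination "$BOX_B"
    # internal hosts -> Box B, plus SNAT so the return path stays symmetric
    run iptables -t nat -A PREROUTING -i "$INTERNAL_IFACE" -d "$PUBLIC_MX" \
        -j DNAT --to-destination "$BOX_B"
    run iptables -t nat -A POSTROUTING -s "$INTERNAL_NET" -d "$BOX_B" \
        -j SNAT --to-source "$BOX_A_INT"
    # Box A's own connections: only nat/OUTPUT sees locally generated packets.
    # Restricted to tcp/25 so nothing else Box A sends to that address is touched.
    run iptables -t nat -A OUTPUT -d "$PUBLIC_MX" -p tcp --dport 25 \
        -j DNAT --to-destination "$BOX_B"
}

# Verify the local-DNAT rule is present (iptables -C returns non-zero if not).
check_local_dnat() {
    run iptables -t nat -C OUTPUT -d "$PUBLIC_MX" -p tcp --dport 25 \
        -j DNAT --to-destination "$BOX_B"
}

# Option 2: postfix transport map. Affects only Box A's own postfix; DNS and the
# firewall rules for external mail are untouched.
transport_entry() {
    printf 'mx.my.company.org\tsmtp:[%s]\n' "$BOX_B"
}

postfix_transport() {
    transport_file=${1:-/etc/postfix/transport}
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would write to %s: %s\n' "$transport_file" "$(transport_entry)"
    else
        transport_entry >> "$transport_file"
    fi
    run postmap "$transport_file"
    run postconf -e "transport_maps = hash:$transport_file"
    run postfix reload
}

nat_rules
check_local_dnat
postfix_transport
```

Either option alone answers the question asked in the thread, and the two do not interfere with each other. The transport map is the smaller change (no kernel behaviour involved, easy to undo with `postmap` after removing the line), while the nat/OUTPUT rule also fixes any other local process on Box A that connects to the published MX address. The `-C` check is the quickest way to confirm, after a reboot or a ruleset reload, that the local-DNAT rule survived; `iptables -t nat -L OUTPUT -n` shows the same thing by eye.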