Hello,

I'm trying to redirect all SMTP connections to one external host to another external host. Both of these exist on the same subnet which, if I've understood it correctly, equals trouble. ;)

So, reading through the NAT HOWTO and lots of questions to this list I've tried most things, but unfortunately it doesn't work. For testing purposes I use port 2525 on the first host before taking the mail service on that host down permanently.

This is today's situation; trying to redirect ...13:2525 to ...16:25.

                [ net ]
               /       \
    111.222.333.13   111.222.333.16

These are external IPs, there's no internal network. I'm currently using Debian Woody (iptables v1.2.6a) with a freshly compiled kernel 2.4.18 with NAT support.

The rules I think are the ones that *should* work are these:

    ## Change destination addresses of mail traffic to 111.222.333.16, port 25.
    iptables -t nat -A PREROUTING -p tcp --dport 2525 -i eth0 \
        -j DNAT --to 111.222.333.16:25

    ## Destination NAT Onto the Same Network
    iptables -t nat -A POSTROUTING -d 111.222.333.13 -s 0.0.0.0/0 \
        -p tcp --dport 2525 -j SNAT --to 111.222.333.16

These are also the only rules that currently exist on the machine. If I then use these and connect from the subnet 111.222.333.0/24 the SNAT packet counter increases; connecting from another subnet increases the DNAT counter.

Tracing these with tcpdump shows this output:

[ 111.222.333.13 / mail1.myhostname.com ]

    03:04:43.451436 externalhost.com.35736 > mail1.myhostname.com.333.222.111.in-addr.arpa.2525: S 684181285:684181285(0) win 5840 <mss 1460,sackOK,timestamp 961920999 0,nop,wscale 0> (DF) [tos 0x60]
    03:04:43.451538 externalhost.com.35736 > mail2.myhostname.com.smtp: S 684181285:684181285(0) win 5840 <mss 1460,sackOK,timestamp 961920999 0,nop,wscale 0> (DF) [tos 0x60]
    [...]

[ 111.222.333.16 / mail2.myhostname.com ]

    04:44:46.087439 externalhost.com.35735 > mail2.myhostname.com.smtp: S 654494669:654494669(0) win 5840 <mss 1460,sackOK,timestamp 961920329 0,nop,wscale 0> (DF) [tos 0x60]
    04:44:46.087480 mail2.myhostname.com.smtp > externalhost.com.35735: S 2345893112:2345893112(0) ack 654494670 win 5792 <mss 1460,sackOK,timestamp 124930458 961920329,nop,wscale 0> (DF)
    04:44:46.087705 externalhost.com.35735 > mail2.myhostname.com.smtp: R 654494670:654494670(0) win 32120 [tos 0x60]
    04:44:46.087923 111.222.333.1 > mail2.myhostname.com: icmp: redirect myexternalhost.com to host 111.222.333.18
    [...]

I don't know why it says icmp: redirect to a host with .18, that's not a host I know of.

Anyway, this is what my iptables -L -v -n -t nat says:

    Chain PREROUTING (policy ACCEPT 17228 packets, 677K bytes)
     pkts bytes target     prot opt in     out     source               destination
        3   180 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2525 to:111.222.333.16:25

    Chain POSTROUTING (policy ACCEPT 2106 packets, 132K bytes)
     pkts bytes target     prot opt in     out     source               destination
        1    60 SNAT       tcp  --  *      *       0.0.0.0/0            111.222.333.13       tcp dpt:2525 to:111.222.333.16

    Chain OUTPUT (policy ACCEPT 2081 packets, 131K bytes)
     pkts bytes target     prot opt in     out     source               destination

Any ideas, whatsoever, will be gladly received!

Thanks in advance,
Örjan
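An added illustration, not part of the original post and a simplified model rather than kernel code: a Python sketch of why a DNAT-only rule on .13 lets the SYN-ACK from .16 travel straight back to the client, which then resets the connection exactly as the tcpdump on mail2 shows, and how a POSTROUTING SNAT to the NAT box's own address (the pattern the NAT HOWTO's "Destination NAT Onto the Same Network" section describes) forces the reply back through the box so conntrack can undo the translation. Host names and the addresses are taken from the post; SNAT port remapping and the ICMP redirect are left out of the model.

```python
# Toy model of netfilter DNAT/SNAT for the setup in the post (constructed example, not kernel code).
# A packet is (src_ip, src_port, dst_ip, dst_port). The NAT box is .13; the real
# mail server is .16; both sit on the same subnet, so .16 answers a client directly
# unless the NAT box also rewrote the source address to itself.
NAT_BOX = "111.222.333.13"    # addresses copied from the post; they are not valid IPv4
MAIL2 = "111.222.333.16"
CLIENT = "externalhost.com"   # the connecting host in the post's tcpdump


class NatBox:
    def __init__(self, snat_to_self):
        self.snat_to_self = snat_to_self   # POSTROUTING SNAT to the box's own address?
        self.conntrack = {}                # reply tuple -> tuple the client expects

    def prerouting(self, pkt):
        """DNAT client -> .13:2525 into client -> .16:25, as in the PREROUTING rule."""
        src, sport, dst, dport = pkt
        if (dst, dport) != (NAT_BOX, 2525):
            return pkt
        new_src = NAT_BOX if self.snat_to_self else src
        # conntrack: the reply .16:25 -> new_src:sport must be rewritten back to
        # .13:2525 -> client:sport, which is what the client's SYN was addressed to.
        self.conntrack[(MAIL2, 25, new_src, sport)] = (NAT_BOX, 2525, src, sport)
        return (new_src, sport, MAIL2, 25)

    def un_nat(self, reply):
        """Reverse the translation for a reply that actually traverses the box."""
        return self.conntrack.get(reply, reply)


def syn_exchange(snat_to_self):
    """Return where the client sees the SYN-ACK coming from and what it does."""
    box = NatBox(snat_to_self)
    syn = (CLIENT, 35735, NAT_BOX, 2525)
    to_server = box.prerouting(syn)
    # .16 answers whoever the translated SYN came from (src/dst swapped).
    syn_ack = (to_server[2], to_server[3], to_server[0], to_server[1])
    # Same subnet: the reply only crosses the NAT box if it is addressed to it.
    if syn_ack[2] == NAT_BOX:
        syn_ack = box.un_nat(syn_ack)
    seen_from = (syn_ack[0], syn_ack[1])
    # A SYN-ACK from an address/port the client never connected to is answered with RST.
    action = "ACK" if seen_from == (NAT_BOX, 2525) else "RST"
    return {"syn_ack_from": seen_from, "client_action": action}


if __name__ == "__main__":
    print("DNAT only:      ", syn_exchange(False))   # RST, as in the post's tcpdump
    print("DNAT + SNAT .13:", syn_exchange(True))
```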