Re: tcp packets on 25 port FORWARDING

On Friday 12 March 2004 10:03 am, peter.gehle@xxxxxxxxx wrote:

> Try this:
>
> LAN_IP=$(ifconfig eth1|head -n 2|tail -n 1|cut -d: -f2|cut -d" " -f1)

A simpler version is `ifconfig eth1|grep inet|tr -s ': ' '\t'|cut -f4`

> iptables -t nat -A PREROUTING -i *EXT-NIC* -p tcp --dport 25 -j DNAT
> --to-destination *POSTFIX-IP*

> iptables -t nat -A POSTROUTING -o *INT-NIC* -p tcp --dport 25 -j SNAT
> --to-source $LAN_IP

Why include this rule?   It will make all email received by the Postfix 
machine appear to come from the Firewall, not the real IP address of the 
sending server.   This will make anti-spam measures more difficult / less 
effective.

> iptables -A FORWARD -i *EXT-NIC* -m state --state NEW -p tcp -d *POSTFIX-IP*
> --dport 25 -j ACCEPT

What about NEW packets from inside to outside (eg delivering mail to the 
Internet?)

Also don't forget that a mail server is likely to want to do things like DNS 
lookups.

Regards,

Antony.

-- 
Having been asked for a reference for this man,
I can confirm that you will be very lucky indeed if you can get him to work 
for you.

                                                     Please reply to the list;
                                                           please don't CC me.
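The ruleset the reply above argues for, written out as an added example (it is not code from either posting). It assumes hypothetical values: eth0 as the Internet-facing NIC, eth1 as the LAN NIC and 192.168.1.25 as the Postfix host. Inbound port 25 is DNATed to Postfix with no SNAT on the LAN side, so Postfix sees the real sender address; FORWARD additionally allows NEW outbound SMTP and DNS from the mail server, and source NAT is applied only on the way out to the Internet. The `IPT` variable lets the same function be dry-run (printing the commands) or applied for real.

```shell
#!/bin/sh
# Added example, not from the list posting: DNAT-based SMTP forward to an
# internal Postfix host. Interface names and addresses below are hypothetical.
# Set IPT="echo iptables" (or DRY_RUN=1) to print the rules instead of loading them.

IPT="${IPT:-iptables}"
EXT_NIC="${EXT_NIC:-eth0}"           # assumed Internet-facing interface
INT_NIC="${INT_NIC:-eth1}"           # assumed LAN interface
POSTFIX_IP="${POSTFIX_IP:-192.168.1.25}"  # assumed internal Postfix host

# Emit the complete ruleset. Every rule goes through $IPT so the function can be
# dry-run or applied unchanged. Rules are appended; nothing is flushed first.
smtp_forward_rules() {
    # Default-deny forwarding; only the flows below pass.
    $IPT -P FORWARD DROP

    # 1. Rewrite inbound port-25 connections to the internal Postfix host.
    #    Deliberately no SNAT on the LAN side: Postfix must see the real client
    #    address, otherwise every anti-spam check sees only the firewall.
    $IPT -t nat -A PREROUTING -i "$EXT_NIC" -p tcp --dport 25 \
        -j DNAT --to-destination "$POSTFIX_IP"

    # 2. Let the inbound SMTP session through FORWARD (after DNAT the
    #    destination address is already the Postfix host).
    $IPT -A FORWARD -i "$EXT_NIC" -o "$INT_NIC" -p tcp -d "$POSTFIX_IP" \
        --dport 25 -m state --state NEW -j ACCEPT

    # 3. Outbound NEW connections the mail server needs: SMTP delivery to the
    #    Internet plus DNS lookups (MX/A records, DNSBL queries, over UDP and TCP).
    $IPT -A FORWARD -i "$INT_NIC" -o "$EXT_NIC" -s "$POSTFIX_IP" -p tcp \
        --dport 25 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INT_NIC" -o "$EXT_NIC" -s "$POSTFIX_IP" -p udp \
        --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INT_NIC" -o "$EXT_NIC" -s "$POSTFIX_IP" -p tcp \
        --dport 53 -m state --state NEW -j ACCEPT

    # 4. Reply packets for all of the above, in both directions.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. Source NAT only on the way OUT to the Internet, so replies to the
    #    Postfix host's own connections come back via the firewall.
    $IPT -t nat -A POSTROUTING -o "$EXT_NIC" -s "$POSTFIX_IP" -j MASQUERADE
}

# Review helper: count generated rules matching a grep pattern, without
# touching the kernel (the subshell forces a dry run).
count_rules() {
    ( IPT="echo iptables"; smtp_forward_rules ) | grep -c -- "$1" || true
}

# DRY_RUN=1 sh thisscript.sh prints the ruleset for inspection.
if [ "${DRY_RUN:-0}" = "1" ]; then
    ( IPT="echo iptables"; smtp_forward_rules )
fi
```

Check the generated set before applying it: `DRY_RUN=1 sh script.sh` should show exactly one DNAT rule, a MASQUERADE rule only on the external interface and nothing that rewrites the source address on the LAN side. The script appends to whatever is already loaded and sets the FORWARD policy to DROP, so inspect `iptables -L FORWARD -n` and `iptables -t nat -L -n` on the box first.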
