On Thu, Apr 29, 2004 at 11:37:57PM +1000, Alexander Samad told us:
> On Thu, Apr 29, 2004 at 10:59:49AM +0100, Gavin Hamill wrote:
> > Hullo :)
> >
> > I'd like to do $SUBJECT, but after much playing with commands like
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to 10.0.0.253:25
>
> what about
>
> iptables -t nat -A PREROUTING -p tcp -i eth1 -s ! 10.0.0.253 --dport 25 -j DNAT --to 10.0.0.253:25
>
> I presume 10.0.0.253 is also on eth1.
>

The problem here might be that both the client and the server are on the same physical network. This means

So assume we have a client (10.0.0.1) which wants to connect to a mail server (12.34.56.78) on the internet. So you DNAT the request to your internal mail server 10.0.0.253 at the firewall. Your internal mail server gets the request but will try to directly talk to the client, as in the packet the sender is still the original IP address.

(sorry if this is hard to understand, I'm not really good at explaining things :)

So you will additionally need a SNAT rule on your firewall, something like

iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.0.0.0/8 \
    -d 10.0.0.253 --dport 25 -j SNAT --to 10.0.0.xx

where xx would be the IP of your firewall.

Now both the packets from the client to the server and the returning packets from the server to the client will travel through your firewall.

HTH
Sven

> > I have given up and have come to you fine people for help...
> >
> > My LAN is on eth1, with WAN on eth0. The gateway machine is 10.0.0.254 doing masq for
> > LAN clients, but I'd like to send any outgoing SMTP connections to 10.0.0.253 - alas
> > any time I've tried, I just end up killing ALL outgoing SMTP :(
> >
> > Any suggestions warmly received!
> >
> > Cheers,
> > Gavin.
> >
> > --
> > Linux zion 2.6.6-rc1 #1 Sat Apr 17 11:50:12 CEST 2004 i686 athlon i386 GNU/Linux
> > 16:37:12 up 8 days, 21:26, 1 user, load average: 0.01, 0.01, 0.00
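An added example, not code from the thread, that puts Alexander's exclusion of the mail server and Sven's SNAT rule into one script: the POSTROUTING rule matches on the outgoing interface and leaves the source port alone so concurrent client connections stay distinct. Interface and address values are the thread's (eth1, 10.0.0.0/8, firewall 10.0.0.254, mail server 10.0.0.253); the `! -s` negation is current iptables syntax, and `IPT=echo` previews the rules without touching the kernel.

```shell
#!/bin/sh
# Transparent SMTP redirect for a LAN where clients and the mail server
# share one segment (eth1). Values below are the thread's; override via env.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-10.0.0.0/8}"
FW_LAN_IP="${FW_LAN_IP:-10.0.0.254}"
MAIL_IP="${MAIL_IP:-10.0.0.253}"

smtp_redirect_rules() {
    # PREROUTING: rewrite the destination of LAN-originated SMTP to the local
    # mail server. The mail server itself is excluded so its own outbound
    # delivery is not looped straight back onto it.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp ! -s "$MAIL_IP" --dport 25 \
        -j DNAT --to-destination "$MAIL_IP":25
    # POSTROUTING: client and server sit on the same segment, so also rewrite
    # the source; the server then answers the firewall, which un-NATs the
    # reply, instead of answering the client directly. POSTROUTING only knows
    # the outgoing interface (-o); -i is not accepted here. No port is given
    # to --to-source, so each client connection keeps its own source port.
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -s "$LAN_NET" \
        -d "$MAIL_IP" --dport 25 -j SNAT --to-source "$FW_LAN_IP"
}

# Verification after applying: both rules' packet counters should rise while
# a LAN client sends mail; a rising DNAT counter with a flat SNAT counter
# means replies are bypassing the firewall again.
show_nat_counters() {
    $IPT -t nat -L PREROUTING -n -v --line-numbers
    $IPT -t nat -L POSTROUTING -n -v --line-numbers
}

# Apply only when asked explicitly (needs root and net.ipv4.ip_forward=1).
if [ "${1:-}" = "apply" ]; then
    smtp_redirect_rules
    show_nat_counters
fi
```

Preview with `IPT=echo sh smtp-redirect.sh apply`; apply as root with `sh smtp-redirect.sh apply`.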