Re: ip/snat + port/dnat

On Saturday 08 May 2004 11:44 am, Różański Sergiusz wrote:

> > iptables -A POSTROUTING -t nat -p tcp --dport 2525 -j SNAT --to $extIF:25
> >
> > Is that what you wanted?
>
> no, no, this changes the _source_ port; I need the target 'SNAT' and to change
> the _destination_ port. A PC from the internal network may connect to ANY SMTP
> server in the world (not the local smarthost), but must manually set up
> another port. Examples:
>
> A. Internal network Outlook (192.168.0.5 via Linux 1.2.3.4):
> setup smtp server: 195.205.84.133 port 2525
> - Connection LAN:
>   192.168.0.5:1024 -> 195.205.84.133:2525
> - SNAT+DNAT/PORT Internet:
>   1.2.3.4:65000 -> 195.205.84.133:25
>
> B. Internal network WORM (192.168.0.5 via Linux 1.2.3.4):
> smtp server: 195.205.84.133 port 25
> - Connection LAN:
>   192.168.0.5:1024 -> 195.205.84.133:25
> - DROP

Oh, I see - neat trick :)

Try this:

iptables -A PREROUTING -t nat -p tcp --dport 25 -j DROP
iptables -A PREROUTING -t nat -p tcp --dport 2525 -j DNAT --to :25

I generally advise people *not* to put DROP rules in the nat table, however 
here you have an exception which merits this.   If you prefer not to do that, 
and would like to DROP packets in FORWARD instead, try this:

iptables -A PREROUTING -t mangle -p tcp --dport 25 -j MARK --set-mark 1
iptables -A PREROUTING -t nat -p tcp --dport 2525 -j DNAT --to :25
iptables -A FORWARD -m mark --mark 1 -j DROP

Regards,

Antony.

-- 
I think, therefore I am.
I'm pink, therefore I'm Spam.
I drink, therefore I think I am.

                                                     Please reply to the list;
                                                           please don't CC me.
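Added example, not code from the thread: a small Python model of the order in which a forwarded packet meets the hooks used in Antony's second variant (mangle PREROUTING mark, nat PREROUTING DNAT, filter FORWARD, nat POSTROUTING). It also models the tempting but wrong alternative of matching `--dport 25` directly in FORWARD, which runs after DNAT and therefore drops the remapped 2525 traffic as well; that is why the mark is needed. The SNAT rule in POSTROUTING (to 1.2.3.4, source port 65000) is assumed from the quoted example and is not shown in the thread.

```python
"""Model of netfilter hook traversal for the SMTP port-remap trick.

Constructed example, not code from the original post. Rule order follows
Antony's second variant; the SNAT to 1.2.3.4:65000 in nat POSTROUTING is an
assumption taken from the quoted example, not a rule the thread shows.
"""
from dataclasses import dataclass, replace

GATEWAY_PUBLIC_IP = "1.2.3.4"  # assumed: the Linux box's external address
SNAT_PORT = 65000              # assumed: port the NAT engine picks in example A


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    mark: int = 0


def mangle_prerouting(pkt):
    # iptables -A PREROUTING -t mangle -p tcp --dport 25 -j MARK --set-mark 1
    # Runs before DNAT, so it sees the port the LAN host actually asked for.
    if pkt.dport == 25:
        return replace(pkt, mark=1)
    return pkt


def nat_prerouting(pkt):
    # iptables -A PREROUTING -t nat -p tcp --dport 2525 -j DNAT --to :25
    # Only the port changes; the destination address is left alone.
    if pkt.dport == 2525:
        return replace(pkt, dport=25)
    return pkt


def filter_forward(pkt):
    # iptables -A FORWARD -m mark --mark 1 -j DROP
    # The mark survives DNAT, so direct-to-25 traffic is still identifiable here.
    if pkt.mark == 1:
        return None
    return pkt


def naive_filter_forward(pkt):
    # What NOT to do: iptables -A FORWARD -p tcp --dport 25 -j DROP
    # FORWARD runs after nat PREROUTING, so remapped 2525 traffic now has
    # dport 25 too and gets dropped along with the worm's traffic.
    if pkt.dport == 25:
        return None
    return pkt


def nat_postrouting(pkt):
    # assumed: iptables -A POSTROUTING -t nat -o $extIF -j SNAT --to 1.2.3.4
    return replace(pkt, src=GATEWAY_PUBLIC_IP, sport=SNAT_PORT)


def traverse(pkt, forward_hook=filter_forward):
    """Apply the hooks in the order a forwarded packet meets them.

    Returns the tuple as it leaves the external interface, or None if some
    hook dropped it.
    """
    for hook in (mangle_prerouting, nat_prerouting, forward_hook, nat_postrouting):
        pkt = hook(pkt)
        if pkt is None:
            return None
    return pkt


# Example A: Outlook configured for port 2525 -> reaches the server on 25.
OUTLOOK = Packet("192.168.0.5", 1024, "195.205.84.133", 2525)
# Example B: worm talking to port 25 directly -> dropped.
WORM = Packet("192.168.0.5", 1024, "195.205.84.133", 25)

if __name__ == "__main__":
    print("Outlook:", traverse(OUTLOOK))
    print("Worm:   ", traverse(WORM))
    print("Outlook with naive FORWARD rule:", traverse(OUTLOOK, naive_filter_forward))
```

The model also explains the caveat about DROP in the nat table: nat PREROUTING is consulted only for the first packet of a connection, so a DROP there happens to work for this case (the SYN never gets through), but any rule that must see every packet of a flow belongs in filter or mangle.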
