Re: Redirecting outgoing SMTP from LAN to another LAN server

Antony Stone wrote:
On Thursday 13 May 2004 1:46 pm, Gavin Hamill wrote:


This is just a final followup to say thanks for the advice, and to report
on the final solution.

eth0 is the 0utside, and eth1 is the 1nside (that's what I use to stop
confusing myself...) and 10.0.0.254 is the firewall and default gateway for
all LAN machines

$ iptables -t nat -A PREROUTING -p tcp -i eth1 -s ! 10.0.0.253 --dport 25 \
    -j DNAT --to 10.0.0.253:25
$ iptables -t nat -A POSTROUTING -p tcp -s 10.0.0.0/24 -d 10.0.0.253 --dport 25 \
    -j SNAT --to 10.0.0.254

This way, LAN users trying to connect directly to an external mail server
get sent to the MTA on 10.0.0.253, and 10.0.0.253 itself still has full
access to 'real' port 25 in order that it can deliver mails! :)


Gavin:
Why would your LAN users ever need to send SMTP to anywhere other than your MTA? With the above rules, aren't you allowing an 1nside (I like that 0 1 idea!) computer, infected with a worm, to propagate the virus?
I apologize if I missed something in your original post that explains this.


--Micha

Cheers,
Gavin.


I'd just like to say that it's very nice to see a posting like this here, showing the working solution (together with an explanation of why it works, and exactly what it does), since this sort of thing is very useful to people searching the archives in future.

Finding a working solution which someone has bothered to document is much more helpful than finding someone with a similar problem and having to go through half the same effort of solving it, so thanks Gavin for providing this info.

Regards,

Antony.
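As an added illustration, not part of the thread, here is a small Python model of the two nat rules Gavin posted. It walks a new connection's first packet through the PREROUTING DNAT and POSTROUTING SNAT matches and shows why the second rule is needed at all: client and MTA sit on the same /24, so without the SNAT the MTA's SYN/ACK would go straight back to the client and never pass the firewall where the DNAT could be reversed. The client address 10.0.0.10 and the external mail server 203.0.113.5 are constructed sample values; the firewall (10.0.0.254), MTA (10.0.0.253) and interface names come from the post.

```python
"""Model of the two iptables nat rules from the thread (illustration, not real netfilter)."""
from dataclasses import dataclass, replace
import ipaddress

FW_INSIDE = "10.0.0.254"                       # firewall eth1 address, LAN default gateway (from the post)
MTA = "10.0.0.253"                             # internal MTA that all LAN SMTP is funnelled to (from the post)
LAN_NET = ipaddress.ip_network("10.0.0.0/24")  # the LAN behind eth1 (from the post)


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def prerouting_dnat(pkt):
    """-t nat -A PREROUTING -p tcp -i eth1 -s ! 10.0.0.253 --dport 25 -j DNAT --to 10.0.0.253:25
    Any TCP/25 arriving from the LAN, except from the MTA itself, is rewritten to the MTA."""
    if pkt.proto == "tcp" and pkt.in_iface == "eth1" and pkt.src != MTA and pkt.dport == 25:
        return replace(pkt, dst=MTA, dport=25), "DNAT"
    return pkt, None


def postrouting_snat(pkt):
    """-t nat -A POSTROUTING -p tcp -s 10.0.0.0/24 -d 10.0.0.253 --dport 25 -j SNAT --to 10.0.0.254
    Runs after routing, so it sees the already-DNATed destination. LAN traffic headed to the
    MTA's port 25 gets the firewall's own inside address as source."""
    if (pkt.proto == "tcp" and ipaddress.ip_address(pkt.src) in LAN_NET
            and pkt.dst == MTA and pkt.dport == 25):
        return replace(pkt, src=FW_INSIDE), "SNAT"
    return pkt, None


def traverse(pkt):
    """Push the first packet of a connection through both rules; return the translated packet
    and the list of targets that fired."""
    pkt, a1 = prerouting_dnat(pkt)
    pkt, a2 = postrouting_snat(pkt)
    return pkt, [a for a in (a1, a2) if a]


def reply_goes_via_firewall(translated):
    """The MTA answers whatever source address it saw. If that address is on its own /24 and is
    not the firewall, the SYN/ACK is delivered directly on the LAN segment, bypassing the box
    that holds the DNAT state, and the client discards a SYN/ACK from an address it never
    connected to. True means the reply is forced back through the firewall."""
    reply_dst = ipaddress.ip_address(translated.src)
    return translated.src == FW_INSIDE or reply_dst not in LAN_NET


if __name__ == "__main__":
    samples = [
        Packet("eth1", "10.0.0.10", "203.0.113.5", 25),    # LAN client to an external MTA: redirected
        Packet("eth1", MTA, "203.0.113.5", 25),            # the MTA delivering mail: left alone
        Packet("eth1", "10.0.0.10", "203.0.113.5", 80),    # LAN web traffic: left alone
        Packet("eth0", "203.0.113.5", "10.0.0.254", 25),   # inbound from the outside: left alone
    ]
    for p in samples:
        out, acts = traverse(p)
        print(f"{p.in_iface} {p.src}->{p.dst}:{p.dport}  =>  {out.src}->{out.dst}:{out.dport}  {acts}")
    dnat_only, _ = prerouting_dnat(samples[0])
    print("reply via firewall with DNAT only:", reply_goes_via_firewall(dnat_only))
    print("reply via firewall with DNAT+SNAT:", reply_goes_via_firewall(traverse(samples[0])[0]))
```

Note that the model deliberately exempts 10.0.0.253 in the PREROUTING rule, exactly as the post does; this is what lets the MTA reach real port 25 on the outside while every other LAN host ends up at the MTA.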



