----- Original Message -----
Sent: Monday, July 26, 2004 11:40 AM
Subject: Hostname with DNAT ? {OK}
hello,
I was wondering if you can guide me on how to deal with my situation:
I want to do something like:
Read this rule carefully:
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp -d mail.server1.com --dport 25 -j DNAT --to 192.168.14.254:25
From now on, when the packet arrives at the FORWARD chain of the filter table, it is not destined to mail.server1.com anymore, since you have just changed its destination IP with the rule above. It is destined to 192.168.14.254.
The '-d IP' in the rule below is wrong:
$IPTABLES -A FORWARD -i eth0 -p tcp -d mail1.server.com --dport 25 -j ACCEPT
You should write instead:
$IPTABLES -A FORWARD -i eth0 -p tcp -d 192.168.14.254 --dport 25 -j ACCEPT
Did you get it?
This applies to all these rules below:
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp -d mail.server2.com --dport 25 -j DNAT --to 192.168.14.251:25
$IPTABLES -A FORWARD -i eth0 -p tcp -d mail.server2.com(wrong) --dport 25 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp -d server3.com --dport 25 -j DNAT --to 192.168.14.253:25
$IPTABLES -A FORWARD -i eth0 -p tcp -d server3.com(wrong) --dport 25 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp -d mail.server3.com --dport 25 -j DNAT --to 192.168.14.253:25
$IPTABLES -A FORWARD -i eth0 -p tcp -d mail.server3.com(wrong) --dport 25 -j ACCEPT
Is it possible to use names instead of IPs, like in my situation?
Yes, it is *possible*. It depends on whether your firewall can access the DNS server when it is loading those rules.
In my firewall, when it is loading the PREROUTING rules, it hasn't loaded the INPUT and OUTPUT rules yet, so it is not permitted to send or receive any packets, so it can't contact the DNS server to resolve names.
In my firewall I just load the FORWARD rules after I have loaded the INPUT and OUTPUT chains, so my firewall can already access the DNS server.
hope it helps,
bruno
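The two points in the reply above, as an added example that is not part of the original mail: a small POSIX shell generator that emits each DNAT rule together with a FORWARD rule matching the post-DNAT internal address (never the public name), and that orders the ruleset so the firewall can reach its resolver before any rule needs a name lookup. The hostname-to-IP table and the resolver address 198.51.100.53 are constructed stand-ins so the script runs offline; on a real firewall, resolve_host would call getent or dig, and the output would be reviewed and then piped to sh.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates iptables commands;
# it does not execute them, so it can be reviewed and run offline.
IPTABLES=iptables

# Constructed hostname -> public IP table standing in for DNS (assumption).
HOSTS_TABLE="mail.server1.com 203.0.113.10
mail.server2.com 203.0.113.11
server3.com 203.0.113.12"

# Constructed resolver address (assumption).
DNS_SERVER=198.51.100.53

resolve_host() {
    # $1: hostname. Prints the IP from the constructed table; non-zero if unknown.
    printf '%s\n' "$HOSTS_TABLE" |
        awk -v h="$1" '$1 == h { print $2; found = 1 } END { exit (found ? 0 : 1) }'
}

dnat_pair() {
    # $1: public hostname, $2: internal IP, $3: TCP port.
    # The name is resolved once here, at generation time, so the emitted rules
    # contain only addresses and do not depend on DNS when they are loaded.
    pub=$(resolve_host "$1") || { echo "cannot resolve $1" >&2; return 1; }
    # PREROUTING (nat) still sees the original public destination.
    printf '%s -A PREROUTING -t nat -i eth0 -p tcp -d %s --dport %s -j DNAT --to %s:%s\n' \
        "$IPTABLES" "$pub" "$3" "$2" "$3"
    # FORWARD (filter) sees the packet after DNAT, so it must match the
    # internal address; matching the public name here would never hit.
    printf '%s -A FORWARD -i eth0 -p tcp -d %s --dport %s -j ACCEPT\n' \
        "$IPTABLES" "$2" "$3"
}

build_ruleset() {
    # Emit rules in an order that works when names are resolved at load time:
    # first let the firewall itself talk to its resolver (OUTPUT/INPUT), then
    # the DNAT/FORWARD pairs, which would otherwise fail their lookups.
    printf '%s -A OUTPUT -p udp -d %s --dport 53 -j ACCEPT\n' "$IPTABLES" "$DNS_SERVER"
    printf '%s -A INPUT -p udp -s %s --sport 53 -j ACCEPT\n' "$IPTABLES" "$DNS_SERVER"
    dnat_pair mail.server1.com 192.168.14.254 25 &&
    dnat_pair mail.server2.com 192.168.14.251 25 &&
    dnat_pair server3.com      192.168.14.253 25
}

# Usage: build_ruleset            (review the output, then: build_ruleset | sh)
```

Running build_ruleset prints eight lines: the two resolver rules first, then a PREROUTING/FORWARD pair per host, each FORWARD rule carrying the 192.168.14.x address rather than the hostname. An unknown name makes dnat_pair fail loudly instead of silently emitting a rule that can never match.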