Hi Danila, there are some errors in your rules;
first I'll correct them, then I'll tell you about using names.
I know the rules were wrong ... I was in a rush
... you are right, but I was trying to do something else. I will give my setup
just to show what I was asking:
internet ---> [router: eth0 public ip | eth1 private ip]
                 --> mail.server1.com [eth0 private ip | eth1 private ip] ---> lan
                 --> mail.server2.com [eth0 private ip | eth1 private ip] ---> lan
                 --> mail.server3.com [eth0 private ip | eth1 private ip] ---> lan
The problem is that I have 3 names on the same public IP and I want to send mail traffic to those servers, which have private IPs.
I don't want to use SMTP on the router with the public IP, just redirect, name-based, to the machines behind it accordingly.
thank you very much for your help,
Danila Octavian
----- Original Message -----
Sent: Monday, July 26, 2004 11:40 AM
Subject: Hostname with DNAT ?
hello,
I was wondering if you can guide me on how to deal with my situation:
I want to do something like:
read carefully this rule:
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp -d mail.server1.com --dport 25 -j DNAT --to 192.168.14.254:25
From now on, when the packet arrives at the FORWARD chain of the filter table, it is not
destined to mail.server1.com anymore, since you have just changed its destination IP with the
rule above. It is destined to 192.168.14.254.
the '-d IP' in the rule below is wrong:
$IPTABLES -A FORWARD -i eth0 -p tcp -d mail1.server.com --dport 25 -j ACCEPT
You should write instead:
$IPTABLES -A FORWARD -i eth0 -p tcp -d 192.168.14.254 --dport 25 -j ACCEPT
Did you get it?
This applies to all these rules below:
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp -d mail.server2.com --dport 25 -j DNAT --to 192.168.14.251:25
$IPTABLES -A FORWARD -i eth0 -p tcp -d mail.server2.com(wrong) --dport 25 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp -d server3.com --dport 25 -j DNAT --to 192.168.14.253:25
$IPTABLES -A FORWARD -i eth0 -p tcp -d server3.com(wrong) --dport 25 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp -d mail.server3.com --dport 25 -j DNAT --to 192.168.14.253:25
$IPTABLES -A FORWARD -i eth0 -p tcp -d mail.server3.com(wrong) --dport 25 -j ACCEPT
Is it possible to use names instead of IPs, like in my situation?
Yes, it is *possible*. It depends on whether your firewall can access the DNS server when it is
loading those rules.
In my firewall, when it is loading the PREROUTING rules, it hasn't loaded the INPUT and OUTPUT rules yet,
so it is not permitted to send or receive any packet, so it can't contact
the DNS server to resolve names.
In my firewall I just load the FORWARD rules after I have loaded the INPUT and OUTPUT chains, so my
firewall can already access the DNS server.
hope it helps,
bruno
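The following is an added illustration, not code from either message in this thread. It models the two iptables behaviours Bruno relies on: a hostname given to '-d' is resolved to addresses once, when the rule is loaded (so an unresolvable name makes the rule fail to load), and nat/PREROUTING runs before filter/FORWARD, so a DNAT hit rewrites the destination before FORWARD ever sees the packet. The DNS table, the public address 203.0.113.10 and the client address are constructed sample data; as in Danila's setup, all three mail names point at the one public IP.

```python
"""Model of the PREROUTING DNAT -> FORWARD behaviour discussed in the thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data standing in for what DNS returns at rule-load time.
# All three mail names share the router's one public address, as in Danila's setup.
PUBLIC_IP = "203.0.113.10"  # assumed documentation address, not from the thread
SAMPLE_DNS: Dict[str, List[str]] = {
    "mail.server1.com": [PUBLIC_IP],
    "mail.server2.com": [PUBLIC_IP],
    "mail.server3.com": [PUBLIC_IP],
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    dst_ip: str               # the '-d' match, already resolved to an address
    dport: int
    target: str               # "DNAT" or "ACCEPT"
    to: Optional[str] = None  # '--to ip:port' for DNAT


def resolve(dst: str, dns: Dict[str, List[str]]) -> List[str]:
    """Load-time resolution: '-d name' is looked up once, when the rule is
    inserted, and expands to one rule per address. A literal IP passes through.
    If the name cannot be resolved (e.g. no DNS reachable yet), the rule fails
    to load, which is the ordering problem Bruno describes."""
    if dst in dns:
        return dns[dst]
    parts = dst.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return [dst]
    raise ValueError(f"cannot resolve {dst!r}: rule would not load")


def load_rules(specs: List[Tuple[str, int, str, Optional[str]]],
               dns: Dict[str, List[str]]) -> List[Rule]:
    """Build a chain from (dst, dport, target, to) specs, resolving names."""
    chain: List[Rule] = []
    for dst, dport, target, to in specs:
        for ip in resolve(dst, dns):
            chain.append(Rule(ip, dport, target, to))
    return chain


def first_match(chain: List[Rule], pkt: Packet) -> Optional[Rule]:
    """iptables semantics: the first rule whose match fits decides."""
    for rule in chain:
        if rule.dst_ip == pkt.dst and rule.dport == pkt.dport:
            return rule
    return None


def forward_packet(pkt: Packet, prerouting: List[Rule],
                   forward: List[Rule]) -> Tuple[str, str]:
    """nat/PREROUTING runs before filter/FORWARD. A DNAT hit rewrites the
    destination, so FORWARD only ever sees the rewritten (private) address.
    Returns (destination seen by FORWARD, verdict); policy DROP is assumed."""
    hit = first_match(prerouting, pkt)
    if hit is not None and hit.target == "DNAT" and hit.to:
        ip, port = hit.to.split(":")
        pkt = Packet(pkt.src, ip, int(port))
    verdict = "ACCEPT" if first_match(forward, pkt) else "DROP"
    return pkt.dst, verdict


def demo() -> Dict[str, object]:
    """Run the thread's rules against one SMTP packet from the internet."""
    prerouting = load_rules([
        ("mail.server1.com", 25, "DNAT", "192.168.14.254:25"),
        ("mail.server2.com", 25, "DNAT", "192.168.14.251:25"),
        ("mail.server3.com", 25, "DNAT", "192.168.14.253:25"),
    ], SAMPLE_DNS)
    # Danila's FORWARD rule (hostname resolves to the public IP) and Bruno's fix.
    wrong_forward = load_rules([("mail.server1.com", 25, "ACCEPT", None)], SAMPLE_DNS)
    right_forward = load_rules([("192.168.14.254", 25, "ACCEPT", None)], SAMPLE_DNS)
    pkt = Packet("198.51.100.7", PUBLIC_IP, 25)  # constructed external client
    return {
        "wrong": forward_packet(pkt, prerouting, wrong_forward),
        "right": forward_packet(pkt, prerouting, right_forward),
        # every '-d name' collapsed to the same address, so rule 1 takes all of it
        "dnat_matches": [r.dst_ip for r in prerouting],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows why Bruno's correction matters: with '-d mail.server1.com' in FORWARD the packet is dropped, because that name resolved to the public address at load time while the packet arriving in FORWARD already carries 192.168.14.254. It also shows the limit of the name-based approach Danila asked about: after loading, all three PREROUTING rules match the same public address, so the first one takes every port-25 connection. A TCP packet carries only the destination address, never the hostname the client looked up, so DNAT has nothing to distinguish the three names by.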