On 5/5/05, Jason Opperisano <opie@xxxxxxxxxxx> wrote:
> <--snip crazy routing stuff-->
>
> sounds like you want 1-to-1 NAT for the mail server, which takes 2 NAT
> rules (one for connections initiated *to* the mailserver, and one for
> connections initiated *from* the mailserver):
>
> iptables -t nat -A PREROUTING -i eth0 -d 217.154.55.250 \
>     -j DNAT --to-destination $MAILSRV_PRIV_IP

That I have working fine.

> iptables -t nat -A POSTROUTING -o eth0 -s $MAILSRV_PRIV_IP \
>     -j SNAT --to-source 217.154.55.250

Ah - tried this:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.254.2 -p tcp --dport 25 \
    -j SNAT --to-source 217.154.55.250

Or variants thereof. No Joy... I could scream......

Anyone any ideas?

Greg

mail.e-dba.net = 192.168.254.3, the DMZ / private address

$ iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target      prot opt source               destination
DNAT        tcp  --  anywhere             mail.e-dba.net       tcp dpt:smtp to:192.168.254.2

Chain POSTROUTING (policy ACCEPT)
target      prot opt source               destination
MASQUERADE  all  --  192.168.0.0/16       anywhere
SNAT        tcp  --  mail.e-dba.net       anywhere             to:217.154.55.250

Chain OUTPUT (policy ACCEPT)
target      prot opt source               destination

> sounds like you already have the 1st rule in place. make sure the 2nd
> rule comes *before* any outbound SNAT/MASQ rule that is less specific.
>
> -j
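The ordering problem Jason describes (a broad MASQUERADE in POSTROUTING matching the mail server's packets before the host-specific SNAT is reached) can be checked mechanically. The following is an added example, not code from the thread; it parses `iptables -t nat -S POSTROUTING` style output and the sample listings are constructed to mirror the `-L` output Greg posted. It only considers the `-s` and `-j` tokens of each rule, so it flags source-based shadowing and ignores other match criteria such as `-p`/`--dport`.

```python
import ipaddress
import shlex

# Constructed sample in `iptables -t nat -S POSTROUTING` form, mirroring the
# ordering in the thread's `-L` listing: the /16 MASQUERADE comes first.
BAD_ORDER = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.254.2/32 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 217.154.55.250
"""

# Same rules with the host-specific SNAT placed ahead of the catch-all.
GOOD_ORDER = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.254.2/32 -o eth0 -p tcp -m tcp --dport 25 -j SNAT --to-source 217.154.55.250
-A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
"""


def parse_rules(listing):
    """Turn `-A POSTROUTING ...` lines into dicts holding source net and target."""
    rules = []
    for line in listing.splitlines():
        argv = shlex.split(line)
        if argv[:2] != ["-A", "POSTROUTING"]:
            continue  # skip the -P policy line and anything from other chains
        rule = {"src": ipaddress.ip_network("0.0.0.0/0"), "target": None, "spec": line}
        for i, tok in enumerate(argv):
            if tok == "-s":
                rule["src"] = ipaddress.ip_network(argv[i + 1], strict=False)
            elif tok == "-j":
                rule["target"] = argv[i + 1]
        rules.append(rule)
    return rules


def shadowing_rule(listing, host):
    """Return the spec of the first SNAT/MASQUERADE rule whose source range
    covers `host` but is broader than a /32, i.e. the rule that will rewrite
    the host's traffic before its own 1-to-1 SNAT is reached; None if the
    first matching NAT rule is already the host-specific one."""
    addr = ipaddress.ip_address(host)
    for rule in parse_rules(listing):
        if rule["target"] not in ("SNAT", "MASQUERADE"):
            continue  # other targets do not consume the packet for source NAT
        if addr not in rule["src"]:
            continue
        # First NAT rule that matches this host: fine if it is the /32 entry.
        return None if rule["src"].prefixlen == 32 else rule["spec"]
    return None
```

In practice, feed it the real output: `shadowing_rule(subprocess.check_output(["iptables", "-t", "nat", "-S", "POSTROUTING"], text=True), "192.168.254.2")`, and fix the order with `iptables -t nat -I POSTROUTING 1 ...` rather than `-A`.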