On Wed, 12 Oct 2005, Stephen Satchell wrote:
IPTABLES TO THE RESCUE! In each of the 31 servers, put a set of firewall
rules to DNAT up to 200 IP addresses to the gateway server, let the TCP
communications on port 25 (and other well-known mail ports) happen, and put a
back-channel using another port for mail that needs to go to that server for
storage, future pick-up, forwarding, list explosion, and autoresponder
processing.
I can't get it to work.
Do I understand you correctly that you DNAT on the servers themselves and
not on a firewall in front of them?
To DNAT in a one-legged setup you need to be very careful. Return traffic
also has to go via the DNAT point.
The simplest way is to also SNAT the traffic to the server's own IP address,
but this has the drawback that the original client IP is lost.
The more advanced method is to DNAT to a "gateway server" private IP
address unique for this specific server (private == only used for the
DNAT between this server and the "gateway"), and on the "gateway server"
use policy routing to route traffic from that private IP back to the
correct server that DNATed the traffic.
Regards
Henrik
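Henrik's two options written out as rule generators, as an added example that is not part of the thread: the simple SNAT variant that discards the client address, and the per-server private gateway address plus policy routing that preserves it. Everything here is constructed: the addresses, the interface name eth0, the 10.99.0.x private addresses and the routing-table numbers are assumptions, and the script only prints the commands rather than applying them.

```sh
#!/bin/sh
# Added example, not from the thread. Emits (does not apply) the rules for the
# two schemes Henrik describes. All addresses/names below are constructed.

GW_PUBLIC=198.51.100.1          # gateway server's real address (assumed)
MAIL_PORTS="25,465,587"         # port 25 "and other well-known mail ports"

# Simple variant: DNAT to the gateway and SNAT to the server's own address, so
# replies come back to the server; drawback: the gateway sees the server, not
# the client, as the source.   $1 = server IP, $2 = public CIDR it answers for
server_rules_snat() {
    cat <<EOF
iptables -t nat -A PREROUTING -d $2 -p tcp -m multiport --dports $MAIL_PORTS -j DNAT --to-destination $GW_PUBLIC
iptables -t nat -A POSTROUTING -d $GW_PUBLIC -p tcp -m multiport --dports $MAIL_PORTS -j SNAT --to-source $1
EOF
}

# Advanced variant, server side: DNAT to a private gateway address that only
# this server uses. Client IP is preserved; conntrack un-DNATs the replies when
# they are routed back through this server.
#   $1 = server id (1..31), $2 = server IP, $3 = public CIDR it answers for
server_rules() {
    priv="10.99.0.$1"
    cat <<EOF
# on server $1 ($2)
sysctl -w net.ipv4.ip_forward=1
ip route add $priv/32 via $GW_PUBLIC
iptables -t nat -A PREROUTING -d $3 -p tcp -m multiport --dports $MAIL_PORTS -j DNAT --to-destination $priv
iptables -A FORWARD -d $priv -p tcp -m multiport --dports $MAIL_PORTS -j ACCEPT
iptables -A FORWARD -s $priv -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Advanced variant, gateway side: hold the private address and policy-route
# anything sourced from it back via the server that owns it, so the return
# path goes through the DNAT point.   $1 = server id, $2 = server IP
gateway_rules() {
    priv="10.99.0.$1"; table=$((100 + $1))
    cat <<EOF
# on the gateway, for server $1 ($2)
ip addr add $priv/32 dev eth0
ip rule add from $priv lookup $table
ip route add default via $2 table $table
EOF
}

# Example: rules for server 31 (constructed addresses).
server_rules 31 198.51.100.31 203.0.113.0/24
gateway_rules 31 198.51.100.31
```

Run the same pair of generators once per server (each with its own id) and the gateway ends up with one private alias and one routing table per server.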