Hello, Robert LeBlanc wrote:
I'm having problems with my e-mail server saying that every connection originates from the NAT box. I checked it on my other Linux server and sure enough, even though I have 1:1 DNAT and a reverse SNAT configured, packets destined for my server show the NAT box as the source. How do you configure DNAT so that it keeps the original Internet address and does not mangle it, only the destination address to my server on a private subnet?
DNAT never mangles the source address in the PREROUTING chain. DNAT can mangle the source address only in the OUTPUT chain to match the new output interface.
iptables -t nat -A PREROUTING -d 1.1.1.4 -j DNAT --to-destination 192.168.2.10
iptables -t nat -A POSTROUTING -s 192.168.2.10 -j SNAT --to-source 1.1.1.4

So the gateway's public address is 1.1.1.1 and the e-mail server is 1.1.1.4. The e-mail logs and ssh logins all show that every connection is made from 1.1.1.1 even though the connections are made from the Internet.
I bet that is the result of another SNAT rule, maybe the one used to masquerade the private subnet on the Internet, which matches more than it should. For instance, you have:

iptables -t nat -A POSTROUTING -j SNAT --to 1.1.1.1

when you need:

iptables -t nat -A POSTROUTING -o <public_interface> -s 192.168.2.0/24 \
    -j SNAT --to 1.1.1.1
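A way to audit a ruleset for exactly this kind of over-broad POSTROUTING SNAT rule, as an added example that is not from this thread; the iptables-save text below is constructed to mirror the rules discussed, and the interface name eth0 in the corrected rule is an assumption:

```shell
#!/bin/sh
# Audit the nat table (iptables-save format) for POSTROUTING SNAT/MASQUERADE
# rules that carry neither a source subnet (-s) nor an output interface (-o).
# Such a rule also matches inbound connections that were DNATed to an internal
# host, rewriting their source to the gateway address, which is what makes
# every connection appear to come from the NAT box.

# Constructed sample: the three rules from the thread, with the broad one last.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 1.1.1.4/32 -j DNAT --to-destination 192.168.2.10
-A POSTROUTING -s 192.168.2.10/32 -j SNAT --to-source 1.1.1.4
-A POSTROUTING -j SNAT --to-source 1.1.1.1
COMMIT'

# Constructed sample of the corrected rule (assumed public interface eth0).
FIXED_RULES='*nat
-A POSTROUTING -o eth0 -s 192.168.2.0/24 -j SNAT --to-source 1.1.1.1
COMMIT'

# Print every POSTROUTING SNAT/MASQUERADE rule that has no -s and no -o.
find_broad_snat() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING/ && (/-j SNAT/ || /-j MASQUERADE/) {
            has_src = 0; has_oif = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") has_src = 1
                if ($i == "-o") has_oif = 1
            }
            if (!has_src && !has_oif) print
        }'
}

# Number of broad rules found; 0 means every SNAT rule is scoped.
count_broad_snat() {
    find_broad_snat "$1" | awk 'END { print NR }'
}

# Stand-alone use: audit the live table with
#   count_broad_snat "$(iptables-save -t nat)"
```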