John Madden wrote:
>> If traffic does not flow without it, it could mean that the mail server
>> does not send the reply traffic back to the NAT box. This is a routing
>> problem. Does the mail server use the NAT box as its default gateway?
> Ah, now we're getting somewhere. No, the mail server doesn't use the
> NAT box as its default gateway, it's using a general default route
> somewhere else in the network for it. The NAT box and the mail server
> are on different VLANs, but that's about all that separates them --
Do you mean that they are in different subnets?
> both have globally routable IPs.
Private/public addressing does not matter here. You can have public
addresses behind a NAT box, although it may sound unusual (NAT is mostly
used to hide private addressing when you don't have enough public
addresses). The important word is "behind", meaning that traffic in both
directions flows through the NAT box. This is important because the NAT
box changed the source and/or destination address on the original
traffic, so it must put it back on the reply traffic in order for the
client to accept it as a reply. It's not the SNAT rule which puts the
original address back, it only makes the server see the NAT box as the
client and send the reply traffic back to it. But the drawback is that
the server does not see the real client source address.
Without SNAT, the mail server could use the NAT box as a gateway at
least for SMTP reply traffic (this could be done with advanced routing
if the mail server runs Linux) if they are in the same subnet or if a
tunnel can be established directly between them.
> I'm literally just trying to emulate the functionality of LVS here,
> where port 80 on an IP goes to one machine and port 25 goes somewhere
> else.
Sorry, I do not know how LVS works. I just know how Netfilter NAT works.
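A small model of the translation described above, added here as an illustration and not part of the thread. It is a simplification of Netfilter's connection tracking, and every address in it is constructed from documentation ranges; it shows why a DNATed reply that bypasses the NAT box arrives with the wrong source address, and what SNAT trades away to avoid that.

```python
# Added example (not from the thread): a tiny model of Netfilter DNAT/SNAT
# connection tracking, showing why reply traffic must pass back through the
# NAT box. All addresses are constructed (RFC 5737 documentation ranges).
from dataclasses import dataclass, replace

VIP = "203.0.113.10"      # public address clients connect to (on the NAT box)
MAIL = "203.0.113.25"     # mail server's own, also public, address
NATBOX = "203.0.113.1"    # NAT box's address towards the mail server's VLAN
CLIENT = "198.51.100.7"   # a remote SMTP client

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatBox:
    """DNAT VIP:25 to the mail server; optionally SNAT so it answers to us."""
    def __init__(self, snat: bool):
        self.snat = snat
        self.conntrack = {}   # reply 4-tuple -> original packet header

    def forward(self, p: Packet) -> Packet:
        # PREROUTING DNAT: only port 25 on the VIP is sent to the mail server
        if p.dst != VIP or p.dport != 25:
            return p
        out = replace(p, dst=MAIL)
        if self.snat:         # POSTROUTING SNAT: server sees the NAT box as client
            out = replace(out, src=NATBOX)
        # remember the reverse tuple so the reply can be un-translated
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = p
        return out

    def reply(self, p: Packet) -> Packet:
        orig = self.conntrack.get((p.src, p.sport, p.dst, p.dport))
        if orig is None:
            return p          # no conntrack entry: forwarded unchanged
        # put the original addresses back: reply comes "from" VIP to the client
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

def server_reply(p: Packet) -> Packet:
    """The mail server simply swaps the endpoints it saw."""
    return Packet(p.dst, p.dport, p.src, p.sport)

def simulate(snat: bool, reply_via_natbox: bool):
    """Return (client accepts reply?, source address the server saw)."""
    nat = NatBox(snat)
    at_server = nat.forward(Packet(CLIENT, 40000, VIP, 25))
    rep = server_reply(at_server)
    if reply_via_natbox:      # i.e. the mail server routes via the NAT box
        rep = nat.reply(rep)
    # the client only accepts a reply from the address/port it talked to
    return rep.src == VIP and rep.dst == CLIENT, at_server.src
```

Without SNAT, a reply routed around the NAT box reaches the client with the mail server's own address as source and is dropped; with SNAT the reply is addressed to the NAT box and always returns through it, at the cost of the server never seeing the client's real address.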