Theo Zourzouvillys wrote:
> so this is how it's done in 2.4... you are best to use destination NAT'ting, which alters the dst header and sends it out on another interface.

Another interface - no, this is definitely for one IP address systems - I have plenty of interfaces and only the Internet one routes to 5.6.7.8.

> using DNAT would not change the source address, only the destination, so it would go
>
>   6.6.6.6:1025 in eth0      -> 1.2.3.4:25
>   6.6.6.6:1025 out eth1 [1] -> 5.6.7.8:25
>
> then
>
>   5.6.7.8:25 in eth1  -> 6.6.6.6:1025
>   5.6.7.8:25 out eth0 -> 6.6.6.6:1025

So that assumes the route from 5.6.7.8 is via eth1?! That could be a problem. 5.6.7.8 is outside my routing domain, so I can't send packets to it claiming to be from 6.6.6.6, as that would be filtered by all good ISPs.

> so that translates in iptables to:
>
>   iptables -t nat -I PREROUTING -s 6.6.6.6 -d 1.2.3.4 -i eth0 -p tcp --dport 25 -j DNAT --to-destination 5.6.7.8:25
>
> any other connections will just fall through, and end up on 1.2.3.4's MTA. hope i understood the question right ;)

I think so - I guess opting to become a man in the middle is a bit weird; perhaps I'd better check out SMTP proxies, since it is only email I am interested in personally, not the general case. I'm fairly sure one of the switch vendors does exactly what I want in its NAT, as I'm sure I remember a "one armed" load balancing design from either Extreme or Foundry (not that I have either of those to play with in this case).

> [1] - now the problem here is netfilter can't currently NAT local to/from local src/dst. there is a patch in the pom (patch-o-matic) called IP_CONNTRACK_LOCAL that allows this, and it's already in the 2.4.19-pre iirc. when you build your kernel, cd into the iptables source and type "./pom newnat".

Hmm - lost me. Does that solve either of the issues mentioned?

-- 
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
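The packet flow Theo sketches, worked through as an added example that is not part of this thread: a small Python model of the NAT box at 1.2.3.4 that applies his DNAT rule in PREROUTING and, optionally, an SNAT rule in POSTROUTING, records the mapping the way conntrack would, and reverses it for the reply. It shows the asymmetric-routing problem raised above (with DNAT only, the reply from 5.6.7.8 is addressed straight to 6.6.6.6 and never passes the box unless 5.6.7.8's route happens to go that way) and how rewriting the source on egress brings the reply back through the box. The addresses and port 1025 are the thread's own example values; the SNAT rule this corresponds to is my suggestion, not something posted in the thread, and would be `iptables -t nat -A POSTROUTING -d 5.6.7.8 -p tcp --dport 25 -j SNAT --to-source 1.2.3.4`.

```python
# Toy model of a stateful NAT box (added example, not from the thread).
# One DNAT rule on ingress, optional SNAT on egress, and a conntrack-style
# table that maps the expected reply tuple back to the original client tuple.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatBox:
    """Model of the box at own_ip (1.2.3.4 in the thread)."""

    def __init__(self, own_ip, dnat_match, dnat_to, snat_to=None):
        self.own_ip = own_ip          # address the box itself owns
        self.dnat_match = dnat_match  # (src, dst, dport) selected by the PREROUTING rule
        self.dnat_to = dnat_to        # (new_dst, new_dport) from --to-destination
        self.snat_to = snat_to        # --to-source address for POSTROUTING, or None
        self.table = {}               # expected reply tuple -> original client packet

    def forward(self, pkt):
        """Client packet arriving on the Internet side (PREROUTING + POSTROUTING)."""
        if (pkt.src, pkt.dst, pkt.dport) != self.dnat_match:
            return pkt                # no rule matched: falls through to the local MTA
        out = replace(pkt, dst=self.dnat_to[0], dport=self.dnat_to[1])
        if self.snat_to:
            # Real netfilter may also remap the source port on collision; this
            # model keeps it, which is enough to show the routing difference.
            out = replace(out, src=self.snat_to)
        reply_key = (out.dst, out.dport, out.src, out.sport)
        self.table[reply_key] = pkt
        return out

    def reply(self, pkt):
        """Server reply seen by the box; returns None if no conntrack entry."""
        orig = self.table.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        # Undo both translations: client sees the reply from 1.2.3.4:25.
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def run_scenario(snat):
    """Return (packet sent to server, server's reply, what the client gets or None)."""
    box = NatBox("1.2.3.4", ("6.6.6.6", "1.2.3.4", 25), ("5.6.7.8", 25),
                 snat_to="1.2.3.4" if snat else None)
    client = Packet("6.6.6.6", 1025, "1.2.3.4", 25)
    to_server = box.forward(client)
    # The server simply swaps the tuple it received.
    from_server = Packet(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    # 5.6.7.8 is outside the box's routing domain, so the reply only reaches
    # the box if it is addressed to an address the box owns.
    reaches_box = from_server.dst == box.own_ip
    back_to_client = box.reply(from_server) if reaches_box else None
    return to_server, from_server, back_to_client


if __name__ == "__main__":
    for snat in (False, True):
        to_srv, from_srv, back = run_scenario(snat)
        print(f"SNAT={snat}: -> {to_srv.src}:{to_srv.sport} => {to_srv.dst}:{to_srv.dport}")
        print(f"           <- {from_srv.src}:{from_srv.sport} => {from_srv.dst}:{from_srv.dport}")
        print(f"           client receives: {back}")
```

With `snat=False` the reply is addressed to 6.6.6.6, so unless 5.6.7.8 routes to 6.6.6.6 through the box (the eth1 assumption questioned above) the client sees a SYN-ACK from 5.6.7.8:25 for a connection it opened to 1.2.3.4:25 and drops it. With `snat=True` the reply comes back to 1.2.3.4 and the box restores the original tuple, which is the usual one-armed setup; the cost is that 5.6.7.8 only ever sees 1.2.3.4 as the client, so its logs and any sender-based policy lose the real source. This model says nothing about the local-to-local NAT limitation in footnote [1]; that is a separate kernel issue.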