help with iptables
Lennart Sorensen
lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Mon Jan 22 15:22:08 UTC 2007
On Fri, Jan 19, 2007 at 10:56:03AM -0500, Dave Cramer wrote:
> Here's what I want to do
>
> I have a new mail spam filter machine I want to test before I change
> the mx records
>
>
> this machine I will call A receives mail and forwards it to B
>
> currently B is the MX
>
> So what I'd like to do is using iptables:
>
> route port 25 traffic currently going to B --> A except when it comes
> from A
>
> I tried
>
> iptables -t nat -A PREROUTING -p tcp -m tcp -s ! A --dport 25 -j DNAT
> --to-destination A
>
> but this didn't work
>
> suggestions?
iptables -t nat -A PREROUTING -p tcp -m tcp -s ! AexternalIP --dport 25 -j DNAT --to-destination AinternalIP
You also need to change the source IP to be that of B's internal address
on those connections matching this rule so that the reply will go from A
to B and back to the original requestor. If A only has an internal IP
(I doubt it based on your description) and uses B as the default
gateway, then you only need a DNAT rule (since there is only an internal
IP to forward to, but that is not your setup at all I take it).
You could also do:
iptables -t nat -A PREROUTING -p tcp -m tcp -s ! AexternalIP --dport 25 -j DNAT --to-destination AexternalIP
along with a rule changing the source IP of the packet to that of B's
external IP. You must make the reply go back to B so that it can send
it back to the originator. This of course means all your logs on A will
say the message is coming from B, which really sucks.
Your line actually makes a connection show up on A that appears to come
from the original site, so A will reply to the original site, which has
no idea who A is or why A is sending it replies, since it was talking to
B. That doesn't work.
--
Len Sorensen
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
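The DNAT-plus-SNAT arrangement Len describes, written out as an added example that is not part of the thread: a script meant to run on B (the current MX), using constructed placeholder addresses 192.0.2.10 for A and 192.0.2.25 for B, with a dry-run mode that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Run on B, the current MX: inbound SMTP
# is redirected to the test filter A, while A's own deliveries back to B are
# left alone. Addresses below are constructed placeholders (RFC 5737 range).
A_IP="${A_IP:-192.0.2.10}"   # test filter A (placeholder)
B_IP="${B_IP:-192.0.2.25}"   # current MX B, where these rules run (placeholder)

# Execute a command, or only print it when DRY_RUN is set, so the rule set
# can be reviewed without root or a live netfilter.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

redirect_smtp_to_filter() {
    # 1. B must forward packets, or the DNATed connections go nowhere.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. DNAT: SMTP arriving at B from anyone except A is sent on to A.
    #    The "! -s A" exclusion (modern spelling of the thread's "-s ! A")
    #    is what lets A deliver the filtered mail back to B on port 25.
    run iptables -t nat -A PREROUTING -p tcp --dport 25 \
        ! -s "$A_IP" -j DNAT --to-destination "$A_IP"

    # 3. SNAT: rewrite the source to B so A's replies return through B and
    #    are un-NATed to the original sender. Without this A would answer the
    #    sender directly, which never spoke to A. Side effect, as Len notes:
    #    A's logs now show every connection as coming from B.
    run iptables -t nat -A POSTROUTING -p tcp -d "$A_IP" --dport 25 \
        -j SNAT --to-source "$B_IP"

    # 4. Let the redirected connection and its replies pass B's FORWARD chain.
    run iptables -A FORWARD -p tcp -d "$A_IP" --dport 25 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -p tcp -s "$A_IP" --sport 25 \
        -m state --state ESTABLISHED -j ACCEPT
}
```

Run with `DRY_RUN=1 sh script.sh` (after appending a call to `redirect_smtp_to_filter`) to inspect the generated rules before applying them on B.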