help with iptables

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Mon Jan 22 15:22:08 UTC 2007


On Fri, Jan 19, 2007 at 10:56:03AM -0500, Dave Cramer wrote:
> Here's what I want to do
> 
> I have a new mail spam filter machine I want to test before I change  
> the mx records
> 
> 
> this machine I will call A receives mail and forwards it to B
> 
> currently B is the MX
> 
> So what I'd like to do is, using iptables:
> 
> route port 25 traffic currently going to B --> A except when it comes  
> from A
> 
> I tried
> 
> iptables -t nat -A PREROUTING -p tcp -m tcp -s ! A --dport 25 -j DNAT  
> --to-destination A
> 
> but this didn't work
> 
> suggestions ?

iptables -t nat -A PREROUTING -p tcp -m tcp -s ! AexternalIP --dport 25 -j DNAT  --to-destination AinternalIP
You also need to change the source IP to be that of B's internal address
on those connections matching this rule so that the reply will go from A
to B and back to the original requestor.  If A only has an internal IP
(I doubt it based on your description) and uses B as the default
gateway, then you only need a DNAT rule (since there is only an internal
IP to forward to, but that is not your setup at all I take it). 

You could also do:
iptables -t nat -A PREROUTING -p tcp -m tcp -s ! AexternalIP --dport 25 -j DNAT  --to-destination AexternalIP
along with a rule changing the source IP of the packet to that of B's
external IP.  You must make the reply go back to B so that it can send
it back to the originator.  This of course means all your logs on A will
say the message is coming from B, which really sucks.

Your line actually makes a connection show up on A that appears to come
from the original site, so A will reply to the original site, which has
no idea who A is or why A is sending it replies, since it was talking to
B.  That doesn't work.

--
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
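The complete rule set Len describes (DNAT plus the matching SNAT so A's replies return through B), as an added example that is not from the thread or from either poster. It is written as a dry-run generator for review on B; the addresses passed in are placeholders, and `! -s` is the current negation syntax for the older `-s !` form used in the thread.

```shell
#!/bin/sh
# Added example: rules B needs to hand inbound SMTP to A, excluding traffic
# from A itself.  Arguments: B's external IP, A's IP as reachable from B,
# and an optional "apply" to execute instead of print.
mx_redirect_rules() {
    b_ext="$1"; a_ip="$2"; mode="${3:-print}"
    run() { if [ "$mode" = apply ]; then "$@"; else echo "$*"; fi; }

    # B must forward packets for the DNAT'd flow to reach A.
    run sysctl -w net.ipv4.ip_forward=1

    # 1. Rewrite the destination: SMTP arriving at B that is not from A
    #    is sent on to A.  This alone is the rule from the original post.
    run iptables -t nat -A PREROUTING -p tcp ! -s "$a_ip" -d "$b_ext" \
        --dport 25 -j DNAT --to-destination "$a_ip"

    # 2. Rewrite the source on that same (DNAT'd) flow so A answers B.
    #    Connection tracking then undoes both rewrites on the reply, so
    #    the original sender sees answers from B as expected.  Without
    #    this, A replies straight to the sender and the handshake fails
    #    (the failure Len points out), unless A routes every reply via B.
    run iptables -t nat -A POSTROUTING -p tcp -d "$a_ip" --dport 25 \
        -m conntrack --ctstate DNAT -j SNAT --to-source "$b_ext"

    # 3. Allow the forwarded flow and its replies through FORWARD.
    run iptables -A FORWARD -p tcp -d "$a_ip" --dport 25 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -p tcp -s "$a_ip" --sport 25 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Dry run with constructed placeholder addresses (documentation ranges).
mx_redirect_rules 203.0.113.5 198.51.100.9
```

As Len notes, the SNAT step means A's logs show B as the client; the log data for the real sender survives only in B's conntrack table while the connection is open.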
