On Thursday 20 March 2003 06:26, Hanasaki JiJi wrote:
> been trying to get the following to work for sometime.... input is most
> appreciated
>
> internet <=25= firewall iptablerule =port#x=> internalSMTPhost
>
> how can the firewall be told to:
> take all incoming tcp port 25 traffic and send it to
> smtp host on port X

iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination \
    $SMTP_HOST:$port

Remember that if you want to apply filters on a destination-NATed port you have to do it in the FORWARD hook (not in the INPUT hook as usual), so if you have DROP as the default policy in the FORWARD hook, DNAT won't work until you ACCEPT, in FORWARD, the connections destined for these DNATed ports.

> take all outgoing traffic from smtphost <port25only>
> and send it out to the internet on port 25

iptables -t nat -A POSTROUTING -p tcp -s $SMTP_HOST -j SNAT \
    --to-source INTERNET

This rule is not exactly what you asked for, but you have to take care not only of SMTP traffic: the SMTP server also needs to perform lookups to DNS servers (yes, you can assign a local one...). Anyway, if you need/want only SMTP connections to be NATed, you can define the destination port (25) (add --dport 25 to the nat rule), which is better than the source port (even if you know for sure that SMTP connections are only established from this port). (Someone on the SMTP host could connect to any host at any port using 25 as the source TCP port; if you define a destination port, this kind of malicious connection is disallowed.) But you can also specify a source port (--sport 25):

iptables -t nat -A POSTROUTING -p tcp -s $SMTP_HOST --sport 25 --dport 25 \
    -j SNAT --to-source INTERNET:25

> Thank you.

Kind Regards
Victor
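A complete rule set covering everything the reply above touches on (the PREROUTING DNAT, the FORWARD-hook ACCEPTs without which the DNAT is dropped, an outbound SNAT keyed on destination port 25 rather than source port, and the DNS lookups the mail host also needs), as an added example that is not part of the original message or Victor's rules. The host address, internal port and public address passed as arguments are constructed placeholders, and the IPT variable is an assumption: with its default of "echo iptables" the function only prints the rules, so it can be previewed without touching the kernel; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Builds the inbound DNAT,
# the FORWARD ACCEPTs and the outbound SNAT for a single internal SMTP host.
# IPT is an assumed variable: default "echo iptables" prints the rules only.

: "${IPT:=echo iptables}"

smtp_nat_rules() {
    smtp_host="$1"   # internal SMTP host, constructed e.g. 192.168.1.10
    smtp_port="$2"   # port X the internal host listens on, e.g. 2525
    internet="$3"    # firewall's public address used as the SNAT source

    # 1. Inbound: rewrite the destination before routing (nat/PREROUTING).
    $IPT -t nat -A PREROUTING -p tcp --dport 25 \
        -j DNAT --to-destination "${smtp_host}:${smtp_port}"

    # 2. DNATed packets traverse FORWARD, not INPUT. With a DROP policy on
    #    FORWARD they must be accepted explicitly or the DNAT does nothing.
    $IPT -A FORWARD -p tcp -d "$smtp_host" --dport "$smtp_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # 3. Outbound from the mail host: match on the *destination* port 25,
    #    not the source port, so a process on that host cannot reach
    #    arbitrary remote ports merely by choosing 25 as its source port.
    $IPT -A FORWARD -p tcp -s "$smtp_host" --dport 25 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -p tcp -s "$smtp_host" --dport 25 \
        -j SNAT --to-source "$internet"

    # 4. Return traffic for any connection already forwarded.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. The reply's caveat: the SMTP server must also resolve names, so
    #    allow and NAT its DNS queries (UDP and TCP port 53).
    for proto in udp tcp; do
        $IPT -A FORWARD -p "$proto" -s "$smtp_host" --dport 53 -j ACCEPT
        $IPT -t nat -A POSTROUTING -p "$proto" -s "$smtp_host" --dport 53 \
            -j SNAT --to-source "$internet"
    done
}

# Preview (constructed addresses): prints nine iptables commands.
smtp_nat_rules 192.168.1.10 2525 203.0.113.1
```

The ordering matters in practice: the FORWARD ACCEPTs must exist before the default policy is set to DROP, and the two nat rules are deliberately restricted to one protocol and destination port each, so nothing on the mail host gets a general masquerade out of the rule set.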