On Wed, 19 Mar 2003, Victor Calzado Mayo wrote:

> > internet <=25= firewall iptablerule =port#x=> internalSMTPhost
> >
> > how can the firewall be told to:
> > take all incoming tcp port 25 traffic and send it to
> > smtp host on port X
>
> iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination \
>     $SMTP_HOST:$port
>
> Remember that if you want to apply filters in a Destination "Nated" port you
> have to do it in the FORWARD hook (not in the INPUT hook as usual), so if
> you have DROP as default policy in the FORWARD hook DNAT won't work until
> you ACCEPT in FORWARD connections destined to these DNATed ports.

It's also worth knowing that this filtering must be based on the _real_
address of the receiving host and not the public, visible address. After
Victor's example:

    iptables -A FORWARD -d $SMTP_HOST -p tcp --dport $port -j ACCEPT

Also, the firewall performing the DNAT must react to ARP requests for the
"virtual" (public, whatever) IP address. Unless this is also the firewall's
primary address, I've cared for this by assigning it as an IP alias, i.e.

    ip addr add local $PUBLIC_ADDR/$CIDR_NETMASK broadcast + dev ethXX

The ethXX must of course be on the proper subnet where the traffic comes
from; the "outer edge" typically.

I'm not sure but I think you also need to SNAT the reply packets that are
associated with the connections that the above rules allow. Maybe connection
tracking does this automatically, though. The rule would be something like
this, but I'd experiment without it first:

    iptables -t nat -A POSTROUTING -s $SMTP_HOST -j SNAT \
        --to-source $PUBLIC_ADDR

--
pp / [EMAIL PROTECTED] / [EMAIL PROTECTED] / 040-532 95 80 / +358-40-532 95 80
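As an added example (not part of the original thread, and not anyone's posted configuration), here is the complete rule set the discussion arrives at, written so it can be dry-run first. Every name and address in it is an assumption for illustration: SMTP_HOST/SMTP_PORT for the internal mail host, PUBLIC_ADDR/PUBLIC_CIDR for the address the firewall answers for, WAN_IF for the outer interface, and RFC 1918 / RFC 5737 documentation addresses as defaults; the thread only has the bare $SMTP_HOST, $port and $PUBLIC_ADDR variables. The example also settles the open question at the end of the message: connection tracking does reverse the DNAT on reply packets by itself, so the POSTROUTING SNAT is not needed for them; what the reply path needs is a FORWARD rule that admits ESTABLISHED,RELATED traffic. The DNAT rule is additionally restricted with -i/-d so that only port 25 traffic arriving on the outer interface for the public address is rewritten, which the thread's one-line rule does not do.

```sh
#!/bin/sh
# Added example, not from the original e-mail thread. All names and
# addresses below are assumptions for illustration: SMTP_HOST/SMTP_PORT
# (internal mail host), PUBLIC_ADDR/PUBLIC_CIDR (address the firewall
# answers for on its outer interface) and WAN_IF. The default addresses
# are from RFC 1918 and RFC 5737 documentation ranges.
SMTP_HOST=${SMTP_HOST:-192.168.1.25}
SMTP_PORT=${SMTP_PORT:-2525}
PUBLIC_ADDR=${PUBLIC_ADDR:-198.51.100.10}
PUBLIC_CIDR=${PUBLIC_CIDR:-24}
WAN_IF=${WAN_IF:-eth0}
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 executes them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

smtp_forward_rules() {
    # 1. Make the firewall answer ARP for the public address. Skip this
    #    when PUBLIC_ADDR is already the primary address of WAN_IF.
    run ip addr add "$PUBLIC_ADDR/$PUBLIC_CIDR" dev "$WAN_IF"

    # 2. Rewrite the destination before the routing decision. Matching on
    #    -i and -d keeps the rule from also DNATing port 25 traffic that
    #    arrives on other interfaces or for other addresses.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_ADDR" \
        -p tcp --dport 25 -j DNAT --to-destination "$SMTP_HOST:$SMTP_PORT"

    # 3. The FORWARD chain sees the packet after DNAT, so the filter must
    #    match the real (internal) destination and port, not the public one.
    run iptables -A FORWARD -i "$WAN_IF" -d "$SMTP_HOST" -p tcp \
        --dport "$SMTP_PORT" -m state --state NEW -j ACCEPT

    # 4. Replies: conntrack reverses the DNAT on its own, so no SNAT is
    #    needed for them; the FORWARD chain just has to let them through.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

smtp_forward_rules
```

Run it as-is to see the four commands; run it as root with DRY_RUN=0 (and net.ipv4.ip_forward set to 1) to apply them. The rules append to whatever is already in the chains, so put a DROP policy or final DROP rule on FORWARD after them, not before. `-m state` is the match available on 2003-era kernels; `-m conntrack --ctstate` is the modern equivalent. The one case where the SNAT rule at the end of the message is actually needed is the hairpin case: clients on the internal LAN that connect to PUBLIC_ADDR would get replies directly from SMTP_HOST with the wrong source address, and need both a DNAT rule on the inner interface and a SNAT so the replies return via the firewall; that is left out here.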