If the internal IP addresses aren't consecutive, you could try the one-two
punch:
mangle:

  #ACTION                          SOURCE             DEST  PROTO  DPORT
  MARK($EMAIL1_MARK/$CONNMASK):P   $FILTER_PROVIDER   -     tcp    25465  { state=NEW }
  MARK($EMAIL2_MARK/$CONNMASK):P   $FILTER_PROVIDER   -     tcp    25465  { state=NEW probability=.5 }

rules:

  #ACTION  SOURCE                   DEST              PROTO  DPORT
  DNAT     Dirty:$FILTER_PROVIDER   CEM01:10.0.69.5   tcp    25465  { origdest=$OUR_PUB mark=$EMAIL1_MARK/$CONNMASK }
  DNAT     Dirty:$FILTER_PROVIDER   CEM01:10.0.69.7   tcp    25465  { origdest=$OUR_PUB }
This will send half (*probability=.5*) the mail to 10.0.69.5 and the rest to 10.0.96.7. Substitute your values for the variables above.
Bill
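As an added example (not from Bill's post and not Shorewall's own code), here is a small Python model of the mark-override chain above, generalised from two backends to N: each later mangle rule overwrites the mark set by the earlier ones, so rule i needs probability 1/i for an even split. The variable names ($EMAILn_MARK, $CONNMASK, $FILTER_PROVIDER, $OUR_PUB) are taken from the post and assumed to be defined in params.

```python
# Added example (not from the thread or from Shorewall itself): a model of
# the mark-override trick, generalised from two backends to N.  Every later
# mangle rule overwrites the mark set by the earlier ones, so rule i needs
# probability 1/i for an even split.  Variable names ($EMAILn_MARK,
# $CONNMASK, $FILTER_PROVIDER, $OUR_PUB) follow the post and are assumed.
from fractions import Fraction


def override_probabilities(n):
    """Probability for mangle rule i (1-based) in an N-backend chain."""
    if n < 1:
        raise ValueError("need at least one backend")
    return [Fraction(1, i) for i in range(1, n + 1)]  # 1, 1/2, 1/3, ...


def backend_shares(probs):
    """Exact fraction of NEW connections that still carry mark i after all
    later rules have had their chance to overwrite it."""
    shares = []
    for i, p in enumerate(probs):
        share = p
        for later in probs[i + 1:]:
            share *= 1 - later
        shares.append(share)
    return shares


def shorewall_fragment(backends, port="25465", zone="CEM01"):
    """Render mangle and rules lines in the layout used in the post."""
    probs = override_probabilities(len(backends))
    mangle, rules = [], []
    for i, p in enumerate(probs, 1):
        # rule 1 is unconditional; later rules carry a probability
        opts = "{ state=NEW }" if p == 1 else f"{{ state=NEW probability={float(p):.4f} }}"
        mangle.append(f"MARK($EMAIL{i}_MARK/$CONNMASK):P\t$FILTER_PROVIDER\t-\ttcp\t{port}\t{opts}")
    for i, ip in enumerate(backends, 1):
        # the last DNAT rule is the catch-all, so it carries no mark match
        opts = ("{ origdest=$OUR_PUB }" if i == len(backends)
                else f"{{ origdest=$OUR_PUB mark=$EMAIL{i}_MARK/$CONNMASK }}")
        rules.append(f"DNAT\tDirty:$FILTER_PROVIDER\t{zone}:{ip}\ttcp\t{port}\t{opts}")
    return mangle, rules


if __name__ == "__main__":
    m, r = shorewall_fragment(["10.0.69.5", "10.0.69.7", "10.0.69.9"])
    print("mangle:", *m, "rules:", *r, sep="\n")
    print([str(s) for s in backend_shares(override_probabilities(3))])
```

With two backends the model reproduces the .5 split from the post; with three it shows why the third rule needs probability 1/3 rather than .5.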
On 6/26/2020 4:42 PM, Tom Eastep wrote:
On 6/26/20 10:06 AM, Norman Henderson wrote:
Hello! We have an external IP on a gateway server outside the
organization that receives SMTP Email from a spam filter provider, and
forwards it to an internal server over VPN using DNAT:
  DNAT  Dirty:<our spam filter provider IP>  CEM01:10.0.69.5  tcp  25,465  -  <our public IP that is allowed to receive from the spam filter provider>
The thing is that we now have two internal Email servers. Inside the
organization, DNS round-robin takes care of ensuring client access to
whichever server is available.
Is there any way to DNAT to two different internal IP addresses? Or how
should I approach this?
If the internal IP addresses are consecutive, you can specify <ip1>-<ip2> as the server ip address in the DEST column.
-Tom
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users