
Re: Forward the smtp packages to another IP on another debian box.



Hi Patrik

I'm not sure why you have two gateways at your local site; why can't you have one router that handles both connections?

$IPT -t nat -A POSTROUTING -p tcp -d 0/0 --sport $SMTPPORT -j SNAT --to $DEBBY_LAN:$SMTPPORT

Basically, how NAT works is:
a > nat > b
When a talks to b through NAT, the NAT box changes the source address from a to itself; then b responds to the NAT box, which remembers this connection and forwards it on to a.

I'm not sure what you are trying to do with that config, but I think you want it so that when a packet comes in it changes the source address to the second gateway, which would then send it out on the second gateway.

This will not work. To achieve what you want, you will need your main router (the one that is the workstations' default gateway) to have multiple routing tables and use routing rules to send SMTP traffic out the second connection.




Patrik Hasibuan wrote:
Dear friends,

I am now building 2 internet gateways.

I distribute the job load based on the port number. As a first step, I do this:
- POP3 will go outgoing and incoming through gateway1, whose IPs are 192.168.23.9 (internal interface) and 202.155.0.179 (external interface);
- SMTP will go outgoing and incoming through gateway2, whose IPs are 192.168.23.2 (internal interface) and 202.155.0.180 (external interface).

The default gateway defined on the workstations is "192.168.23.9".

The POP3 and SMTP servers are provided by my webhosting (yahoo.com). They are: 'pop.bizmail.yahoo.com' and 'smtp.bizmail.yahoo.com'.

But it does not work as I expect. I have tested on '192.168.23.2' by sending an email from that debby box, and it succeeded.

Where are my mistakes?

Thank you very much in advance.

This is my script.

#!/bin/bash
###############################################################
# Adding default gateway
#/sbin/route add default gateway 202.155.0.177

###############################################################
# Initialize some parameter
INET_INTERFACE="eth0"
LAN_INTERFACE="eth1"
LOOPBACK_INTERFACE="lo"

IPT="/usr/sbin/iptables"
INET_ADDR="202.155.0.179"
DEBBY_LAN="192.168.23.2"
LAN_ADDR="192.168.23.9"
LAN_ADDRESSES="192.168.23.0/24"  # LAN Addresses range
LAN_DNS="192.168.23.9"    # Please specify your DNS server in LAN

POP3PORT="110"
SMTPPORT="25"
DNSPORT="53"
UNPRIVPORTS="1024:65535"  # unprivileged port range

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
   echo 0 > $f
done

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
   echo 0 > $f
done

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
   echo 0 > $f
done

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
   echo 1 > $f
done

for f in /proc/sys/net/ipv4/conf/*/log_martians; do
   echo 0 > $f
done

$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
$IPT --policy INPUT ACCEPT
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT
if [ "$1" = "stop" ]; then
echo "Firewall completely stopped!  WARNING: THIS HOST HAS NO FIREWALL RUNNING."
exit
fi

$IPT -A INPUT  -i $LOOPBACK_INTERFACE -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

$IPT --policy INPUT   DROP
$IPT --policy OUTPUT  DROP
$IPT --policy FORWARD DROP

$IPT -t nat -A POSTROUTING -p tcp -d 0/0 --sport $SMTPPORT -j SNAT --to $DEBBY_LAN:$SMTPPORT

$IPT -t nat -A POSTROUTING -p tcp -o $INET_INTERFACE -j SNAT --to-source $INET_ADDR
$IPT -t nat -A POSTROUTING -p udp -o $INET_INTERFACE -j SNAT --to-source $INET_ADDR

$IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -i $LAN_INTERFACE -s $LAN_ADDRESSES -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INET_INTERFACE -s 0/0 -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o $LAN_INTERFACE -d $LAN_ADDRESSES -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT

$IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT

$IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INET_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT

$IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p udp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $POP3PORT -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $POP3PORT -m state --state NEW -j ACCEPT






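The setup the reply describes (one router, two uplinks, a second routing table selected by a routing rule for SMTP), as an added worked example that is not part of the original thread and not the poster's script. It reuses the thread's values (LAN eth1 192.168.23.0/24, uplink eth0 with 202.155.0.179 and next hop 202.155.0.177, second public address 202.155.0.180) and assumes the rest: the second uplink is eth2, its next hop 203.0.113.1 is an RFC 5737 placeholder, and mark 2 and table 100 are arbitrary choices. The script prints the commands by default so they can be reviewed without root; run it with "apply" to execute them.

```shell
#!/bin/sh
# Added example, not the original poster's script: one router with two uplinks,
# steering LAN SMTP (tcp/25) out the second link with a separate routing table.
# From the thread: eth1/192.168.23.0/24, eth0/202.155.0.179 via 202.155.0.177,
# second public address 202.155.0.180.
# ASSUMED: second uplink is eth2; its next hop 203.0.113.1 is an RFC 5737
# placeholder; fwmark 2 and table 100 are arbitrary.
set -u

LAN_IF="eth1";  LAN_NET="192.168.23.0/24"
WAN1_IF="eth0"; WAN1_ADDR="202.155.0.179"; WAN1_GW="202.155.0.177"
WAN2_IF="eth2"; WAN2_ADDR="202.155.0.180"; WAN2_GW="203.0.113.1"   # next hop assumed
SMTP_PORT=25
SMTP_MARK=2      # fwmark that selects the second table (arbitrary)
SMTP_TABLE=100   # routing table id for the second uplink (arbitrary)

# Emit the commands instead of running them, so the rule set can be reviewed
# (and checked) without root. "$0 apply" executes them.
policy_routing_cmds() {
    cat <<EOF
# main table: everything defaults to uplink 1
ip route replace default via $WAN1_GW dev $WAN1_IF
# second table: default via uplink 2, plus the LAN's connected route so a
# marked packet that is LAN-bound can never be sent out the uplink
ip route replace default via $WAN2_GW dev $WAN2_IF table $SMTP_TABLE
ip route replace $LAN_NET dev $LAN_IF table $SMTP_TABLE
# packets carrying the mark consult the second table instead of main
ip rule add fwmark $SMTP_MARK lookup $SMTP_TABLE
# mark every LAN packet to tcp/25 BEFORE the routing decision: mangle PREROUTING
# runs before routing, nat POSTROUTING runs after it, so SNAT cannot steer a packet
iptables -t mangle -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport $SMTP_PORT -j MARK --set-mark $SMTP_MARK
# source NAT is chosen by the interface the packet actually leaves on
iptables -t nat -A POSTROUTING -o $WAN1_IF -j SNAT --to-source $WAN1_ADDR
iptables -t nat -A POSTROUTING -o $WAN2_IF -j SNAT --to-source $WAN2_ADDR
# FORWARD policy (DROP by default in the posted script): allow new SMTP flows
# out uplink 2 and their replies back
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN2_IF -p tcp --dport $SMTP_PORT -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# replies to $WAN2_ADDR arrive on $WAN2_IF, but the main table reaches their source
# via $WAN1_IF, so strict rp_filter (=1, as in the posted script) drops them.
# Use loose mode (2; on kernels before 2.6.31 use 0) on both uplinks.
sysctl -w net.ipv4.conf.$WAN1_IF.rp_filter=2
sysctl -w net.ipv4.conf.$WAN2_IF.rp_filter=2
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Number of iptables rules in the generated set (quick sanity check).
rule_count() {
    policy_routing_cmds | grep -c '^iptables'
}

if [ "${1:-}" = "apply" ]; then
    policy_routing_cmds | grep -v '^#' | sh -e
else
    policy_routing_cmds
fi
```

Two things to verify after applying: `ip rule show` must list the fwmark rule above the main table, and `ip route show table 100` must contain the second default route; if the rp_filter change is skipped, the SMTP handshake will leave on eth2 but the SYN-ACK will be silently dropped on the way back, which looks exactly like "it does not work as I expect".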