
Re: iptables help to forward ports please



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 20 March 2003 06:26, Hanasaki JiJi wrote:
> been trying to get the following to work for sometime.... input is most
> appreciated
>
>
> internet <=25= firewall iptablerule =port#x=> internalSMTPhost
>
> how can the firewall be told to:
> 	take all incoming tcp port 25 traffic and send it to
> 	smtp host on port X


iptables -t nat -A PREROUTING  -p tcp --dport 25 -j DNAT --to-destination \
$SMTP_HOST:$port

Remember that if you want to apply filters to a destination-NATed port you 
have to do it in the FORWARD hook (not in the INPUT hook as usual), so if 
you have DROP as the default policy in the FORWARD hook, DNAT won't work until 
you ACCEPT in FORWARD the connections destined to these DNATed ports. 


>
> 	take all outgoing traffice from smtphost <port25only>
> 	and send it out to the internet on port 25

iptables -t nat -A POSTROUTING -p tcp -s $SMTP_HOST -j SNAT \
  --to-source $INTERNET_IP

This rule is not exactly what you asked for, but you have to take care not only 
of SMTP traffic: the SMTP server also needs to perform lookups to DNS servers 
(yes, you can assign a local one...).

Anyway, if you need/want only SMTP connections to be NATed you can define the 
destination port (25) (add --dport 25 to the nat rule) rather than the source 
port (even if you know for sure that SMTP connections are only established 
from this port) (someone on the SMTP host could connect to any host at any 
port using 25 as the source TCP port; if you define a destination port this kind 
of malicious connection is disallowed), but you can also specify a source 
port (--sport 25):

iptables -t nat -A POSTROUTING -p tcp -s $SMTP_HOST --sport 25 --dport 25 \
  -j SNAT --to-source $INTERNET_IP:25


>
> Thank you.
Kind Regards 
Victor
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+eFgREzqHF8R72ekRAr0HAJsHIicvX0bh1MzNVEMgFY2ckCKwBwCfU7id
aL55zOh9Gnn0JSOmI7u4xPM=
=NXdQ
-----END PGP SIGNATURE-----
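An added example, not part of Victor's reply or of the original question: a small POSIX shell script that puts the whole setup discussed in the thread together, namely the DNAT of inbound port 25 to the internal host's real port, the FORWARD ACCEPTs that the DROP-policy caveat requires (matching the already-rewritten destination, since PREROUTING runs before FORWARD), and the SNAT of the host's outbound SMTP and DNS traffic through the firewall's public address, matching on destination port as the reply recommends and adding conntrack state matches. The interface name eth0, the addresses 203.0.113.10 and 192.168.1.25 and the port 2525 are assumed placeholders; setting IPTABLES=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original thread. Forwards inbound TCP/25 on the
# firewall to an internal SMTP host listening on another port and lets that
# host's outbound SMTP and DNS leave via the firewall's public address.
set -eu

EXT_IF="${EXT_IF:-eth0}"                 # assumed: Internet-facing interface
EXT_IP="${EXT_IP:-203.0.113.10}"         # assumed: firewall's public address
SMTP_HOST="${SMTP_HOST:-192.168.1.25}"   # assumed: internal SMTP server
SMTP_PORT="${SMTP_PORT:-2525}"           # assumed: port the daemon really listens on
IPTABLES="${IPTABLES:-iptables}"         # IPTABLES=echo gives a dry run
SYSCTL="${SYSCTL:-sysctl}"

# Emit the rule set one command per line so it can be reviewed (or tested)
# before it touches a live firewall.
build_rules() {
    cat <<EOF
$SYSCTL -w net.ipv4.ip_forward=1
$IPTABLES -P FORWARD DROP
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound: rewrite the destination first (PREROUTING), then filter the
# rewritten packet in FORWARD, not INPUT: it is routed, not delivered locally.
$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 25 -j DNAT --to-destination $SMTP_HOST:$SMTP_PORT
$IPTABLES -A FORWARD -i $EXT_IF -p tcp -d $SMTP_HOST --dport $SMTP_PORT -m conntrack --ctstate NEW -j ACCEPT
# Outbound: only SMTP and DNS from the mail host, matched by destination port.
$IPTABLES -A FORWARD -o $EXT_IF -p tcp -s $SMTP_HOST --dport 25 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -o $EXT_IF -p udp -s $SMTP_HOST --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -o $EXT_IF -p tcp -s $SMTP_HOST --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Source NAT for whatever FORWARD let through; the filtering lives above.
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $SMTP_HOST -j SNAT --to-source $EXT_IP
EOF
}

# Apply the rule set on the firewall (needs root unless IPTABLES=echo).
apply_rules() {
    build_rules | sh -e
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       build_rules ;;   # default: print only
esac
```

Run it with no arguments to review the rules, with IPTABLES=echo SYSCTL=echo and --apply to see the dry run go through the same code path, and with --apply as root to load them; the FORWARD policy is DROP, so the two NEW rules plus the ESTABLISHED,RELATED rule are the only paths through the box.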