
Re: firewall rules for NAT

On 1 Jul 2017 7:31 pm, "Pascal Hambourg" <pascal@plouf.fr.eu.org> wrote:
Le 01/07/2017 à 03:25, Igor Cicimov a écrit :

You know what, i just checked the iptables rules the op sent again and
realized this:

-A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT --to-source 10.7.33.100

is NOT how you would do SNAT with DNAT, you normally would need:

-A POSTROUTING -s 10.7.33.109/32 -p tcp -m tcp -
-j SNAT --to-source 10.7.33.100

These two rules do not have the same purpose at all.

The OP's rule applies to incoming SMTP connections forwarded to the server, in order to work around the routing flaw (wrong gateway).

Your rule applies to outgoing connections from the server,
so 1) is useless for incoming connections

That's my point, I misread his rule and thought it was the one I posted.

and 2) would be ignored in the original setup because the server did not use the router as its default gateway.

Yep, but not if the source IP was being changed to the one of the router, in which case the reply would not go to the dgw.


PS. Igor, the plain text version of your posts does not properly mark the quoted text from the message you reply to: it appears as if it was your text, without any quotation marks.
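As an added illustration that is not part of the thread, the following Python model walks a forwarded SMTP connection and a server-originated one through the two POSTROUTING rules quoted above, and shows where the server's reply is routed in each case. The router's public address, the client and MX addresses, and the server's wrong default gateway 10.7.33.1 are constructed for the example; only 10.7.33.100 and 10.7.33.109 come from the thread.

```python
from dataclasses import dataclass, replace

# Addresses taken from the thread.
ROUTER_LAN = "10.7.33.100"   # router's inside address, the SNAT --to-source
SERVER = "10.7.33.109"       # SMTP server the OP forwards port 25 to
# Constructed for the example: the server's default gateway is NOT the router.
WRONG_GW = "10.7.33.1"
LAN_PREFIX = "10.7.33."      # assumed /24; peers here are on-link for the server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def op_rule(pkt):
    """OP's rule: -A POSTROUTING -d 10.7.33.109/32 -p tcp --dport 25 -j SNAT --to-source 10.7.33.100"""
    return replace(pkt, src=ROUTER_LAN) if (pkt.dst, pkt.dport) == (SERVER, 25) else pkt


def igor_rule(pkt):
    """Igor's rule: -A POSTROUTING -s 10.7.33.109/32 -p tcp -j SNAT --to-source 10.7.33.100"""
    return replace(pkt, src=ROUTER_LAN) if pkt.src == SERVER else pkt


def server_next_hop(peer, gateway=WRONG_GW):
    """The server answers LAN peers directly; anything else goes to its default gateway."""
    return peer if peer.startswith(LAN_PREFIX) else gateway


def incoming_smtp(postrouting_rule, client="203.0.113.5", gateway=WRONG_GW):
    """Internet client -> router (DNAT in PREROUTING) -> server, with the given
    POSTROUTING rule applied on the router. Returns (source address the server sees,
    where the server sends its reply). The public address 192.0.2.10 is constructed."""
    pkt = Packet(src=client, dst="192.0.2.10", dport=25)
    pkt = replace(pkt, dst=SERVER)              # DNAT: forward port 25 to the server
    pkt = postrouting_rule(pkt)                 # the rule under discussion
    return pkt.src, server_next_hop(pkt.src, gateway)


def outgoing_smtp(postrouting_rule, mx="198.51.100.25", gateway=WRONG_GW):
    """Server-originated connection to a remote MX. The router's POSTROUTING only
    sees it if the server routes via the router; returns the source the MX sees,
    or None when the rule is never consulted."""
    pkt = Packet(src=SERVER, dst=mx, dport=25)
    if server_next_hop(mx, gateway) != ROUTER_LAN:
        return None
    return postrouting_rule(pkt).src
```

With the wrong gateway, `outgoing_smtp` returns None for either rule because the server's own traffic never reaches the router's nat table (Pascal's point 2), while `incoming_smtp(op_rule)` still works because the rewritten source is on-link and the reply goes straight back to the router.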
