Re: iptables, DNAT, and SMTP

---

• From: Pascal Hambourg <boite-a-spam@xxxxxxxxxxxxxxx>
• Date: Sun, 11 Mar 2007 19:55:27 +0100

---

Brandon a écrit :

What is the problem ? In other words, what is the result that you
observe instead of what you expected ?

What I'm observing are failed connections to xxx.184.64.3 when the
rules are in place.

How exactly do connections fail ? Are they immediately rejected or do they hang until they eventually time out ? Did you sniff traffic on the client, the mail server and the barracuda to watch what's going on ?

Assuming that the rule is on the mail server, what about theses rules :

iptables -t nat -A PREROUTING -i eth0 -s ! xx.xx.65.15 -d xx.xx.64.3 \
-p tcp --dport 25 -j DNAT --to-destination xx.xx.65.15
iptables -t nat -A POSTROUTING -o eth0 -s ! xx.xx.64.3 -d xx.xx.65.15 \
-p tcp --dport 25 -j SNAT --to-source xx.xx.64.3

This produces the same results as what I had before. When these rules
are in place, connections to xxx.184.64.3 act as if there is nothing
listening on port 25.

When nothing listens on a TCP port (port closed), connection attempts are immediately rejected. Is this what happens ? Do you see the packet count increment for the rules in the output of iptables-save -t nat -c ?

Be aware that if this solves the problem it does not mean that it is an
adequate solution. The SNAT rule hides the real source address from the
Barracuda, and this may be a problem.

This will be a huge problem. I need the packets to look as though they
came from their original source and not from the mail server. Is this
possible with what I'm trying to do, or am I out of luck?

Actually the SNAT rule is just an easy way to make the barracuda's replies go back to the NATing box (mail server) without using special routing tricks. But it's fine if you can route the barracuda's replies to the mail server without SNAT.
.

---

• References:
  • iptables, DNAT, and SMTP
    • From: Brandon
  • Re: iptables, DNAT, and SMTP
    • From: Clifford Kite
  • Re: iptables, DNAT, and SMTP
    • From: Pascal Hambourg
  • Re: iptables, DNAT, and SMTP
    • From: Brandon
  • Re: iptables, DNAT, and SMTP
    • From: Pascal Hambourg
  • Re: iptables, DNAT, and SMTP
    • From: Brandon

• Prev by Date: Re: Linking two LANs with 802.11n?
• Next by Date: Re: Linking two LANs with 802.11n?
• Previous by thread: Re: iptables, DNAT, and SMTP
• Next by thread: My Linux Page
• Index(es):
  • Date
  • Thread

---

Relevant Pages Port 25 closing? ... connections to our mail server via port 25. ... port 25 (it can still RECEIVE e-mail since that goes over secure IMAP ... I can log onto the firewall, ... (Fedora) Re: ISP blocking smtp port and a way how to solve the issue ... directly connected email client failed to send email thru port 25. ... >>arrived at port 25 regardless whehter the firewall at the mail server is ... They may not be blocking outbound connections for what it's worth. ... (comp.unix.bsd.freebsd.misc) Re: ISP blocking smtp port and a way how to solve the issue ... directly connected email client failed to send email thru port 25. ... > arrived at port 25 regardless whehter the firewall at the mail server is ... They may not be blocking outbound connections for what it's worth. ... (comp.unix.bsd.freebsd.misc) Re: Port 25 closing? ... > connections to our mail server via port 25. ... I can log onto the firewall, ... (Fedora) Re: Need help with bandwidth management . . . ... also be a good time to separate the wired from the wireless parts of ... wired connections. ... QoS lan port settings, and I cannot get anything consistent. ... switch ports and limit the bandwidth per port (the settings are ... (alt.internet.wireless)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)