@ john et al ei tnx guys I tried john's syntax and it works :)

@peter anyway the second one (where the snat is), why I put it in the script is because I thought I needed to send the packets back to the firewall so the firewall would send them back to the sender. But when I tried john's syntax it sends back without the snat syntax. Why is that?

On 5/19/05, Peter Farrow <peter at farrows.org> wrote:
> If you are doing it like this as you have indicated,
>
> iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -j DNAT --to-destination 10.0.0.1
>
> iptables -t nat -A POSTROUTING -d 10.0.0.1 -j SNAT --to xxx.xxx.xxx.xxx
>
> Then that's why your mail server logs the IP address of the firewall....
> because of the POSTROUTING line above and the fact that you DNAT'ed to
> an IP address that you then SNAT'ed out onto the LAN.
>
> It's no problem and expected that your mail server has a different IP to
> your firewall, in this case you will need to make sure that
> the packets you've destination NAT'ed are allowed through the forward
> chain as Johnny Hughes has indicated below.
>
> P.
>
> Johnny Hughes wrote:
>
> >On Thu, 2005-05-19 at 21:44 +0800, Mark Quitoriano wrote:
> >
> >>here's how i did mine
> >>
> >>iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -j DNAT --to-destination 10.0.0.1
> >>
> >>iptables -t nat -A POSTROUTING -d 10.0.0.1 -j SNAT --to xxx.xxx.xxx.xxx
> >>
> >>because the firewall has a different IP than my mail server
> >
> >You are forwarding it twice
> >
> >Is 10.0.0.1 the internal interface of the firewall (that contains -d
> >xxx.xxx.xxx.xxx) or is it a separate machine
> >
> >If it is on the same machine, try this (assuming you have a FORWARD rule
> >too):
> >
> >iptables -A FORWARD -i $EXTIF -p tcp --dport 25 -m state \
> >  --state NEW,ESTABLISHED,RELATED -j ACCEPT
> >
> >iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 25 \
> >  -j DNAT --to xxx.xxx.xxx.xxx
> >
> >($EXTIF is the external interface {eth0, eth1, etc.}, $EXTIP is the
> >external IP address)
> >
> >>On 5/19/05, Peter Farrow <peter at farrows.org> wrote:
> >>
> >>>If you're doing true port forwarding, the internal server should see the
> >>>IP address of the external machine in its logs.
> >>>
> >>>This is how my machines log that do this, I use this type of entry in
> >>>iptables:
> >>>
> >>>iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 10.198.0.17
> >>>
> >>>P.
> >>>
> >>>Johnny Hughes wrote:
> >>>
> >>>>On Thu, 2005-05-19 at 21:08 +0800, Mark Quitoriano wrote:
> >>>>
> >>>>>i'm having a problem viewing logs on forwarded ports from the firewall
> >>>>>to another server, i forwarded mail (port 25) from the firewall to an
> >>>>>internal server. The problem is when i try to view the logs it just
> >>>>>shows the firewall IP as the sender and not the original sender.
> >>>>
> >>>>In reality, the firewall may be making the connection to the internal
> >>>>server... and not the external machine. Especially if the internal
> >>>>server is on a 192.168.x.x or 10.x.x.x network and you are connecting
> >>>>via NAT. If that is the case, the external machine is connecting to the
> >>>>firewall and the firewall is connecting to the internal server.
> >>>>
> >>>>_______________________________________________
> >>>>CentOS mailing list
> >>>>CentOS at centos.org
> >>>>http://lists.centos.org/mailman/listinfo/centos

--
Regards,
Mark Quitoriano, CCNA
http://www.atamanetworks.com
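The thread leaves two points implicit that the following added example makes concrete (this is illustration code written for this page, not anything posted by Mark, Peter or Johnny, and it does not run iptables). It is a small model of the netfilter nat table plus connection tracking: the first packet of a flow traverses PREROUTING and POSTROUTING and the resulting translation is stored; packets in the reply direction are translated by reversing that stored mapping, which is why Johnny's DNAT-only rule "sends back" to the client with no SNAT rule at all. The same model shows why Mark's extra POSTROUTING SNAT makes the mail server log the firewall's address as the sender. Assumptions: the addresses are constructed (198.51.100.1 stands in for xxx.xxx.xxx.xxx, 203.0.113.7 is the remote client), Johnny's `--to xxx.xxx.xxx.xxx` is taken to mean the internal server 10.0.0.1, the FORWARD chain and port translation are left out, and the `NatBox`, `NatRule`, `Packet` and `run_smtp_session` names are mine.

```python
"""Toy model of netfilter NAT + conntrack for a DNAT'ed SMTP port forward.

Added example for this page, not code from the list thread. Shows which
source address the internal mail server logs under the two rule sets in
the thread, and that replies are un-NATed by conntrack in both cases.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed addresses: the thread wrote xxx.xxx.xxx.xxx for the firewall's
# public IP and 10.0.0.1 for the internal mail server.
CLIENT = "203.0.113.7"    # remote sender (documentation range, constructed)
EXT_IP = "198.51.100.1"   # firewall's external IP, i.e. xxx.xxx.xxx.xxx
INT_IP = "10.0.0.1"       # internal mail server
SMTP = 25


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """Packet the receiver sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class NatRule:
    chain: str                  # "PREROUTING" or "POSTROUTING"
    match_dst: str              # -d
    match_dport: Optional[int]  # --dport; None means any port
    target: str                 # "DNAT" or "SNAT"
    to: str                     # --to / --to-destination


class NatBox:
    """Firewall with a nat table and a conntrack table (simplified model)."""

    def __init__(self, rules: List[NatRule]):
        self.rules = rules
        # conntrack: original tuple of the first packet -> tuple after NAT
        self.conntrack: Dict[Packet, Packet] = {}

    def _traverse(self, chain: str, pkt: Packet) -> Packet:
        """First matching rule in the chain wins, as in iptables."""
        for r in self.rules:
            if r.chain != chain or r.match_dst != pkt.dst:
                continue
            if r.match_dport is not None and r.match_dport != pkt.dport:
                continue
            if r.target == "DNAT":
                return replace(pkt, dst=r.to)
            if r.target == "SNAT":
                return replace(pkt, src=r.to)
        return pkt

    def forward_new(self, pkt: Packet) -> Packet:
        """NEW connection: nat PREROUTING, then nat POSTROUTING; the mapping
        is stored so later packets of the flow never consult the rules."""
        out = self._traverse("POSTROUTING", self._traverse("PREROUTING", pkt))
        self.conntrack[pkt] = out
        return out

    def forward_reply(self, reply: Packet) -> Packet:
        """Reply direction: conntrack reverses the stored mapping. No SNAT
        rule is consulted, which is why a DNAT-only rule still 'sends back'."""
        for orig, xlated in self.conntrack.items():
            if reply == xlated.reply():
                return orig.reply()
        raise LookupError("no conntrack entry: reply would not be un-NATed")


def johnnys_rules() -> List[NatRule]:
    # iptables -A PREROUTING -t nat -p tcp -d $EXTIP --dport 25 -j DNAT --to 10.0.0.1
    return [NatRule("PREROUTING", EXT_IP, SMTP, "DNAT", INT_IP)]


def marks_rules() -> List[NatRule]:
    # iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -j DNAT --to-destination 10.0.0.1
    # iptables -t nat -A POSTROUTING -d 10.0.0.1 -j SNAT --to xxx.xxx.xxx.xxx
    return [NatRule("PREROUTING", EXT_IP, None, "DNAT", INT_IP),
            NatRule("POSTROUTING", INT_IP, None, "SNAT", EXT_IP)]


def run_smtp_session(rules: List[NatRule]) -> Tuple[str, str]:
    """Push one SMTP SYN and its SYN/ACK through the firewall.

    Returns (source address the mail server logs,
             source address of the SYN/ACK as the remote client sees it)."""
    fw = NatBox(rules)
    syn = Packet(CLIENT, 40000, EXT_IP, SMTP)
    syn_at_server = fw.forward_new(syn)
    synack_at_client = fw.forward_reply(syn_at_server.reply())
    return syn_at_server.src, synack_at_client.src


if __name__ == "__main__":
    for name, rules in (("DNAT only (Johnny)", johnnys_rules()),
                        ("DNAT + SNAT (Mark)", marks_rules())):
        logged, reply_src = run_smtp_session(rules)
        print(f"{name}: server logs sender {logged}; client sees reply from {reply_src}")
```

With Johnny's single DNAT rule the mail server logs 203.0.113.7 (the real sender) and the client still gets its reply from 198.51.100.1; with Mark's DNAT + SNAT pair the server logs 198.51.100.1, exactly as Peter described, and the reply path is unchanged. On a real firewall the FORWARD chain must also accept the DNAT'ed traffic, as Johnny's first rule does; that check is outside this model.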