[CentOS] Port Forwarding

Mon Jan 19 14:58:57 UTC 2009
Thom Paine <painethom at gmail.com>

> In the case of the OP, I would urge him to evaluate if that network
> topology really makes sense. Does it make sense having two hosts with
> two different connections? In that case, does it make sense to run
> services like mail/web servers on these hosts? Shouldn't they be
> dedicated routers/firewalls instead? And do you really need to use
> port forwarding connections to a host that is already directly
> connected to the internet?

It doesn't necessarily make sense. This entire project doesn't make
sense. The issue is that we are sending confidential patient records
through a private network.

Instead of using something like PKI encryption (like I use at the
police station where I also work), this business model decided that
all mail should be sent out their private network. Then they can check
if the receiver should be receiving email in the first place. They
originally wanted to take control of my mail server, and I would pick
mail up from them for all my users and I said no to that. We are
retaining control of our network, and mail server and relaying all
outbound mail out this new connection. Incoming mail will transfer as
normal from all sources except from this private network which could
have confidential patient records, and it needs to come in this new
connection from an authenticated mail server to my box.

This project has been dragging out since 2007, and it's really getting
on my nerves. They only want to deal with Exchange, and they have been
sending instructions out for Exchange, even though they know I am
using Linux for my server.

I thought I was almost out of the woods until we started testing the
port forwarding, and I've run into these hangups.

I think option 2 will work best for me. The box and connection on
y.y.y.y is strictly for communicating with this other mail server I
need to relay out, and receive only patient records mail from. If I
rewrite the packets to appear to be from 10.10.10.4 I think this will
work.

What would the best option for this be? I'm thinking I will have to
stop using the gshield firewall that I used to use, and just write the
rules manually in iptables because there will only be half a dozen or
so, and once they are written, they will be permanent.

Thanks for the excellent replies.

-- 
-=/>Thom
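An added example, not part of Thom's post or of any reply in the thread, of what the handful of hand-written iptables rules for the setup he describes could look like on the y.y.y.y box: inbound SMTP from the other organisation's mail server is port-forwarded (DNAT) to the internal mail server, and the forwarded packets are source-rewritten (SNAT) to the box's inside address 10.10.10.4, as in his option 2, so the mail server's replies return through this box instead of leaving over its normal default route. Outbound relay to the peer is allowed through and SNATed to y.y.y.y. The interface names, the internal mail server address (10.10.10.10) and the peer's address (z.z.z.z) are placeholders I assumed; y.y.y.y and 10.10.10.4 are the addresses from the post. By default the script only prints the commands (DRY_RUN=1); set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal hand-written
# iptables rule set for the y.y.y.y box, replacing a gshield-generated one.
#
# Assumed placeholders (not values taken from the thread unless noted):
#   WAN_IF / WAN_IP  the dedicated connection; y.y.y.y is from the post
#   LAN_IF / LAN_IP  this box's inside address; 10.10.10.4 is from the post
#   MAIL_SERVER      the internal Linux mail server (hypothetical 10.10.10.10)
#   PEER             the other organisation's mail server (hypothetical z.z.z.z)
# DRY_RUN=1 (default) prints the iptables commands; DRY_RUN=0 executes them.

WAN_IF=${WAN_IF:-eth1}
WAN_IP=${WAN_IP:-y.y.y.y}
LAN_IF=${LAN_IF:-eth0}
LAN_IP=${LAN_IP:-10.10.10.4}
MAIL_SERVER=${MAIL_SERVER:-10.10.10.10}
PEER=${PEER:-z.z.z.z}
DRY_RUN=${DRY_RUN:-1}

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Start from a clean slate and default-deny INPUT and FORWARD.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Management access to this box from the inside only (assumed requirement).
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound: only the peer may reach SMTP on y.y.y.y; hand it to the
    # internal mail server (port forwarding = DNAT) ...
    ipt -t nat -A PREROUTING -i "$WAN_IF" -s "$PEER" -d "$WAN_IP" \
        -p tcp --dport 25 -j DNAT --to-destination "$MAIL_SERVER:25"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$PEER" -d "$MAIL_SERVER" \
        -p tcp --dport 25 -m state --state NEW -j ACCEPT
    # ... and make the forwarded packets appear to come from 10.10.10.4,
    # so the mail server answers this box rather than its other uplink.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -d "$MAIL_SERVER" -p tcp --dport 25 \
        -j SNAT --to-source "$LAN_IP"

    # Outbound relay: mail from the internal server to the peer leaves over
    # y.y.y.y. Assumes the mail server routes traffic for $PEER via 10.10.10.4.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$MAIL_SERVER" -d "$PEER" \
        -p tcp --dport 25 -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$MAIL_SERVER" -d "$PEER" \
        -j SNAT --to-source "$WAN_IP"
}

build_rules
```

Run it once with the default DRY_RUN=1 and read the fourteen commands it prints before applying anything; the two SNAT rules are the ones that make a two-uplink host work, since without the POSTROUTING rewrite to 10.10.10.4 the mail server's replies would follow its own default route and the forwarded connection would hang.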