On 02/14/2012 01:28 PM, Robert Spangler wrote: > On Tuesday 14 February 2012 15:21, the following was written: > >> Is there a way to add a rule to the nat table (CentOS 5.7) that would >> alter the port number of tcp packets destined for the server itself? I >> have ip_forwarding enabled, but the packets don't seem to hit the >> prerouting chain. >> >> I have the following redirect rule in the prerouting table. I also >> tried DNAT, but if the packets don't hit PREROUTING, it won't work either. >> >> iptables -t nat -L -v -n >> Chain PREROUTING (policy ACCEPT 16079 packets, 896K bytes) >> pkts bytes target prot opt in out source >> destination 0 0 REDIRECT tcp -- * * 10.10.10.0/24 >> 0.0.0.0/0 tcp dpt:25 redir ports 12345 >> >> >> aspen 2# cat /proc/sys/net/ipv4/ip_forward >> 1 > Where are you applying this rule? On a firewall or on the SMTP server itself? > > If the firewall then you need to use DNAT > > Example: > > iptables -t nat -A PREROUTING -p tcp --dport <Port> -j DNAT --to-destination > <Server IP>:<Port> > > If you only want this to happen on the inside of the firewall then you are > also going to have to include the interface you want this rule to apply to. > > > If it is on the SMTP server itself then you don't need forward to be turned on > and you need to use REDIRECT > > Example: > > iptables -t nat -A PREROUTING -p tcp --dport <Port> -j REDIRECT --to-ports > <Port> > > Also make sure no other rule is filtering the packets before this rule because > if the packets are altered then this rule will never be used. > > Thank you. You've confirmed that the redirect that I have should work. I think I know what the problem is now. I have the NOTRACK bit set for incoming packets on port 25, so maybe those packets don't hit the nat PREROUTING table. I did that because spambot attacks were causing resource exhaustion problems in the kernel when it was tracking all of the connections. I don't really know how to do what I want to do other than increasing the resource on the server so it could sustain a spambot attack while tracking the connection. If you have any ideas it would be appreciated. What I am trying to do is to change my external SMTP port so that it does not allow relaying or authentication and move all of the relay clients to a submission port. The idea is to rewrite the port on connections coming from the internal network so we don't have to require all of the internal clients to reconfigure their mail clients. Nataraj