[CentOS] CentOS 7 - DNAT with firewalld

Tue Jan 26 14:56:59 UTC 2016
Django <Django>

Hi,

here I have an email server connected to a DMZ 10.0.0.0/24 network. This
server holds 10.0.0.87.

There are two firewall hosts, one with CentOS 6 (10.0.0.10) and one with
CentOS 7 (10.0.0.17).

The CentOS 6 host has the following iptables rules (extract):
----------------------8<----------------------8<----------------------8<
*nat
-A POSTROUTING -o eth1 -j MASQUERADE
-A PREROUTING -i eth1 -d 217.91.103.190/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.87:25

*filter
-A FORWARD -d 10.0.0.87/32 -i ppp0 -o eth0 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
----------------------8<----------------------8<----------------------8<

If an external mail server accesses the firewall, the traffic is routed to
10.0.0.87 port 25. As the IP address of the external server I see its
public IP. Here's the relevant part of the maillog:

Jan 26 13:03:20 vml000087 postfix/postscreen[14214]: CONNECT from [88.198.212.215]:36131 to [10.0.0.87]:25
Jan 26 13:03:20 vml000087 postfix/postscreen[14214]: PASS OLD [88.198.212.215]:36131
Jan 26 13:03:20 vml000087 postfix/smtpd[10268]: connect from mx1.piratenpartei-bayern.de[88.198.212.215]
Jan 26 13:03:31 vml000087 postfix/smtpd[10268]: disconnect from mx1.piratenpartei-bayern.de[88.198.212.215]

So far so good, this has worked fine for the last 5 years ...

Now I have a second network with a CentOS 7 based firewall. I've tried to
adapt the rules I made on the old firewall.

----------------------8<----------------------8<----------------------8<
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use on external networks. You do not trust the other
computers on networks to not harm your computer. Only selected incoming
connections are accepted.</description>
  <interface name="eth1"/>
  <service name="ssh"/>
</zone>

# cat /etc/firewalld/zones/private.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Private</short>
  <description>For use on internal networks. You mostly trust the other
computers on the networks to not harm your computer. Only selected
incoming connections are accepted.</description>
  <interface name="eth0"/>
  <service name="ssh"/>
  <masquerade/>
</zone>

# cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="nat" ipv="ipv4" chain="POSTROUTING">-o eth1 -j MASQUERADE</rule>
  <rule priority="0" table="nat" ipv="ipv4" chain="PREROUTING">-i eth1 -d 192.168.0.17/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.87:25</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i eth1 -d 10.0.0.87/32 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT</rule>
</direct>
----------------------8<----------------------8<----------------------8<

The traffic over this firewall is routed to my mail server, too. BUT I
don't see the external customer IP; I can only see the IP address of my
own firewall.

Jan 26 13:04:52 vml000087 postfix/postscreen[14214]: CONNECT from [10.0.0.17]:33803 to [10.0.0.87]:25
Jan 26 13:04:52 vml000087 postfix/postscreen[14214]: WHITELISTED [10.0.0.17]:33803
Jan 26 13:04:52 vml000087 postfix/smtpd[10268]: connect from vml000017.dmz.nausch.org[10.0.0.17]
Jan 26 13:04:53 vml000087 postfix/smtpd[11397]: disconnect from vml000017.dmz.nausch.org[10.0.0.17]

So I think destination NAT (DNAT) isn't working on my CentOS 7 host. As
I said, on my CentOS 6 host DNAT is working very well.

So where's my error? In my configuration or in my head? ;)

Thanx 4 help!


ttyl
Django
-- 
"Bonnie & Clyde der Postmaster-Szene!" approved by Postfix-God
http://wetterstation-pliening.info
http://dokuwiki.nausch.org
http://wiki.piratenpartei.de/Benutzer:Django
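An added configuration check, not from the post or from firewalld itself: firewalld installs a zone's <masquerade/> as a nat POSTROUTING rule matched on the zone's interfaces as the outgoing interface, so forwarded packets leaving such an interface get the firewall's own source address, which is what the second maillog shows. The script below parses constructed copies of the posted zone files and direct.xml and reports DNAT targets whose egress interface belongs to a masquerading zone; the routing map (which interface 10.0.0.87 is reached through) is an assumption.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed copies of the zone files and direct.xml from the post (XML declarations dropped).
PUBLIC_XML = '<zone><short>Public</short><interface name="eth1"/><service name="ssh"/></zone>'
PRIVATE_XML = '<zone><short>Private</short><interface name="eth0"/><service name="ssh"/><masquerade/></zone>'
DIRECT_XML = """<direct>
  <rule priority="0" table="nat" ipv="ipv4" chain="POSTROUTING">-o eth1 -j MASQUERADE</rule>
  <rule priority="0" table="nat" ipv="ipv4" chain="PREROUTING">-i eth1 -d 192.168.0.17/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.87:25</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i eth1 -d 10.0.0.87/32 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT</rule>
</direct>"""
# Routing assumption: the interface each DNAT target is reached through.
ROUTES = {"10.0.0.87": "eth0"}

def masquerading_interfaces(zone_xmls):
    """Interfaces whose zone carries <masquerade/>.

    firewalld installs a zone's masquerade in nat POSTROUTING matched on the
    outgoing interface (-o): every forwarded packet leaving one of these
    interfaces has its source rewritten to the firewall's own address.
    """
    ifaces = set()
    for xml in zone_xmls:
        zone = ET.fromstring(xml)
        if zone.find("masquerade") is not None:
            ifaces.update(i.get("name") for i in zone.findall("interface"))
    return ifaces

def dnat_targets(direct_xml):
    """--to-destination of every direct DNAT rule in nat/PREROUTING."""
    found = []
    for rule in ET.fromstring(direct_xml).findall("rule"):
        args = shlex.split(rule.text or "")
        if rule.get("table") == "nat" and rule.get("chain") == "PREROUTING" and "DNAT" in args:
            found.append(args[args.index("--to-destination") + 1])
    return found

def snat_on_dnat_path(zone_xmls, direct_xml, routes):
    """DNAT targets whose egress interface sits in a masquerading zone; the
    server behind them logs the firewall's address instead of the client's."""
    masq = masquerading_interfaces(zone_xmls)
    findings = []
    for target in dnat_targets(direct_xml):
        egress = routes.get(target.split(":")[0])
        if egress in masq:
            findings.append((target, egress))
    return findings
```

On the posted files this returns [('10.0.0.87:25', 'eth0')]; with <masquerade/> removed from private.xml it returns an empty list, while the direct.xml rule `-o eth1 -j MASQUERADE` still covers outbound traffic on the external side.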