> I have to forward email ports from local net to the whole world. At
> the same time I have a local email server that functions too.
> Therefore I have to divide the requests between those coming to the
> local one and those that go to the outer one.
It is unclear to me what you are trying to accomplish. Do you want
hosts on the internal network to be able to connect to SMTP servers
on the Internet?
In your case it might make sense to configure the existing mail server as
a relay and to configure clients to use the relay.
> [...]
>
> Here is how I try to accomplish this:
>
> /sbin/iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -p tcp -m multiport --dports 25,110 -j ACCEPT
>
> /sbin/iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 25000 -j DNAT --to-destination ______:25
>
> /sbin/iptables -t nat -A POSTROUTING -i eth1 -s 192.168.0.0/24 -j SNAT --to-source=1.1.1.1
>
> My questions are:
>
> 1. Is it all correct/safe in any way, or needs additional correction?
In the first rule you would have to use the INPUT chain instead of the
FORWARD chain if you want it to apply to connections to the local service.
> 2. _______ - what should I use here in case I do not want to limit the
> access to a single email server?
The second line does not work because DNAT is supposed to change the
destination address.
The last line could possibly work but since I don't understand what you are
trying to do, I am unable to tell whether it works for you.
Cheers
Stephan
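As an added example (not part of the original exchange), here is a rule set that keeps the two paths apart the way the reply describes: INPUT for the mail daemon running on the firewall itself, FORWARD plus SNAT for LAN hosts talking to mail servers on the Internet. It assumes eth1 is the LAN interface, eth0 the Internet interface and 1.1.1.1 the public address from the quoted rules; the DNAT line is left out because it would pin all traffic to a single server.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: eth1 = LAN side
# (192.168.0.0/24), eth0 = Internet side with public address 1.1.1.1 (taken
# from the quoted rules as a placeholder), mail daemon runs on the firewall.
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT="${IPT:-/sbin/iptables}"
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.0.0/24
PUBLIC_IP=1.1.1.1

# Connections that terminate on the firewall's own SMTP/POP3 daemon are
# delivered locally, so they traverse INPUT, never FORWARD.
allow_local_mail() {
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports 25,110 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# LAN hosts reaching mail servers on the Internet are routed flows: they
# traverse FORWARD, and get SNAT on the way out so replies return via us.
allow_outbound_mail() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp \
        -m multiport --dports 25,110 -m conntrack --ctstate NEW -j ACCEPT
    # POSTROUTING only knows the outgoing interface, so match with -o, not -i.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -p tcp \
        -m multiport --dports 25,110 -j SNAT --to-source "$PUBLIC_IP"
}

# Reply packets for both cases; anything not matched above is left to policy.
allow_established() {
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

apply_rules() {
    allow_established
    allow_local_mail
    allow_outbound_mail
}
```

Run with `IPT=echo sh script.sh` after appending an `apply_rules` call to see the generated rules before applying them for real.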
Archive: http://lists.debian.org/20101207141120.GA29670@lia.ch