Hi Patrik
I'm not sure why you have 2 gateways at your local site; why can't you
have one router that handles both connections?

$IPT -t nat -A POSTROUTING -p tcp -d 0/0 --sport $SMTPPORT -j SNAT --to $DEBBY_LAN:$SMTPPORT

Basically, how NAT works is:

a > nat > b

When a talks to b through NAT, the NAT box changes the source address
from a to itself; then b responds to the NAT box, and the NAT box remembers
this connection and forwards it on to a.

I'm not sure what you are trying to do with that config, but I think you
want it so when a packet comes in it changes the source address to the
2nd gateway, which then would send it out on the 2nd gateway.

This will not work. To achieve what you want you will need your main
router (the one that is the workstations' default gateway) to have
multiple routing tables and use routing rules to send SMTP traffic out
the 2nd connection.
Patrik Hasibuan wrote:
Dear my friends,

I am now building 2 internet gateways.
I distribute the job load based on the port number. For the first step, I do so:
- pop3 will do outgoing and incoming through gateway1, whose IPs are 192.168.23.9 (internal net interface) and 202.155.0.179 (external net interface);
- smtp will do outgoing and incoming through gateway2, whose IPs are 192.168.23.2 (internal net interface) and 202.155.0.180 (external net interface).
The default gateway defined on the workstations is "192.168.23.9".
The POP3 and SMTP servers are provided by my web hosting (yahoo.com). They are:
'pop.bizmail.yahoo.com' and 'smtp.bizmail.yahoo.com'.
But it does not work as I expect. I have tested on '192.168.23.2' by sending an
email from that debby-box and it succeeded.
Where are my mistakes?
Thank you very much in advance.

This is my script.
#!/bin/bash
###############################################################
# Adding default gateway
#/sbin/route add default gateway 202.155.0.177
###############################################################
# Initialize some parameters
INET_INTERFACE="eth0"                # external (Internet) interface
LAN_INTERFACE="eth1"                 # internal (LAN) interface
LOOPBACK_INTERFACE="lo"
IPT="/usr/sbin/iptables"
INET_ADDR="202.155.0.179"            # this gateway's external address
DEBBY_LAN="192.168.23.2"             # gateway2 (debby), LAN side
LAN_ADDR="192.168.23.9"              # this gateway's LAN address
LAN_ADDRESSES="192.168.23.0/24"      # LAN Addresses range
LAN_DNS="192.168.23.9"               # Please specify your DNS server in LAN
POP3PORT="110"
SMTPPORT="25"
DNSPORT="53"
UNPRIVPORTS="1024:65535"             # unprivileged port range

# Connection-tracking helpers for FTP
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

# Kernel settings: enable forwarding, ignore source routing and redirects,
# enable SYN cookies and reverse-path filtering
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 0 > $f
done

# Flush all chains and reset every policy to ACCEPT before rebuilding
$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
$IPT --policy INPUT ACCEPT
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT

# "stop" leaves the tables flushed with ACCEPT policies
if [ "$1" = "stop" ]; then
    echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING."
    exit
fi

# Loopback is always allowed; everything else is dropped unless accepted below
$IPT -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP

# NAT: packets with source port 25 get gateway2's LAN address as source;
# everything else leaving eth0 is SNATed to this gateway's external address
$IPT -t nat -A POSTROUTING -p tcp -d 0/0 --sport $SMTPPORT -j SNAT --to $DEBBY_LAN:$SMTPPORT
$IPT -t nat -A POSTROUTING -p tcp -o $INET_INTERFACE -j SNAT --to-source $INET_ADDR
$IPT -t nat -A POSTROUTING -p udp -o $INET_INTERFACE -j SNAT --to-source $INET_ADDR

# Stateful: replies and related traffic are accepted on every chain
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# ICMP echo: requests from the LAN and the Internet, replies out both sides
$IPT -A INPUT -i $LAN_INTERFACE -s $LAN_ADDRESSES -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INET_INTERFACE -s 0/0 -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -d $LAN_ADDRESSES -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT

# DNS and POP3 to this host, from the LAN and from the Internet
$IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INET_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT

# DNS and POP3 from this host, to the LAN and to the Internet
$IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $POP3PORT -m state --state NEW -j ACCEPT

# DNS and POP3 forwarded from the LAN to the Internet
$IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p udp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $POP3PORT -m state --state NEW -j ACCEPT

# DNS and POP3 forwarded from the Internet into the LAN
$IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p udp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $POP3PORT -m state --state NEW -j ACCEPT
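The multiple-routing-table approach described in the reply, as an added example that is neither the reply author's nor Patrik's configuration. It assumes the main router (192.168.23.9, eth0 = 202.155.0.179) also carries the second uplink itself, on a hypothetical interface eth2 with 202.155.0.180; 202.155.0.177 is reused from the commented-out line of Patrik's script as uplink 1's next hop, and the uplink 2 next hop is a placeholder. The script prints the commands by default (DRY_RUN=1) and only applies them as root when DRY_RUN=0. The fwmark is set in mangle PREROUTING, which runs before the routing decision, so the mark picks the table; the SNAT rule matched on the outgoing interface then gives the packet the address that belongs to that uplink. The CONNMARK save/restore keeps every packet of a connection on the same path, and the "from 202.155.0.180" rule is what lets rp_filter accept the replies that come back on eth2.

```shell
#!/bin/sh
# Added example: route outbound SMTP through a second uplink with a
# dedicated routing table. Assumptions are marked as such.
DRY_RUN="${DRY_RUN:-1}"

# Values taken from Patrik's script
LAN_INTERFACE="eth1"
LAN_ADDRESSES="192.168.23.0/24"
WAN1_INTERFACE="eth0"
WAN1_ADDR="202.155.0.179"
WAN1_GW="202.155.0.177"
SMTPPORT="25"
IPT="/usr/sbin/iptables"
# Assumed second uplink on the same router (hypothetical interface)
WAN2_INTERFACE="eth2"
WAN2_ADDR="202.155.0.180"
WAN2_GW="192.0.2.1"            # placeholder: substitute the real ISP next hop
SMTP_TABLE="200"               # routing table id reserved for SMTP
SMTP_MARK="0x2"                # fwmark that selects that table

# Print the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Second routing table: same LAN route, but the default goes via uplink 2
smtp_routes() {
    run ip route add "$LAN_ADDRESSES" dev "$LAN_INTERFACE" table "$SMTP_TABLE"
    run ip route add default via "$WAN2_GW" dev "$WAN2_INTERFACE" table "$SMTP_TABLE"
    # Marked packets use the SMTP table; so does anything sourced from the
    # uplink-2 address, which also satisfies rp_filter for replies on eth2
    run ip rule add fwmark "$SMTP_MARK" lookup "$SMTP_TABLE" priority 100
    run ip rule add from "$WAN2_ADDR" lookup "$SMTP_TABLE" priority 101
    run ip route flush cache
}

# Mark new outbound SMTP connections from the LAN before routing, and keep
# the mark on the whole connection so every packet follows the same route
smtp_marks() {
    run "$IPT" -t mangle -A PREROUTING -i "$LAN_INTERFACE" -s "$LAN_ADDRESSES" \
        -j CONNMARK --restore-mark
    run "$IPT" -t mangle -A PREROUTING -i "$LAN_INTERFACE" -s "$LAN_ADDRESSES" \
        -p tcp --dport "$SMTPPORT" -m state --state NEW -j MARK --set-mark "$SMTP_MARK"
    run "$IPT" -t mangle -A PREROUTING -i "$LAN_INTERFACE" -j CONNMARK --save-mark
    # One SNAT per uplink: the source address must belong to the exit interface
    run "$IPT" -t nat -A POSTROUTING -o "$WAN1_INTERFACE" -j SNAT --to-source "$WAN1_ADDR"
    run "$IPT" -t nat -A POSTROUTING -o "$WAN2_INTERFACE" -j SNAT --to-source "$WAN2_ADDR"
    # Only SMTP from the LAN may leave through uplink 2
    run "$IPT" -A FORWARD -i "$LAN_INTERFACE" -o "$WAN2_INTERFACE" -s "$LAN_ADDRESSES" \
        -p tcp --dport "$SMTPPORT" -m state --state NEW -j ACCEPT
}

main() {
    smtp_routes
    smtp_marks
}

main
```

Run it once without arguments to review the generated commands, then with DRY_RUN=0 to apply them; the FORWARD rule is additive to the existing DNS/POP3 rules and the ESTABLISHED,RELATED rule already in Patrik's script lets the SMTP replies back in.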