Box A is a Linux gateway/router. It has a number of interfaces but the 2 significant ones are its PSTN interface (static IP 139.130.y.z) and the interface to the DMZ (static IP 192.168.254.1) where the smtp server is on 192.168.254.17.
I am using iptables and all smtp traffic coming in to the PSTN interface is addressed to the PSTN interface address as the MX address and then DNAT'd to the smtp server address. The iptables rule is of the form:

    iptables -t nat -A PREROUTING -p tcp -d 139.130.y.z --dport 25 -j DNAT --to-destination 192.168.254.17

This works fine for all traffic coming in from outside, however, smtp traffic created on box A is originally trying to establish an smtp connection to the 139.130.y.z interface on the lo interface and is being rejected and also not being DNAT'd.

I then tried adding the following rule:

    iptables -t nat -A OUTPUT -p tcp -d 139.130.y.z --dport 25 -j DNAT --to-destination=192.168.254.17

Now this works in as much as the SYN packet from the gateway gets to the smtp server with src IP 192.168.254.1 and dst IP 192.168.254.17, and the SYN ACK packet from the smtp router gets back to the gateway with src IP 192.168.254.17 and dst IP 192.168.254.1.

The problem is that the gateway then promptly sends a RST packet with src 192.168.254.1 and dst 192.168.254.17. Consequently the connection never gets established.

I can't put a reverse PREROUTING rule in as the PREROUTING chain only works on the first (SYN) packet and won't work on SYN ACK or ACK packets, or so the doco says.

What sort of rule should I be using, or is it something in sysctl?

What I want to avoid is putting a kludge into the DNS to provide a low priority MX on 192.168.254.17

--
Howard.
LANNet Computing Associates - Your Linux people
Contact detail at http://www.lannetlinux.com
"Flatter government, not fatter government." - me
Get rid of the Australian states.
------------------------------------------
If electricity comes from electrons, does morality come from morons?

--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
