[ILUG] Modifying outgoing packets

Adrian Flynn adrian.flynn at worldtravel.ie
Wed Sep 12 14:19:07 IST 2001


Thanks for the response; however, from reading the man pages, 'MODULE
portfw is able to forward to-firewall packets to internal hosts, based on
address and port specification.' However, these are not to-firewall packets.
They are packets generated within the 'firewall' and so do not traverse the
input or forward chains, only the output.

I have come up with a workaround by using an external mail relay as a
fallback in the event that a direct connection cannot be made, but again,
this is a messy solution and lacks any elegance in design. ;-)

Rgds

Adrian

-----Original Message-----
From: ilug-admin at linux.ie [mailto:ilug-admin at linux.ie]On Behalf Of Conor
Daly
Sent: 12 September 2001 13:08
To: ilug at linux.ie
Subject: Re: [ILUG] Modifying outgoing packets


On Wed, Sep 12, 2001 at 12:13:42PM +0100 or thereabouts, Adrian Flynn wrote:
> Hi all
>
> Could anyone advise how best to modify outgoing IP packets on a 2.2.16
> machine (using ipchains)?
> My ISP has moved my mail server which had a public static address, to a
> private address, and set up a NAT on the firewall. This in itself is not a
> problem, but a difficulty arises when my mail server attempts to send mail
> to another NATed mail server within the ISP (many domains). A DNS lookup of
> the MX records returns the public IP address which is unreachable from
> within the private network. As far as I can see, there are a few options:
> 1.	Modify the mail server (Postfix) to do the MX lookup, and then check the
> resulting IP address against a given list of mail servers known to the NATed
> on our private network. If a match is found, then translate to private IP
> address and continue as normal.
> 	I cannot find an option to do this in Postfix (smtp)
>
> 2.	Create 'dummy' local DNS MX entries for all domains which require
> translation.
> 	This is messy and requires a lot of maintenance.
>
> 3.	Manipulate outgoing packets being sent to port 25 of the public IP
> addresses for known mail servers on the NATed network, rewriting the
> destination address to the private IP address. As far as I can tell, this is
> what is known as DNAT in iptables, but this is a 2.2.16 machine so this is
> not an option without a significant upgrade.
>
> Does anyone have any ideas??

AFAICT, you can do that with the ipchains rules.  You need to go get the
port forwarding patch and then use an ipfwadm rule to forward packets for
<external.mail.server.ip> 25 to <private.mail.server.ip> 25

I don't remember the details of the patch but it's out there on the ipmasq
mailing list.  If I get time later, I'll look it up at home.

Conor
--
Conor Daly
Met Eireann, Glasnevin Hill, Dublin 9, Ireland
Ph +353 1 8064276 Fax +353 1 8064275
------------------------------------
 12:04pm  up 12 days, 19:02,  8 users,  load average: 0.00, 0.06, 0.15

--
Irish Linux Users' Group: ilug at linux.ie
http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information.
List maintainer: listmaster at linux.ie
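As an added example (not from this thread or from either poster), here is what option 3 looks like once the box has been upgraded to a 2.4-or-later kernel with netfilter, which the original post notes would be required. The key point Adrian raises above applies directly: packets generated on the host itself never pass through PREROUTING, so the DNAT rule has to sit in the OUTPUT chain of the nat table, and connection tracking un-translates the replies. The script assumes iptables is installed, restricts the rewrite to TCP port 25 and exact destination addresses so nothing else on the host is silently redirected, and the addresses in the map are constructed placeholders, not real MX hosts.

```shell
#!/bin/sh
# Added example: DNAT locally generated SMTP traffic to the private address
# of an MX that sits behind the same NAT. Assumes a 2.4+ kernel with the
# netfilter nat table and an installed iptables binary.
#
# Locally generated packets traverse only OUTPUT (and POSTROUTING), never
# PREROUTING, so the DNAT rule lives in nat/OUTPUT. Conntrack rewrites the
# reply packets back, so no matching SNAT rule is needed for this direction.

# Constructed map: "public-MX-address private-address", one pair per line.
MX_MAP='203.0.113.10 10.0.0.25
203.0.113.11 10.0.0.26'

# Default is a dry run: print the rules instead of loading them.
DRY_RUN=1

# gen_rules: emit one iptables command per map entry. Each rule matches
# only TCP to port 25 at the exact public address, so other traffic to
# the same host (e.g. HTTPS) is untouched.
gen_rules() {
    printf '%s\n' "$MX_MAP" | while read -r pub priv; do
        [ -n "$pub" ] && [ -n "$priv" ] || continue
        printf 'iptables -t nat -A OUTPUT -p tcp -d %s --dport 25 -j DNAT --to-destination %s:25\n' \
            "$pub" "$priv"
    done
}

# count_rules: number of rules the map produces (sanity check before applying).
count_rules() {
    gen_rules | wc -l | tr -d ' '
}

# apply_rules: print the rules (DRY_RUN=1) or load them into the kernel.
apply_rules() {
    gen_rules | while read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# show_nat_output: list what is actually loaded, for verification after apply.
show_nat_output() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    iptables -t nat -S OUTPUT
}

case "${1:-}" in
    --apply)
        DRY_RUN=0
        apply_rules
        show_nat_output
        ;;
    *)
        apply_rules
        ;;
esac
```

Run it without arguments to review the generated rules, and with `--apply` (as root) to load them; the trailing `iptables -t nat -S OUTPUT` shows exactly what ended up in the chain. Adding a new MX pair is a one-line change to the map rather than a DNS edit, which addresses the maintenance objection to option 2.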

