Re: [ILUG] Modifying outgoing packets

From: Chris Higgins (chris.higgins at domain horizon.ie)
Date: Wed 12 Sep 2001 - 17:04:10 IST


> Hi all
>
> Could anyone advise how best to modify outgoing IP packets on a 2.2.16
> machine (using ipchains)?
> My ISP has moved my mail server which had a public static address, to a
> private address, and set up a NAT on the firewall. This in itself is not a
> problem, but a difficulty arises when my mail server attempts to send mail
> to another NATed mail server within the ISP (many domains).

Huh ? Are you saying that your ISP has given you private addresses for
you to use on your network, and that for you to get to the internet you
need to go through their NAT device ? So they are also using private
addresses on their backbone ?

ie:
 public-internet --- ISP NAT box --- ISP servers, customers, and you

To my mind there are two easy options, both of which involve making this the
ISP's problem, rather than your own..

1. Get the ISP to configure their network to allow you to connect to
   these public addresses (why shouldn't you be able to connect to them..
   even if they are NAT'd)

2. Configure your mail server to send all mail to a mail server connected
   to the ISP - and make it their problem to figure out how to deliver it.
   (SMARTHOST)

> A DNS lookup of
> the MX records returns the public IP address which is unreachable from
> within the private network. As far as I can see, there are a few options:
> 1. Modify the mail server (Postfix) to do the MX lookup, and then check the
> resulting IP address against a given list of mail servers known to be NATed
> on our private network. If a match is found, then translate to the private IP
> address and continue as normal.
> I cannot find an option to do this in Postfix (smtp)
>
> 2. Create 'dummy' local DNS MX entries for all domains which require
> translation.
> This is messy and requires a lot of maintenance.
>
> 3. Manipulate outgoing packets being sent to port 25 of the public IP
> addresses for known mail servers on the NATed network, rewriting the
> destination address to the private IP address. As far as I can tell, this is
> what is known as DNAT in iptables, but this is a 2.2.16 machine so this is
> not an option without a significant upgrade.
>
> Does anyone have any ideas??

Change ISP ?

>
> Thanks again
>
> Adrian Flynn
> World Travel Centre
> 35 Pearse Street
> Dublin 2
> Ireland
> Ph +353-1-6717155
> Fx +353-1-6777756
> Email adrian.flynn at domain worldtravel.ie
>
> --
> Irish Linux Users' Group: ilug at domain linux.ie
> http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information.
> List maintainer: listmaster at domain linux.ie

-- 
** Chris Higgins                         e: chris.higgins at horizon.ie **
** Technical Business Development        tel: +353-1-6204916            **
** Horizon Technology Group              fax: +353-1-6204949            **


This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:12:06 GMT