
Welcome to My Blog

This is to share my IT experience with friends all around the world.
I have been working with Linux Fedora systems for more than 8 years. It's fun to share knowledge and learn.
As everyone knows, when a problem arises in your systems, "googling" is the way many depend on.

All the posts here are from my working experiences during my working life, so you can count on them.

I have added the references where I got help in solving IT issues.


Monday, June 13, 2011

IP Tables DNAT and IP Forwarding

We had a requirement to forward all mail arriving at the mail server on port 25 to port 25 of the virus scanner. We did this with a DNAT rule in the iptables nat table, in the PREROUTING chain, so that the destination is rewritten before the routing decision is made.

*nat
# Rule 1: connections coming from the virus scanner are accepted as they are (no DNAT).
-A PREROUTING -s virus_scanner_ip -p tcp -j ACCEPT
# Rule 2: every SMTP connection from the local network is redirected to the virus scanner.
-A PREROUTING -s my_network -p tcp -m tcp --dport 25 -j DNAT --to-destination virus_scanner_ip
COMMIT

The first rule accepts, without translation, any connection from virus_scanner to the mail server, and the second rule forwards all port-25 connections to virus_scanner. The interesting thing here is that the network defined in the second rule also contains virus_scanner_ip. Because iptables walks the chain in order and the first matching rule wins, the scanner's own connections are accepted by the first rule and never reach the DNAT rule, so no routing loop is created. The order of the two rules therefore matters: with the DNAT rule first, the scanner's mail to the mail server would be redirected straight back to the scanner.

We enabled this and configured virus_scanner to route all packets via the mail server. This is a must because the client has a TCP session only with the mail server's address: the scanner's replies have to pass back through the mail server, where connection tracking reverses the DNAT, before they reach the client.

The other important fact is to enable IP forwarding on the mail server (net.ipv4.ip_forward = 1). This is a must because the mail server forwards all requests from the clients to the virus scanner.
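To make the rule-ordering point concrete, here is a small added example (not from the original post) that models the nat PREROUTING chain with first-match semantics and checks whether the scanner's own mail would be redirected back to itself. The addresses are constructed from the RFC 5737 documentation range, since the post only uses the placeholders virus_scanner_ip and my_network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addresses from the RFC 5737 documentation range; the post itself
# only uses the placeholders virus_scanner_ip and my_network.
MAIL_SERVER = "192.0.2.25"
SCANNER_IP = "192.0.2.10"
MY_NETWORK = "192.0.2.0/24"  # contains SCANNER_IP, as in the post

@dataclass(frozen=True)
class Rule:
    """One nat PREROUTING rule: -s <src> [--dport <dport>] -j <target>."""
    src: str                  # -s: host or CIDR network
    dport: Optional[int]      # --dport, None means any port
    target: str               # "ACCEPT" or "DNAT"
    to: Optional[str] = None  # --to-destination for DNAT

def nat_prerouting(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Walk the nat PREROUTING chain in order, first match wins, and return
    the destination address the packet leaves the chain with.  ACCEPT ends
    the walk without translation; DNAT rewrites the destination."""
    for r in rules:
        if ip_address(src) not in ip_network(r.src, strict=False):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return dst if r.target == "ACCEPT" else r.to
    return dst  # no rule matched: destination left untouched

# The two rules exactly as the post orders them: exemption first, DNAT second.
POST_ORDER = [
    Rule(SCANNER_IP, None, "ACCEPT"),
    Rule(MY_NETWORK, 25, "DNAT", to=SCANNER_IP),
]
# The same rules with the order swapped, to show why the order matters.
SWAPPED_ORDER = list(reversed(POST_ORDER))

def would_loop(rules: List[Rule]) -> bool:
    """True when the scanner's own SMTP delivery to the mail server would be
    DNAT'd straight back to the scanner, i.e. the loop the post avoids."""
    return nat_prerouting(rules, SCANNER_IP, MAIL_SERVER, 25) == SCANNER_IP

if __name__ == "__main__":
    client = "192.0.2.77"  # a constructed client inside MY_NETWORK
    print("client SMTP ->", nat_prerouting(POST_ORDER, client, MAIL_SERVER, 25))
    print("loop, post order / swapped:", would_loop(POST_ORDER), would_loop(SWAPPED_ORDER))
```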

Please refer to the following documents for further details:
http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/ - IP Forwarding
http://linux-ip.net/html/nat-dnat.html - DNAT and Pre Routing
