[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

On 9/25/07, Aleksander Kamenik <aleksander@xxxxxxxxxxxxxxx> wrote:
Indunil Jayasooriya wrote:

>    SECOND Firewall's default route (gateway) is NOT the FIRST firewall.
>  BOTH firewall's default route (gateway) is the router given by our ISP.

Ok, so you understand your problem now?

Assuming the packet arrives at from random external ip (eg., is successfully dnat+rerouted to, there again
dnat+reroute to 192.168.x.x. Arrives at smtp server and smtp server
sends a reply to the original sender It does that via it's
default gateway which I assume is sends it via your
ISP's gateway with it's own address of to

But sent the packet, not, so it discards it.

YES, I got it.

And that's exactly what Riccardo said when I read his mail now.

The first problem though is that I'm not sure the dnat form to works, the packet would have to leave via the same interface it
came. Maybe this works, I've never tried that. Make sure packets arrive
on the smtp box with tcpdump.

As for the solution, one way would be to SNAT the connection at FW1, but
this wwould cause the smtp box to see as if all the incoming connections
are from and not their real IP's (

Actually you should set up custom routing at and not DNAT. You'd
have to mark the packets and then send them to the fw via a
custom route. I'm not sure I could help you with that, never done any
advanced routing.
Thanks for your exellent help given so far. I will try with advanced routing.
it is plicy routing?


Aleksander Kamenik
system administrator
+372 6659 649

Krediidiinfo AS
LARTC mailing list

Thank you
Indunil Jayasooriya
LARTC mailing list

[Bugtraq]     [Fedora Legacy]     [GCC Help]     [Yosemite News]     [Yosemite Photos]     [IP Tables]     [Netfilter Devel]     [Fedora Users]

Powered by Linux