David Silva wrote:
> Hello,
>
> I change from a two to a three interface firewall with DMZ.
>
> My problem is caused because our lan network admin setup all clients
> machines Outlook Express to use imap server at 192.168.0.3 and not
> something like mail.domain.com. This ip is used too in proxy setup,
> so I decide continue using it in eth1 interface (loc). But how outlook
> express can see our imap server at ip 192.168.1.2 without change all
> machines (+ 120)?
>
> I tried DNAT:
>
> DNAT loc dmz:192.168.1.2 tcp 143 143 192.168.0.3
>
> But it doesn't work. Please, any suggestion?
>
There are two problems:
a) Just as in your post from last night, you are constraining the rule to
only those clients who use 143 as their local port number; virtually no
client does that. A better rule is:
DNAT loc dmz:192.168.1.2 tcp 143 - 192.168.0.3
b) 192.168.0.3 MUST be a local address for your firewall -- otherwise, why
would the firewall system look at packets with that destination?
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
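The two points in the reply above, as an added example (not Shorewall's own code and not from either poster): a small POSIX sh script that renders a Shorewall DNAT rule line as the iptables nat rule it corresponds to, flags a literal port in the SOURCE PORT(S) column, and checks that the ORIGINAL DEST address is one the firewall owns. It assumes the column order ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST, that zone loc is eth1 as in the post (the dmz/net interface names are assumptions), and a constructed list of firewall addresses standing in for what `ip -4 -o addr show` would return.

```shell
#!/bin/sh
# Added example, not part of the Shorewall project. Renders a Shorewall
# DNAT rule as the iptables nat rule it corresponds to and checks the two
# mistakes discussed in the reply. Column order assumed:
#   ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST

# Zone -> interface mapping. loc=eth1 comes from the post; the others are
# assumptions, take yours from /etc/shorewall/interfaces.
zone_iface() {
    case "$1" in
        loc) echo eth1 ;;
        dmz) echo eth2 ;;
        net) echo eth0 ;;
        *)   echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

# Problem (a): a literal port in the SOURCE PORT(S) column matches only
# clients whose ephemeral source port happens to equal it. Returns 1 with
# a diagnostic unless the column is "-" (any port).
check_source_port() {
    set -- $1
    sport=$6
    if [ -n "$sport" ] && [ "$sport" != "-" ]; then
        echo "rule matches only clients with source port $sport; use '-'" >&2
        return 1
    fi
    return 0
}

# Problem (b): the ORIGINAL DEST address has to be one the firewall owns,
# otherwise its PREROUTING chain never sees the packets. $2 is a
# whitespace-separated list of firewall addresses; on a live box build it
# with:  ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1
check_origdest_local() {
    orig=$1
    for a in $2; do
        if [ "$a" = "$orig" ]; then
            return 0
        fi
    done
    echo "original destination $orig is not a firewall address" >&2
    return 1
}

# Emit the nat-table rule for the DNAT line (the filter-table ACCEPT that
# Shorewall's DNAT action also generates is left out here). A source port
# in column 6 becomes --sport so the restriction is visible.
dnat_to_iptables() {
    set -- $1
    src=$2 dest=$3 proto=$4 dport=$5 sport=$6 origdest=$7
    iface=$(zone_iface "$src") || return 1
    rest=${dest#*:}              # "dmz:192.168.1.2[:port]" -> "192.168.1.2[:port]"
    addr=${rest%%:*}
    to=$addr
    case "$rest" in
        *:*) to="$addr:${rest#*:}" ;;   # DEST carried a target port
    esac
    cmd="iptables -t nat -A PREROUTING -i $iface -p $proto"
    if [ -n "$origdest" ] && [ "$origdest" != "-" ]; then
        cmd="$cmd -d $origdest"
    fi
    if [ -n "$dport" ] && [ "$dport" != "-" ]; then
        cmd="$cmd --dport $dport"
    fi
    if [ -n "$sport" ] && [ "$sport" != "-" ]; then
        cmd="$cmd --sport $sport"
    fi
    echo "$cmd -j DNAT --to-destination $to"
}

# Demo with the corrected rule from the reply and a constructed address
# list (assumption: 192.168.0.3 on eth1, 192.168.1.1 on eth2, 203.0.113.5
# on eth0).
RULE="DNAT loc dmz:192.168.1.2 tcp 143 - 192.168.0.3"
FW_ADDRS="192.168.0.3 192.168.1.1 203.0.113.5"
if check_source_port "$RULE" && check_origdest_local 192.168.0.3 "$FW_ADDRS"; then
    dnat_to_iptables "$RULE"
fi
```

Running it with the original rule (143 in the sixth column) prints the same command with an extra `--sport 143`, which is exactly why only a client that happened to pick source port 143 would ever be translated; with `-` in that column the match is on destination port only.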