We have the following setup.

192.168.0.1 NAT router

192.168.0.3 eth0
192.168.0.50 eth0:0

Two postfix instances. The first bound to 192.168.0.3 and the second to 192.168.0.50.

The problem is that the NAT router can't port forward the same port to two IPs.

Is there any way to redirect outgoing port 25 from 192.168.0.50 to 192.168.0.3?

--
Robin Lynn Frank - Director of Operations - Paradigm-Omega, LLC
Website: http://www.paradigm-omega.com/
RSS: http://paradigm-omega.blogspot.com/atom.xml
Spamtraps: http://paradigm-omega.net/cgi-bin/custmail.cgi
====================================================================
Signature terminated by sigfault.

Robin Lynn Frank wrote:
> We have the following setup.
>
> 192.168.0.1 NAT router
>
> 192.168.0.3 eth0
> 192.168.0.50 eth0:0
>
> Two postfix instances. The first bound to 192.168.0.3 and the second to
> 192.168.0.50.
>
> The problem is that the NAT router can't port forward the same port to
> two IPs.
>
> Is there any way to redirect outgoing port 25 from 192.168.0.50 to
> 192.168.0.3?

I don't understand what you are trying to accomplish here. Nevertheless...

It is possible to DNAT output connections provided that your kernel has support for it. You just code a DNAT rule with $FW as the source. It almost sounds like you want $FW to be the destination as well; if so, be sure that you add a $FW->$FW ACCEPT policy (also requires shorewall version 2.0.0 or later).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Robin Lynn Frank wrote:
>
>> We have the following setup.
>>
>> 192.168.0.1 NAT router
>>
>> 192.168.0.3 eth0
>> 192.168.0.50 eth0:0
>>
>> Two postfix instances. The first bound to 192.168.0.3 and the second to
>> 192.168.0.50.
>>
>> The problem is that the NAT router can't port forward the same port to
>> two IPs.
>>
>> Is there any way to redirect outgoing port 25 from 192.168.0.50 to
>> 192.168.0.3?
>
> I don't understand what you are trying to accomplish here. Nevertheless...
>
> It is possible to DNAT output connections provided that your kernel has
> support for it. You just code a DNAT rule with $FW as the source. It
> almost sounds like you want $FW to be the destination as well; if so, be
> sure that you add a $FW->$FW ACCEPT policy (also requires shorewall
> version 2.0.0 or later).
>
> -Tom

Thanks for the quick reply. FYI, we are going to use one instance for inbound and the other for outbound with different sets of restrictions.

--
Robin Lynn Frank - Director of Operations - Paradigm-Omega, LLC
Website: http://www.paradigm-omega.com/
RSS: http://paradigm-omega.blogspot.com/atom.xml
Spamtraps: http://paradigm-omega.net/cgi-bin/custmail.cgi
====================================================================
Under Marxism, labor is not rewarded for producing. Under Capitalism, business is rewarded for not producing.