I want smtp requests from the internet to address 202.1.2.3 to be forwarded to 192.168.1.109, so I set ORIGINAL DEST to 202.1.2.3, but when I restart it shows an error:

iptables v1.2.11: invalid TCP port/service `210.0.214.212' specified
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/sbin/iptables -A net2loc -p tcp --sport 202.1.2.3 -d 192.168.0.109 --dport 25 -j ACCEPT" Failed
Processing /etc/shorewall/stop ...
WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated

Rules for smtp:

#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
#                         PORT PORT(S) DEST LIMIT GROUP
#
# Accept SMTP connections from internet to the local network
ACCEPT net loc:192.168.0.109 tcp 25 202.1.3.4
#

Thanks
Wilson Kwok wrote:
> I want smtp requests from the internet to address 202.1.2.3 to be forwarded to 192.168.1.109, so I set ORIGINAL DEST to 202.1.2.3, but when I restart it shows an error:
>
> iptables v1.2.11: invalid TCP port/service `210.0.214.212' specified
> Try `iptables -h' or 'iptables --help' for more information.
> ERROR: Command "/sbin/iptables -A net2loc -p tcp --sport 202.1.2.3 -d 192.168.0.109 --dport 25 -j ACCEPT" Failed
> Processing /etc/shorewall/stop ...
> WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables
> IP Forwarding Enabled
> Processing /etc/shorewall/stopped ...
> Terminated
>
> Rules for smtp:
>
> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
> #                         PORT PORT(S) DEST LIMIT GROUP
> #
> # Accept SMTP connections from internet to the local network
> ACCEPT net loc:192.168.0.109 tcp 25 202.1.3.4
> #

First of all, you need a DNAT rule rather than an ACCEPT rule (see Shorewall FAQ 1 or any of the multi-interface QuickStart Guides).

Second, if you omit a column in any of the Shorewall configuration files (in this case, you are omitting the SOURCE PORT column), then you must enter "-" in that column.

So the rule you want is:

DNAT net loc:192.168.0.109 tcp 25 - 202.1.3.4

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
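As an added illustration of the two points in Tom's reply (this is not code from the thread or from Shorewall itself), a small checker that splits a rules line by the column order shown in the file's header comment and flags both mistakes in the original rule: an address that slid into the SOURCE PORT column because the empty column was not written as "-", and an ACCEPT action carrying an ORIGINAL DEST where a DNAT is needed. The column names and the checks are my own assumptions, not Shorewall's parser.

```python
import ipaddress

# Column order of a rules-file line, taken from the header comment in the
# thread (hypothetical helper; Shorewall has its own, more complete parser).
COLUMNS = ["ACTION", "SOURCE", "DEST", "PROTO", "DEST_PORT",
           "SOURCE_PORT", "ORIGINAL_DEST", "RATE_LIMIT", "USER_GROUP"]


def parse_rule(line):
    """Split one rules line into named columns; '-' or absent means unset."""
    fields = line.split("#", 1)[0].split()   # drop trailing comments
    if not fields:
        return None                            # blank or comment-only line
    rule = {name: None for name in COLUMNS}
    for name, value in zip(COLUMNS, fields):
        if value != "-":
            rule[name] = value
    return rule


def looks_like_address(value):
    """True for an IPv4/IPv6 address or network, False for ports/services."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def check_rule(line):
    """Return a list of problems found in a single rules line (empty = OK)."""
    rule = parse_rule(line)
    if rule is None:
        return []
    problems = []
    # Symptom from the thread: ORIGINAL DEST slid left into SOURCE PORT
    # because the empty column was not written as '-', so iptables was
    # handed an address as --sport and rejected it as a TCP port/service.
    sp = rule["SOURCE_PORT"]
    if sp is not None and looks_like_address(sp):
        problems.append("SOURCE PORT holds an address (%s); write '-' for the "
                        "empty column so ORIGINAL DEST stays in its own column" % sp)
    # Tom's first point: forwarding to an internal host needs DNAT, not ACCEPT.
    if rule["ORIGINAL_DEST"] is not None and rule["ACTION"].upper().startswith("ACCEPT"):
        problems.append("ORIGINAL DEST set with ACCEPT; forwarding to an "
                        "internal host needs a DNAT rule")
    return problems
```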
In addition to the DNAT rule you could use an entry in the NAT file to handle sending from the original destination (public) IP; you may alternatively add an entry in the masq file depending on your needs. We've had most success with the NAT file, e.g. (NAT file; not sure what your external interface is):

210.0.214.212 eth0 192.168.1.109 yes yes

On 4/26/06, Tom Eastep <teastep@shorewall.net> wrote:
> Wilson Kwok wrote:
> > I want smtp requests from the internet to address 202.1.2.3 to be forwarded to 192.168.1.109, so I set ORIGINAL DEST to 202.1.2.3, but when I restart it shows an error:
> >
> > iptables v1.2.11: invalid TCP port/service `210.0.214.212' specified
> > Try `iptables -h' or 'iptables --help' for more information.
> > ERROR: Command "/sbin/iptables -A net2loc -p tcp --sport 202.1.2.3 -d 192.168.0.109 --dport 25 -j ACCEPT" Failed
> > Processing /etc/shorewall/stop ...
> > WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables
> > IP Forwarding Enabled
> > Processing /etc/shorewall/stopped ...
> > Terminated
> >
> > Rules for smtp:
> >
> > #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
> > #                         PORT PORT(S) DEST LIMIT GROUP
> > #
> > # Accept SMTP connections from internet to the local network
> > ACCEPT net loc:192.168.0.109 tcp 25 202.1.3.4
> > #
>
> First of all, you need a DNAT rule rather than an ACCEPT rule (see Shorewall FAQ 1 or any of the multi-interface QuickStart Guides).
>
> Second, if you omit a column in any of the Shorewall configuration files (in this case, you are omitting the SOURCE PORT column), then you must enter "-" in that column.
>
> So the rule you want is:
>
> DNAT net loc:192.168.0.109 tcp 25 - 202.1.3.4
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key