I am using Ubuntu 9.10 with Arnos IP tables firewall.

I'm unable to find any documentation on /etc/arnos~/firewall.conf
There is a NAT_FORWARD_IP section, but I dunno how to configure it.

So I must use iptables manually.

The above code doesn't apply when I restart arnos.

The below code works - everything is using the new external IP. However, that is the problem - I need just Exchange using that IP so these stupid tenants with viruses don't blacklist my ******* server.
So why can't I just add an -s switch and specify my Exchange server like the first code?

THANKS!!!!

Then why use it?

From what I see, Arno's iptables firewall is just a script. You'll either have to find out how it works, or find another solution.

Probably because the script flushes all tables and chains before adding its own rules. Have you tried adding that command to the end of the existing script? You'll have to add it to a script that runs at startup anyway, as no setting will survive a reboot otherwise.

By the way, isn't the port number wrong? TCP port 80 is web traffic, while SMTP uses TCP port 25.

I don't know, why can't you? Adding -s exchange_server_ip right after "POSTROUTING" in the rule above should do the trick. Unless it's overridden by an earlier rule added by this "Arno's" script. Have you tries inserting the rule at the top of the chain with "-I" instead of "-A"?

Thanks for the response!

I'm not reinventing the wheel - arnos has been inplace here for years.

Yes, I was just testing port 80 because it was easy to go to whatismyip.com.

I don't think the rule is being overwritten - I'm thinking I just have the syntax wrong or something because I can successfully route EVERYONE to the new IP.

I didn't try the -s switch right after POSTROUTING so I'll try that soon (users are complaining about internet dropping so I'm gonna wait a bit).


I'll post back in an hour or so.

Thanks again!

Apparently, I had it on the first try...

This works:

Doesn't work without "-p tcp".

Also, whatismyip.com doesn't show the alternate public IP. I connected via RDP and SSH and it all checked out with the new public IP.
And more importantly, my emails are going out through the IP that isn't blacklisted! I also found the virus computer. Some tenants use POP3 with port 25 so when I reviewed my packet log on the router it was hard to determine what was bad traffic.