Hi everyone,

I have serious problem, I have this network

LAN (10.0.0.2/24 255.0.0.0 ) ---> Linux server (debian, eth0 10.0.0.1, eth1 - 192.168.1.2, 255.255.255.0, gw 192.168.1.1, dns 192.168.1.1) <--NAT on router--> router (192.168.1.1)---> internet

In LAN, PCs are not routed through gateway, because of security, I use squid for HTTP proxy.
Now, I need configure Linux server to REDIRECT 143 port and 25 to wan.

I would like to set LAN-PCs email clients imap server as: 10.0.0.1, when email client would like to download mail, he asked 10.0.0.1:143 and 10.0.0.1 will send packets to imap.isp.com (everyone use same imap).
For smtp is the same case.

Please, advice me, how to set iptables chains on linux machine.

Thank you very much.

A brief search of this forum will get you several posts that describe port-forwarding setup that will do what you want, though they might not actually mention your particular port numbers.

Even though your Linux server is connected between two Private Internets, the scheme is pretty simple:
1. When SMTP or IMAP packets arrive from the 10.0.0.x network, you need to tell the Linux machine to send them onto the 192.168.1.x subnet, even though that machine does not normally allow traffic between those two networks. To do this, you need port-forwarding specified in iptables, thus: This tells the boundary machine what to do with this traffic. Then, if your other rules prevent forwarding between the two sides of this boundary machine (the normal case), you need to permit these packets to be forwarded: Finally, you may need to turn IP forwarding on the boundary machine. I am not sure exactly how you make that permanent on a Debian machine, but I am certain that Google will tell you: you need to set a kernel flag thus:
If this value is 0, no forwarding will occur, regardless of how many rules you put into the iptables FORWARD chain.

HTH

Thank you very much, but I did not be sure that prerouting and port forwarding were vice choice.

I will try this solution ASAP.

About debian ip_forward http://documents.made-it.com/Debian_...Server-13.html.

I must apologize for providing only a partial recommendation for your problem; it was late at night when I wrote my previous post, and I have thought about your problem some more. My initial recommendation will not make your SMTP and IMAP connections work, because it enables the communication path in one direction. But a complete TCP connection requires bi-directional communication. Unfortunately, the outbound port-forwarding I recommended in my last post takes packets from many sources (on the 10.x.x.x network) and makes them all appear on the 192.168.1.x side to have come from a single address. As a result, when a return packet arrives at the boundary machine between these two networks, it cannot properly forward the reply to the correct originator.

Happily, there is a better solution, if the connections all originate on the 10.x.x.x network. (I guess that this must be the situation, since you have two distinct Private Networks, and a shared connection to the public Internet only from the 192.168.1.x side.) The solution is to use the masquerade facility of iptables, which is designed to keep track of the many-to-one mapping that occurs on the boundary machine. Using this facility, the originating packet (from a 10.x.x.x address) is transformed into one that appears to originate on the boundary machine, and is forwarded onto the 192.168.1.x network. In the process, the boundary machine records information about the outbound packet, so that when a reply arrives (addressed to 192.168.1.2) that reply packet can be re-edited so that it can travel onward over the 10.x.x.x network to its correct destination.

The rules to make this happen are In this situation, you do not need to make any special entry in the FORWARD chain; the SNAT processing bypasses that set of rules. But you do still need to make sure that the kernel setting of /proc/sys/net/ipv4/ip_forward is correct.

Good luck.