A PREROUTING -d 202.a.b.c1/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25

This is your first rule.
Answer please,
1. What is 202.a.b.c1?
2. What is 172.16.1.69?

ok.. let me clarify:

-A PREROUTING -d 202.a.b.162/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25
-A PREROUTING -d 202.a.b.162/32 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.16.1.69:110

172.16.1.69 is the mail server

This is your post, here you said that: 202.a.b.162/32 is mail server.

Can you please, be more definite.
If your mail server IP is 172.16.1.69, and you can ping 202.a.b.166 from internet, then next rule should do what you want:


A PREROUTING -d 202.a.b.166/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25

yes, I able to ping 202.a.b.166/32 from internet .. but that's the linux firewall (172.16.1.1)

but you suggest below:
A PREROUTING -d 202.a.b.166/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25

could you please advise? why I should use 202.a.b.166/32 instead of 202.a.b.162/32

because I have 16 IPs from my ISP:

202.a.b.162 is want to be used for mail
202.a.b.163 is for ... bla bla
202.a.b.166 is for linux firewall on eth0 and eth1 is 172.16.1.1

or do I need to create 16 virtual NICs on linux firewall?

any idea?

As I understood, 202.a.b.166 is linux firewall interface reachable from internet. And linux box has only two interfaces - eth0 and eth1.

What is 202.a.b.162?

What is 202.a.b.162?
A: this IP 202.a.b.162 is want to be IP port-forwarding to 172.16.1.69 for SMTP and POP3 service.

or Do I need to create virtual IP of 202.a.b.162 in Linux-Firewall as Eth1:1

Linux box can do it.
Packets from internet will come to eth0=202.a.b.166, go through firewall, through router and go to second interface eth1=172.16.1.1, then to mail server=172.16.1.69

You do not need anything else

yes, that also what I thought, Linux-firewall box on 202.a.b.166 receives package from internet, if incoming package destination is to IP 202.a.b.162 and destination port is 25 then it should be forwarded to 172.16.1.69:25 .. but it does not work ..this really make me confusing today :<(

I am suspecting the routing..

Eth0 is on 202.a.b.166
Eth1 is on 172.16.1.1

and the Internet Router is on 202.a.b.161

Do you have suggestion about routing for the above conditions?

What makes you confusing is you do not understand that if packets from internet was addressed to 202.a.b.166, they will never go any farther because their destination address is 202.a.b.166. That is why you use iptables router - you manually resend them where you want.
That is happen because only 202.a.b.166 is reachable from internet and remote computer can address its packets only to 202.a.b.166, it does not know about anything else.

Hi,
so the all packets will arrives on eth0 202.a.b.166 and go to eth2=172.16.1.1..
but how to make access-list for

202.a.b.162 should be forwarded to 172.16.1.169 for smtp and pop3?

I am asking you this.. because I put dns record for smtp & pop3 @202.a.b.162

please advise

thanks & regards

If you put DNS record to IP=202.a.b.162 for your mail server, it means that mail client will attempt to connect to IP=202.a.b.162 and 202.a.b.162 should be reachable from internet. Is it?
Can you ping 202.a.b.162 from internet?

currently, I am using CISCO PIX, I am unable to ping 202.a.b.162 but I able to port-forwarding..
using Linux.. I am unable to ping 202.a.b.162 and I also unable to port-forwarding

DNS record gives an IP address, which is used for connection from internet. If 202.a.b.166 is reachable from internet, you should put it in DNS. And then with Linux you will forward this connection to any internal IP and ports.