hello,

I have setup iptables to dnat smtp traffic to my local mail server, but I lose the original ip/domain info in the process. Since sendmail is setup to reject all other traffic except that that is trusted, the nat traffic appears to come from a trusted source and it seems I'm presently an open relay.

How can I nat the traffic w/o losing the orginal source info?

Here's my iptables rules for smtp

$IPTABLES -t nat -A OUTPUT --dst $INET_IP -p tcp --dport 25 -j DNAT \
--to-destination $MAIL_SERVER

$IPTABLES -A FORWARD -i $INET_IFACE -p tcp \
-d $MAIL_SERVER --dport 25 -m state --state NEW -j ACCEPT

thanks!

Do you really need to NAT? Is it possible to use only forwarding?

I am still learning iptables after my 2 day crash study of iptables and I found an initial problem. I had an SNAT policy too that was unneeded. I deleted the below policy and my relay problem went away.

$IPTABLES -t nat -A POSTROUTING -p tcp --dst $MAIL_SERVER --dport 25 -j SNAT \
--to-source $LAN_IP

If I were to just forward any traffic coming into port 25 would my policy command change to look like this?

$IPTABLES -A FORWARD -i $INET_IFACE -p tcp --dport 25 \
-d $MAIL_SERVER --dport 25 -m state --state NEW -j ACCEPT