Do not worry. There is other ways how to do it:

Remove previous rules and add new:

iptables -t nat -A OUTPUT -p tcp -d xxx.xxx.xxx.xxx --dport 25 -j DNAT --to-destination xxx.xxx.xxx.xxx:2525

Change xxx.xxx.xxx.xxx to your mail server IP

Back to Bizaro world.

Before I left last night I turned off iptables using 'service iptables stop' just to make sure that nothing I had done would effect the server for the morning startup. I came in this morning and cleaned up the iptables file to remove your original OUTPUT line and then entered the new one. Bingo! it seems to work...wait I didn't actually turn ON the iptables yet. Double check with 'service iptables status' and get the message 'Firewall is stopped' WTF!!!

This is starting to make a bit of sense IF something else is running and using the iptables file in /etc/sysconfig for settings. I tried to use a ps command to look for iptables running under some other pid but nothing shows up and I don't appear to be running ipchains but I'm not entirely sure about that. Any idea what I should be looking for???

Right now if I add the last OUTPUT line with the ip addresses it works and if I then remove the line using -D instead of -A the telnet to port 25 of the mailserver does not work. All this and no iptables running according to the status.

???????????????????????????????????????????

Don't get me wrong again, I'm happy that it might be working but I'd REALLY like to understand this before I put it to bed.

Bill

Working but not working is how I'd describe it right now. Now I can see by tcpdump and by getting the actual mail server login that I am redirecting port 25 to port 2525 when it leaves the server but sendmail/postfix does not seem to be working. I can watch as the system checks the email address every couple of minutes using tcpdump but nothing happens when I try to mail a test email. Right now I'm not sure if send mail is having a problem, maybe I messed it up trying to change its port, or whatever is allowing a telnet session to have its port resirected is for some reason not letting sendmail do it.

I still don't know HOW the port is being redirected in the first place....

On the thought that I might have gummed up postfix somehow I did a flush and a restart to see if maybe I had an email stuck somehow but that didn't seem to work.


Bill

Ok, who do I &$^%%#& to get out of the outfit!!!

What will I see in a ps when iptables is running???

Just to see if something was going on I 'service iptables start' to start up iptables again and promptly lost the ability to telnet to port 2525 on the mail server. I then turned off iptables and still couldn't telnet. I checked the iptables file in /etc/sysconfig and the OUTPUT line was missing. I'm not exactly sure what is happening so I added the line back in and did a 'service iptables save' then I checked the iptables file and there it was. So I tried to telnet to port 25 of the mail server and got a timeout again *&^%*^%********&^*%*^&%*%*%*

Ok, take a deep breath and do a 'service iptables start' and try it again. Now I can telnet to port 25 of the mail server and see by tcpdump that it is going out on 2525. Turn off iptables again and back to a telnet timeout. Turn it on and it works.

I'd swear that someone is messing with me.

I'd doubly swear that iptables was OFF when it first started working earlier.

Even with the port being redirected sendmail/postfix isn't working.

So back to the original question, what exactly will I see running is a ps that uses the /etc/sysconfig/iptables file??? It still feels like something else is running that is conflicting with iptables and I'm almost certain that later on today I'll lose the port redirect again.

God I hate our ISP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Bill

You've asked to many different questions.
But first, when you give to iptables new rule by command -A (append) -I (insert) it takes it, but only in memory, and sometime when you start iptables it read default rule set and loses your rule.

To find out are there any modules in memory belong to iptables you can do "lsmod |grep ip".
To find out if iptables is doing its job - service has to be activated.

I hope it helps

I know about the bit with iptables keeping the rule in memory so I was always doing a 'service iptables save' after I verified that the rule had been accepted.

when I run lsmod I get iptable_nat, ip_conntrack, ip_tables and ipv6
and when I turn off iptables all I get is ipv6.

I still think that something is/was running and conflicting with iptables but I just don't know what.

When I turn off iptables and try a telnet to the mail server I get the half login where I get the mail server telling me who it is then loging me out with a Connection closed by foreign host. If I try the telnet again right away I get a connection timeout. If I restart iptables I'm good again to telnet to the mail server using 25 and seeing it go out on tcpdump as 2525.

I do find it strange that once in a while with iptables off I get a partial login.

All this and I still can't get sendmail/postfix to work.


Is there any reason that the OUTPUT line might be upstream of the packets with regards to postfix?? I mean could the redirection be happening in a way that postfix bypasses it?

Bill

Nothing strange at all.
If you stop iptables, and do "lsmod |grep ip", you will still see modules in memory, NAT remembers some time about connections through it because port the same.

I'm back to Bizaro world, not as bizaro as the last one but still weird.

When I use sendmail I don't see any activity in the tcpdump window I have up, but the /var/log/maillog indicates that the postfix tried to access the mail server and timed out.

Could there be something more I need to use to redirect the incoming connection from the mail server??? When I telnet I see the login so I know it works with telnet but would postfix be different???

I'm using

define(`SMART_HOST',`mail.mymailserver.com')
FEATURE(authinfo)dnl

in my sendmail.mc and setup the authinfo with the login for the server which worked before so unless I messed up something else when I was trying to get postfix to use 2525 I'm back to being very confused

And answer is very simple - it uses to different IP. It sends packets to different IP.
You can do:

tcpdump -n

And see.

P.S.

Your client resolves "mail.mymailserver.com" to different IP.

I've got every crossable finger, toe and internal organ crossed....it seems to be working!!!!!


I had to remove the -d xxx.xxx.xxx.xxx (I had the mail server address there like you told me to)

iptables -t nat -A OUTPUT -p tcp -d xxx.xxx.xxx.xxx --dport 25 -j DNAT --to-destination xxx.xxx.xxx.xxx:2525

This seems to have done the trick, now when I use sendmail or use the custom software to send an invoice I see immediate activity on the tcpdump screen for the mail server on port 2525.

Is there anyway to put in the mail.mymailserver.com instead of the ip address??? I don't know if our web/email provider changes its ip address but I'd like to be prepared this time.

Bill

No, iptables can't resolve it for you, it can use only IP.
If you know all IP addresses for your server you can add rules for all of them.
Or tell your client use IP instead of URL

I think you are working off of a bit of wrong info.

I'm not providing a email server. What I'm doing is taking a linux box that runs some custom software and letting it talk to our website/mail server, located on the web, to send and retrieve email for an individual email account. We send an invoice from the custom software to a printer interface I wrote to convert it to a pdf then email it through our external web based email server. No one connects into it to retrieve email, at least not yet

I'm slowly working my way to having an onsite email server but right now I have to work with what I got.

Please pray to or sacrifice to the deity of you choice that this keep working and I didn't screw up something else during all this.

By the way I did notice that the iptables file is much shorter now, before it had entries for filter and mangle, all set to accept, but for some reason now it just has them for PREROUTING, POSTROUTING and OUTPUT all set to ACCEPT with the additional -A line for the output rule. Not sure why or what that means but there you have it.

Thanks again for your help.

Bill