Networking Forums

iptables: destination nat onto same network

Chris Lutka
03-16-2005, 09:01 PM

I have successfully implemented the classic scenario where internal
users are trying to access a public web server which has been DNAT'ed
to an internal machine (to paraphrase the NAT-HOWTO). Actually, I've
done that for my SMTP and POP servers as well. The problem is that my
firewall which does the DNAT'ing cannot send mail to the public IP
address. I have been scratching my head looking at the nat OUTPUT
chain and the POSTROUTING chain but I can't seem to figure it out. I
would appreciate it if someone could point me in the right direction.

-Chris
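
The situation in the first post (the gateway's own sendmail cannot reach the public address it DNATs for everyone else) is the classic case of locally generated packets never traversing the nat PREROUTING chain, so they need the same DNAT in the nat OUTPUT chain. The script below is an added example, not code from the thread; the addresses, interface name and port are placeholder assumptions, and setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Constructed example: hairpin ("NAT loopback") rules for a DNAT'ed service.
# Arguments: public IP of the gateway, internal server IP, TCP port,
# internal subnet, internal interface. All values in the usage line below
# are placeholders. IPT defaults to iptables; IPT=echo gives a dry run.

hairpin_nat_rules() {
    pub_ip=$1; srv_ip=$2; port=$3; lan=$4; lan_if=$5
    ipt=${IPT:-iptables}

    # 1. The classic NAT-HOWTO rule: packets that ENTER the gateway through an
    #    interface (from the Internet or from the LAN) addressed to the public
    #    IP:port are redirected to the internal server.
    "$ipt" -t nat -A PREROUTING -p tcp -d "$pub_ip" --dport "$port" \
        -j DNAT --to-destination "$srv_ip:$port"

    # 2. Packets generated ON the gateway (e.g. its own sendmail delivering to
    #    the public MX address) never see PREROUTING; they pass through the nat
    #    OUTPUT chain instead, so the same DNAT must be repeated there. Note the
    #    DNAT'ed packet is then filtered by the filter OUTPUT chain, not FORWARD.
    "$ipt" -t nat -A OUTPUT -p tcp -d "$pub_ip" --dport "$port" \
        -j DNAT --to-destination "$srv_ip:$port"

    # 3. LAN clients that use the public address: after DNAT the server would
    #    answer the client directly on the LAN, and the client would drop the
    #    reply because its source was never translated back. Masquerading those
    #    connections as the gateway's LAN address forces the reply back through
    #    conntrack. Cost: the server's logs show the gateway as the client.
    "$ipt" -t nat -A POSTROUTING -o "$lan_if" -s "$lan" -d "$srv_ip" \
        -p tcp --dport "$port" -j MASQUERADE
}

# Placeholder usage: public 203.0.113.10 -> internal 192.168.1.25, SMTP,
# LAN 192.168.1.0/24 behind eth1. Run with IPT=echo to review before loading.
[ "${IPT:-}" = "echo" ] && hairpin_nat_rules 203.0.113.10 192.168.1.25 25 192.168.1.0/24 eth1
```

For the gateway's own connections rule 2 alone is usually enough, because the internal server's default route already points back at the gateway where conntrack reverses the translation.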
Moe Trin
03-18-2005, 12:48 AM
In article <(E-Mail Removed) >, Chris Lutka
wrote:

>I have successfully implemented the classic scenario where internal
>users are trying to access a public web server which has been DNAT'ed
>to an internal machine (to paraphrase the NAT-HOWTO). Actually, I've
>done that for my SMTP and POP servers as well. The problem is that my
>firewall which does the DNAT'ing cannot send mail to the public IP
>address.


The normal solution I've seen for this is to have the local name resolution
(local name server, or /etc/hosts file) resolve the external name to the
internal address of the servers. Any _external_ resolution of the names
still points through the NAT, so external hosts can find things.

Old guy

Chris Lutka
03-18-2005, 03:09 PM
> >done that for my SMTP and POP servers as well. The problem is that my
> >firewall which does the DNAT'ing cannot send mail to the public IP
> >address.
>
> The normal solution I've seen for this is to have the local name resolution
> (local name server, or /etc/hosts file) resolve the external name to the
> internal address of the servers. Any _external_ resolution of the names
> still points through the NAT, so external hosts can find things.

Thanks for the reply.

I had tried this. Sendmail does an MX record lookup to my internal
DNS server which has the external IP address record. I want to keep
it this way since I have laptop users who have had issues in the past
trying to connect from an external provider to get their email and the
cached DNS still pointed to our internal IP. I didn't/don't want to
change the cache time for the entry since I'm already bogging down
that server.

One of the only ways I can figure things out is to edit my internal
DNS to include another domain and set the MX record to be the internal
IP address of the mail server and have it accept mail from the
non-existent domain. I would really like to have the mail served
properly and configure the iptables information correctly for the
firewall.

-Chris

Moe Trin
03-19-2005, 01:35 AM
In article <(E-Mail Removed) >, Chris Lutka
wrote:

>I had tried this. Sendmail does an MX record lookup to my internal
>DNS server which has the external IP address record. I want to keep
>it this way since I have laptop users who have had issues in the past
>trying to connect from an external provider to get their email and the
>cached DNS still pointed to our internal IP.


I think you may want to google the comp.mail.sendmail newsgroup. The
Sendmail-FAQ mentions this problem, but their solutions aren't neat.
Still, I'm not sure I'm following you. When your users are external,
they should be looking up the addresses with their ISP's name server,
not your internal name server. Thus, the mail server should resolve to
an external IP. When they are inside, they should not be using the
external name server, but should be pointed at the internal server
which would then give the mail server address as the local one. Not
that many user systems cache the name server data anyway.

>One of the only ways I can figure things out is to edit my internal
>DNS to include another domain and set the MX record to be the internal
>IP address of the mail server and have it accept mail from the
>non-existent domain. I would really like to have the mail served
>properly and configure the iptables information correctly for the
>firewall.


Old guy