iptables rule with dynamic IP

Running Debian 5, my /etc/init.d/iptables script uses iptables-restore to load my configuration from /etc/iptables.conf.

I have the following lines at the top of my .conf file:

Code:

---

*nat
:PREROUTING ACCEPT [1821236:456663979]
:POSTROUTING ACCEPT [172140:27540417]
:OUTPUT ACCEPT [548347:57634249]
-A PREROUTING -p tcp -m tcp --dport 465 -j DNAT --to-destination 10.0.0.5:465
-A PREROUTING -p tcp -m tcp --dport 993 -j DNAT --to-destination 10.0.0.5:993
-A POSTROUTING -j MASQUERADE
COMMIT

---

The goal is to have SSMTP and IMAPS data forwarded to an internal server from laptops that roam (i.e. they could be inside or outside).

The only problem with this setup is, it forwards all traffic destined to those ports back to that internal server -- including traffic from an internal machine trying to connect through NAT to another machine's port 463 or 995.

I want to set up a rule that forwards anything connecting to this machine's IPs on those ports, to the internal server; but let connections to those ports for any other IP to pass through.

The problem is, the machine has three IPs (internal, external, and localhost), and one of those is dynamic (external), so the rule would need to be dynamic enough to pick up any change in IP.

How can I create a rule of this form (or is it even possible):

Code:

---

-A PREROUTING -p tcp -d [this machine] -m tcp --dport 465 -j DNAT --to-destination 10.0.0.5:465

---

Setup your rule according to the interfaces they come in on. for example I take it your PREROUTE rules you are looking to have only done on traffic coming from the external interface thus you should have:

Code:

---

-A PREROUTING -i <EXT INT> -p tcp -m tcp --dport 465 -j DNAT --to-destination 10.0.0.5:465
-A PREROUTING -i <EXT INT> -p tcp -m tcp --dport 993 -j DNAT --to-destination 10.0.0.5:993

---

And the MASQ should only be applied to traffic that is leaving your network:

Code:

---

-A POSTROUTING -o <EXT INT> -j MASQUERADE

---

I wasn't sure it would work, since when my clients are on the internal network, I wanted them to connect to the server and have packets redirected to the mail server. But, my clients seem to resolve to the external IP no matter which side they're on, so it works out in this case.

Thanks for the help!

Ok, I have to take it back, it didn't work exactly. I'm not sure what caused it to work last night and fail this morning (cached routing, perhaps?), but those rules wouldn't DNAT the internal clients' traffic to the other machine.

Masquerading can't be limited to eth0 (external iface), because of this one case where I'm actually using masquerading to redirect traffic on eth1.

However, I was able to get it to work building on your suggestion, when I thought about it some more.

What I realized:
Traffic coming in on eth0 on those two ports is only going to get forwarded to the mail server. (No IP test is needed, since anything inbound to my network from the outside can only have one destination.)
Traffic coming in on eth1 on those two ports are either going to be intended for forwarding back to the mail server (if it tries to connect to the server directly), or destined for some external server. I can determine this by destination IP, since I know the IP of my server on eth1 is static.

Code:

---

-A PREROUTING -i eth0 -p tcp -m tcp --dport 465 -j DNAT --to-destination 10.0.0.5:465 -m comment --comment "SSMTP forward from outside to mail"
-A PREROUTING -i eth0 -p tcp -m tcp --dport 993 -j DNAT --to-destination 10.0.0.5:993 -m comment --comment "IMAPS forward from outside to mail"
-A PREROUTING -i eth1 -d 10.0.0.1 -p tcp -m tcp --dport 465 -j DNAT --to-destination 10.0.0.5:465 -m comment --comment "SSMTP forward from inside to this machine, to mail"
-A PREROUTING -i eth1 -d 10.0.0.1 -p tcp -m tcp --dport 993 -j DNAT --to-destination 10.0.0.5:993 -m comment --comment "IMAPS forward from inside to this machine, to mail"
-A POSTROUTING -j MASQUERADE -m comment --comment "Outbound traffic is masqueraded"

---

Thanks for leading me in the right direction.

I still can't help thinking this would've been easier if there were a way to specify the destination IP as "any of mine, whatever they might be" (and I might've needed it if my internal IP wasn't static). But it's not that hard, just required a little more thought than I gave it at first.

...or not. It is, in fact, inbound on eth1 but connecting to the IP address on eth0, and that doesn't match either rule. (Kind of annoying that it doesn't seem to take effect immediately, teasing me into thinking I solved it only to break later.)

I had to tweak the configuration to my internal DNS so that, internally, my clients would resolve the server name to the internal IP address (instead of slipping through and getting the DNS entry on the outside), and the eth1 rules would catch the traffic. Which is probably more correct anyway.

I hope all this chatter helps someone from having to stumble through this like I have.

After reading your above posts this was the next step I was going to tell you to ensure the internal DNS give out the internal IP addresses of your servers.