NAT-ing with iptables rewrites source IP in logs

Zoli asked:

I have the following infrastructure in place:

 internet   [outside 81.x.x.x] router [inside 192.168.1.1]
                                  |    [network 192.168.1.0/24]
                                  |
                                 mail server [192.168.1.2]

On the router (DD-WRT) I use iptables. I have NAT enabled since I want my mail server to respond on the outside IP.
I have the following setup:

iptables -t nat -I PREROUTING -d 81.x.x.x -j DNAT --to 192.168.1.2 
iptables -t nat -I POSTROUTING -s 192.168.1.2 -j SNAT --to 81.x.x.x 
iptables -I FORWARD -d 192.168.1.2 -p tcp --dport 25 -j ACCEPT

with some other open ports as well.

However, when mail arrives at the mail server, Postfix shows the following message:

postfix/smtpd[6964]: connect from unknown[192.168.1.1]

All mail coming from outside seems to be coming from the router's inside IP address. What am I missing, so that the original IP address is shown instead of the router's inside IP?

My answer:

You appear to have set up a 1-to-1 NAT with the first two iptables rules, but then you’ve added a third, rather curious rule:

iptables -I FORWARD -d 192.168.1.2 -p tcp --dport 25 -j ACCEPT

Such rules aren’t necessary when doing 1-to-1 NAT, and don’t actually do anything useful. Of the information you’ve given, this appears to be the most likely cause of the problem. Simply remove it.

iptables -D FORWARD -d 192.168.1.2 -p tcp --dport 25 -j ACCEPT

View the full question and answer on Server Fault.
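As an added illustration that is not part of the original question or answer: a small Python check that scans Postfix smtpd "connect from" lines and reports what share of inbound SMTP connections carry the router's inside address instead of a real client address, which is the symptom Zoli describes. The log lines, hostnames and IPs below are constructed; the gateway address is passed in as a parameter.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtpd log lines (not taken from the original post).
SAMPLE_LOG = """\
Mar  3 10:01:12 mail postfix/smtpd[6964]: connect from unknown[192.168.1.1]
Mar  3 10:01:13 mail postfix/smtpd[6964]: disconnect from unknown[192.168.1.1]
Mar  3 10:02:40 mail postfix/smtpd[6970]: connect from unknown[192.168.1.1]
Mar  3 10:03:05 mail postfix/smtpd[6975]: connect from mx.example.net[203.0.113.7]
Mar  3 10:04:19 mail postfix/smtpd[6981]: connect from unknown[192.168.1.1]
"""

# Matches only the "connect from host[ip]" event, not disconnects or other lines.
CONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: connect from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]"
)


def count_connects(log_text):
    """Return a Counter of client IPs seen in smtpd 'connect from' lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def nat_masking_ratio(log_text, gateway_ip):
    """Fraction of inbound SMTP connections attributed to the NAT router's
    inside address. A value near 1.0 means the real client address is being
    lost before the connection reaches Postfix."""
    counts = count_connects(log_text)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return counts[gateway_ip] / total


def gateway_masks_clients(log_text, gateway_ip, threshold=0.5):
    """True when more than `threshold` of connections carry the gateway's
    address; such a log cannot be used for per-client rate limiting or RBLs."""
    return nat_masking_ratio(log_text, gateway_ip) > threshold


if __name__ == "__main__":
    print(count_connects(SAMPLE_LOG))
    print(nat_masking_ratio(SAMPLE_LOG, "192.168.1.1"))
```

Run it against /var/log/mail.log with the router's LAN address after changing NAT rules to confirm that external clients show up under their own addresses again.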

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.