how to change the special port output source address?

Question

I want to change the my datapackage from port 25 to another internal address(192.168.2.253).

iptables -A OUTPUT -o em1 -p tcp --dport 25 -j SNAT --to 192.168.2.253

But I get the output is:

root@gateway:~# iptables -A OUTPUT -o em1 -p tcp --dport 25 -j SNAT --to 192.168.2.253
iptables: Invalid argument. Run `dmesg' for more information.

how to do it correctly?

The dmesg output is:

https://gist.githubusercontent.com/thinksource/af08acd451380823257b/raw/5d720ce48bcb5ea27699bfcde63e4ccd92e2118c/dmesg%20output

What are you exactly wanting to do ? Why rewrite the source address when the destination port is SMTP ? — Xavier Lucas, Mar 25 '15 at 10:18
@Xavier Lucas there are two ip addresses on the same network adapter one for internal network, one for external network. Actually, I want use the external ip address send emails, while everytime the computer always use the internal ip address. — user504909, Mar 26 '15 at 17:13

score 0 · Answer 1 · answered Mar 25 '15 at 05:54

0

To add a NAT rule you need to do so in the NAT table; add "-t nat" to the iptables command line. Further, you can only do SNAT on the INPUT NAT chain (not OUTPUT), and on an inbound interface (-i, not -o). You will obviously have to alter which interface that is, to the one where the packet is arriving, not the one where it is leaving

answered Mar 25 '15 at 05:54

Craig Miskell

4,216
1
16
16

can you tell me how to change the output address? – user504909 Mar 25 '15 at 06:46
The value after --to is what the target address is rewritten to; in your original command, that's 192.168.2.253. Or have I misunderstood your question? – Craig Miskell Mar 25 '15 at 08:38
You are confusing DNAT and SNAT. – Xavier Lucas Mar 25 '15 at 10:22
@Xavier Lucas actually, I have two ip address on same network adapter. I need to use ip 192.168.2.253 to send email, not the other one. do you know how to set it? – user504909 Mar 26 '15 at 01:26
Read my answer ?! – Xavier Lucas Mar 26 '15 at 08:01

Xavier Lucas · Answer 2 · 2015-03-25T10:25:18.837

0

The SNAT target is only meaningful in the POSTROUTING chain of the nat table.

A valid version of your rule would be :

iptables -t nat -A POSTROUTING -o em1 -p tcp --dport 25 -j SNAT --to-source 192.168.2.253

By the way if your (output) interface holds the IP 192.168.2.253, then rather use :

iptables -t nat -A POSTROUTING -o em1 -p tcp --dport 25 -j MASQUERADE

edited Mar 25 '15 at 10:25

answered Mar 25 '15 at 10:03

Xavier Lucas

13,095
2
44
50

I do not want holds ip address, the simple reason is I have two ip address on one network adapter. I need to use one of them to send email, while every-time the machine always use another one. – user504909 Mar 26 '15 at 17:20
That's exactly what my answer's first rule is doing... I'm giving up on your case, you seem to make no effort at all. – Xavier Lucas Mar 26 '15 at 17:48
I can not use nat, since the net address is not assemble by the server. – user504909 Mar 28 '15 at 03:01

how to change the special port output source address?

2 Answers2