I've been experimenting with getting a Linux mail server (on a public IP) to talk to a Kerberos realm (behind the firewall on a private IP) using some iptables NAT tricks. So far I haven't had much success. My iptables rules look something like this:

  iptables -A INPUT -i eth1 -p udp --dport 88 -m mac ! --mac-source AA:BB:CC:DD:EE:FF -j DROP
  iptables -t nat -A PREROUTING -p udp --dport 88 -m mac --mac-source AA:BB:CC:DD:EE:FF -j DNAT --to XXX.XXX.XXX.XXX:88

So far I've come up with a few reasons why it isn't working:

a> I'm totally on the wrong path and need to be kicked down a new one.
b> The firewall isn't getting the MAC address (the firewall and mail server are both on the same public subnet).
c> I have to allow all Kerberos traffic, then deny all Kerberos traffic not coming from the MAC address of the mail server.
d> iptables is mangling the packets so the KDC thinks they're coming from the firewall, not the mail server.
e> The default forward policy isn't forwarding the UDP Kerberos traffic to the mail server. (I'm pretty sure it should be, however.)

Anyone done something similar or have any suggestions? This is my learn-iptables project, and I'm still doing a bit of fumbling for the light switch. :)

| Andrew S. Zbikowski       | Home: 763.591.0977 |
| http://www.ringworld.org  | Work: 763.428.9119 |
| http://www.itouthouse.com | PCS: 612.306.6055  |
| His power apparently lies in his ability to    |
| choose incompetent enemies.                    |
| - Crow T. Robot, MST3K, "Prince of Space"      |
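As an added example (not part of the original post, and not the poster's own rules), the script below generates a complete iptables rule set for the setup described above: one trusted mail server on the public side of the firewall reaching a KDC on the private side. It shows the three pieces such a forward needs and that a DNAT rule alone does not provide: the destination rewrite in nat/PREROUTING, explicit FORWARD accepts for the post-DNAT destination (DNATed packets traverse FORWARD, not INPUT, so an INPUT rule never sees them), and a return path for replies. The IP addresses, interface names and the function name are placeholders chosen for the example, not values from the post.

```shell
#!/bin/sh
# Added example, not the original poster's configuration.
# Emit the iptables rules that forward Kerberos (UDP and TCP port 88; Kerberos
# falls back to TCP for replies that do not fit in a UDP datagram) from one
# trusted mail server on the public side to a KDC on the private side.
#
# Usage: kerberos_nat_rules <mail-server-public-ip> <kdc-private-ip> <ext-if> <int-if>
# The rules are printed, not applied; review them and pipe to sh as root to apply.
# All addresses and interface names passed in are assumptions for the example.
kerberos_nat_rules() {
    mail="$1"; kdc="$2"; ext="$3"; int="$4"
    cat <<EOF
# 1. Refuse Kerberos traffic arriving on the public interface from anyone but
#    the mail server, both for the firewall itself (INPUT) and for anything it
#    would forward (FORWARD). Matching on the source IP works across routers;
#    a -m mac match only sees the sender's MAC when it is on the same segment.
iptables -A INPUT   -i $ext -p udp --dport 88 ! -s $mail -j DROP
iptables -A INPUT   -i $ext -p tcp --dport 88 ! -s $mail -j DROP
iptables -A FORWARD -i $ext -p udp --dport 88 ! -s $mail -j DROP
iptables -A FORWARD -i $ext -p tcp --dport 88 ! -s $mail -j DROP
# 2. Rewrite the destination to the KDC's private address. DNAT changes only the
#    destination; the source stays the mail server's address, so the KDC sees the
#    mail server, not the firewall, and its replies are un-NATed by conntrack as
#    long as they route back through this firewall.
iptables -t nat -A PREROUTING -i $ext -s $mail -p udp --dport 88 -j DNAT --to-destination $kdc:88
iptables -t nat -A PREROUTING -i $ext -s $mail -p tcp --dport 88 -j DNAT --to-destination $kdc:88
# 3. The filter table sees the packet after DNAT, so FORWARD must accept
#    mail-server -> KDC on port 88 and the KDC's replies going back out.
iptables -A FORWARD -i $ext -o $int -s $mail -d $kdc -p udp --dport 88 -j ACCEPT
iptables -A FORWARD -i $ext -o $int -s $mail -d $kdc -p tcp --dport 88 -j ACCEPT
iptables -A FORWARD -i $int -o $ext -s $kdc -d $mail -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# When run directly with four arguments, print the rule set for those values.
if [ "$#" -eq 4 ]; then
    kerberos_nat_rules "$@"
fi
```

Two things to check on the firewall itself before applying the output: IP forwarding must be on (`sysctl net.ipv4.ip_forward` should report 1), and the KDC's route back to the mail server's public address must go through this firewall, otherwise the replies bypass the NAT table and arrive at the mail server with the KDC's private source address. Matching on the source IP rather than the MAC keeps the rules valid if the mail server is ever moved behind a router, and it is just as cheap for a sender on the same segment to forge either one, so a second `-m mac --mac-source` condition can be added on top but should not replace the IP match.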