DNAT only for specific IPs
I've been having major problems with my ISP's SMTP relays (both of the ISPs have started silently dropping mail that matches some random filter they won't tell me about…) at a couple of offices I manage. What I've done is obtain a VPS to act as a private mail relay for my client. What I'd like to do with pfSense is DNAT just the ISP's SMTP relay servers to my new relay on a different port.
Currently I have a port forward rule redirecting all port 25 traffic to my relay, but I am concerned that an infected client machine with a spam bot would be able to relay any mail it wants since it can connect to any host on port 25 and reach a server that will relay mail for it. Instead, I would like to set up a DNAT rule that looks at both the destination port and IP before NATing it to my relay. Is this possible with pfSense?
You could, but maybe try this instead (I had the exact same issue as you). On my VPS (Linode), I installed a stripped-down Postfix SMTP server. I set my real mail server behind pfSense to use the VPS as a smart relay. To prevent it being used as an open relay, it only accepts authenticated clients, which my real Postfix server is. I am not worried about infected bots like you, but if that is a concern, you could set an outbound rule that blocks SMTP to anywhere but the VPS.
My problem is similar,
I need to do DNAT on port 80 to a squid proxy (thereby making it transparent to the end users). But only for a specific IP.
Both the squid server and the 'end users' are on the LAN subnet.
Is this possible? In Linux iptables you would just DNAT…
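Added example, not posted by anyone in this thread: both questions come down to a DNAT rule that matches on an IP address as well as the port, so here is a Linux iptables rule set that does that for the two cases above. The first case redirects port 25 only when the destination is one of the ISP relays and rejects any other outbound SMTP, so an infected host cannot reach an arbitrary mail server; the second redirects port 80 only from specific source IPs to a squid box on the same LAN segment. All interface names, addresses and ports are constructed placeholders, and `DRY_RUN=1` (the default) prints the commands instead of applying them. The same matching is available in pfSense's port-forward form, where the Destination field can hold an alias of the ISP relay addresses rather than "any".

```shell
#!/bin/sh
# Added example: DNAT that matches on specific IPs, not only on the port.
# Every address, interface and port below is a constructed placeholder.
set -eu

LAN_IF="eth0"
LAN_NET="192.168.1.0/24"
ISP_RELAYS="203.0.113.25 198.51.100.25"   # the ISP SMTP relays to redirect (constructed)
VPS_RELAY="192.0.2.10"                     # private relay on the VPS (constructed)
VPS_PORT="2525"                            # relay listens on a non-standard port
PROXY_CLIENTS="192.168.1.50 192.168.1.51"  # only these LAN hosts get the transparent proxy
SQUID_IP="192.168.1.5"                     # squid sits on the same subnet as the clients
SQUID_PORT="3128"
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print rules only; DRY_RUN=0 applies them (needs root)

# Print the command when dry-running, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Case 1: redirect port 25 only when the DESTINATION is one of the ISP relays.
# DNAT happens in PREROUTING, so the -d match is against the original
# destination the client asked for. Any other outbound SMTP is rejected;
# in a real ruleset these FORWARD rules must sit ahead of any general ACCEPT.
smtp_rules() {
  for relay in $ISP_RELAYS; do
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
      -d "$relay" -p tcp --dport 25 -j DNAT --to-destination "$VPS_RELAY:$VPS_PORT"
  done
  # The rewritten flows now carry the VPS address and port; allow only those.
  run iptables -A FORWARD -i "$LAN_IF" -d "$VPS_RELAY" -p tcp --dport "$VPS_PORT" -j ACCEPT
  # Everything else still addressed to port 25 (a bot talking to a random MX) is cut off.
  run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 25 -j REJECT --reject-with tcp-reset
}

# Case 2: transparent proxy for specific SOURCE IPs, with squid on the client
# subnet. After DNAT alone, squid would answer the client directly from its own
# address, and the client drops replies from an IP it never connected to. The
# MASQUERADE in POSTROUTING rewrites the source to the firewall's LAN address
# so squid's replies come back through the firewall and get un-NATed.
proxy_rules() {
  for client in $PROXY_CLIENTS; do
    # "! -d $SQUID_IP" leaves traffic already addressed to the proxy alone.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$client" ! -d "$SQUID_IP" \
      -p tcp --dport 80 -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
  done
  run iptables -t nat -A POSTROUTING -o "$LAN_IF" -d "$SQUID_IP" \
    -p tcp --dport "$SQUID_PORT" -j MASQUERADE
}

# Default run: print the generated rules so they can be reviewed before applying.
smtp_rules
proxy_rules
```

Squid itself must be told that connections arrive this way (an `intercept` option on its `http_port` line), otherwise it treats them as malformed proxy requests; and the MASQUERADE hides the real client address from squid's logs, which is the price of keeping the proxy on the same subnet instead of behind a separate interface.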