I've been experimenting with getting a linux mail server (on a public IP)
to talk to a Kerberos realm (behind the firewall on a private IP) using
some iptables NAT tricks. So far I haven't had much success.

My iptables rules look something like this:
# drop Kerberos/UDP arriving on eth1 unless it comes from the mail server's MAC
iptables -A INPUT -i eth1 -p udp --dport 88 \
    -m mac ! --mac-source AA:BB:CC:DD:EE:FF -j DROP
# rewrite the destination of the mail server's Kerberos/UDP traffic to the KDC
iptables -t nat -A PREROUTING -p udp --dport 88 \
    -m mac --mac-source AA:BB:CC:DD:EE:FF -j DNAT --to XXX.XXX.XXX.XXX:88

So far I've come up with a few reasons why it isn't working:

a> I'm totally on the wrong path and need to be kicked down a new one.

b> firewall isn't getting the MAC address (the firewall and mail server
are both on the same public subnet)

c> I have to allow all Kerberos traffic, then deny all Kerberos traffic
not coming from the MAC address of the mail server.

d> iptables is mangling the packets so the KDC thinks they're coming from
the firewall, not the mail server.

e> the default forward policy isn't forwarding the UDP Kerberos traffic to
the mail server. (I'm pretty sure it should be however.)

Anyone done something similar or have any suggestions? This is my learn
iptables project, and I'm still doing a bit of fumbling for the light
switch. :)

| Andrew S. Zbikowski       | Home: 763.591.0977 |
| http://www.ringworld.org  | Work: 763.428.9119 |
| http://www.itouthouse.com | PCS:  612.306.6055 |
|   His power apparently lies in his ability to  |
|           choose incompetent enemies.          |
|    - Crow T. Robot, MST3K, "Prince of Space"   |
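As an added example (not the original poster's rules), the following script builds the full rule set for the setup described above: a mail server on the firewall's public-side interface, identified by its MAC address, whose Kerberos traffic is DNATed to a KDC on a private address. It keeps the interface name eth1 and the MAC from the post, but the KDC address 10.0.0.5 is a placeholder, and it assumes (as the post states) that the mail server sits on the same Ethernet segment as eth1, since the MAC match only ever sees the last-hop MAC. Beyond the two rules in the post it also covers the FORWARD chain, which a DNATed packet traverses instead of INPUT, the conntrack rule that lets the KDC's reply back out, TCP 88 alongside UDP 88, and an optional SNAT toward the KDC.

```shell
#!/bin/sh
# Added example (not the original poster's rules): complete iptables rule set
# for forwarding Kerberos (port 88) from one public-side mail server, identified
# by its MAC address, to a KDC on a private address behind the firewall.
# Assumptions: the mail server is on the same Ethernet segment as WAN_IF
# (the MAC match only sees the last-hop MAC), and the KDC routes its replies
# back through this firewall unless SNAT_TO_KDC=yes. KDC_IP is a placeholder.
set -eu

WAN_IF="${WAN_IF:-eth1}"                    # public interface, as in the post
MAIL_MAC="${MAIL_MAC:-AA:BB:CC:DD:EE:FF}"   # mail server's MAC, as in the post
KDC_IP="${KDC_IP:-10.0.0.5}"                # placeholder private KDC address
SNAT_TO_KDC="${SNAT_TO_KDC:-no}"            # "yes": make the KDC reply to the firewall
IPT="${IPT:-iptables}"                      # set IPT="echo iptables" for a dry run

# Every rule goes through here, so a dry run prints exactly what would run.
rule() { $IPT "$@"; }

kdc_nat_rules() {
    # 1. Replies: conntrack reverses the DNAT on the KDC's answer; this one
    #    rule lets the answer (and any RELATED ICMP) back out to the mail server.
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Kerberos uses UDP 88 and falls back to TCP 88 for large replies (RFC 4120).
    for proto in udp tcp; do
        # 2. nat/PREROUTING: rewrite the destination of port-88 packets that
        #    arrive on WAN_IF from the mail server's MAC. Only the destination
        #    changes; the KDC still sees the mail server's public source IP.
        rule -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport 88 \
             -m mac --mac-source "$MAIL_MAC" \
             -j DNAT --to-destination "$KDC_IP:88"

        # 3. filter/FORWARD: after DNAT the packet is routed, not delivered
        #    locally, so it passes FORWARD (not INPUT). Accept it only from the
        #    mail server's MAC and drop any other port-88 traffic to the KDC.
        rule -A FORWARD -i "$WAN_IF" -p "$proto" -d "$KDC_IP" --dport 88 \
             -m mac --mac-source "$MAIL_MAC" -j ACCEPT
        rule -A FORWARD -p "$proto" -d "$KDC_IP" --dport 88 -j DROP

        # 4. filter/INPUT: port 88 aimed at the firewall itself from anyone but
        #    the mail server is dropped (the mail server's own packets were
        #    already DNATed away in PREROUTING and never reach INPUT).
        rule -A INPUT -i "$WAN_IF" -p "$proto" --dport 88 \
             -m mac ! --mac-source "$MAIL_MAC" -j DROP
    done

    # 5. Optional: masquerade toward the KDC so it answers the firewall even if
    #    its default route does not point here. Cost: the KDC's logs show the
    #    firewall's address instead of the mail server's.
    if [ "$SNAT_TO_KDC" = "yes" ]; then
        rule -t nat -A POSTROUTING -d "$KDC_IP" -p udp --dport 88 -j MASQUERADE
        rule -t nat -A POSTROUTING -d "$KDC_IP" -p tcp --dport 88 -j MASQUERADE
    fi
}

# DNATed packets only move if the kernel forwards at all.
enable_forwarding() { sysctl -w net.ipv4.ip_forward=1; }

# "sh kdc-nat.sh apply" runs the real commands; anything else is a dry run.
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
else
    IPT="echo iptables"
fi
kdc_nat_rules
```

Run it without arguments first to see the nine rules it would install (eleven with SNAT_TO_KDC=yes), then with `apply` as root. The two things to verify on the firewall afterwards are `cat /proc/sys/net/ipv4/ip_forward` and `conntrack -L -p udp --dport 88` (or `iptables -t nat -L -v`) while the mail server talks to the KDC: the DNAT rule's packet counter climbing with no matching FORWARD accept counter is the symptom of a forwarding-path problem rather than a NAT one.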