I have a question about dstnat. We have a /28 network on our public interface and a nat'ed /16 on our private. I can get dstnat working from public numbers to private, but my question is whether I need to have a srcnat rule in addition for each server/service. I have several services served up on different public IPs that go to the same private IP/server. SMTP to a SPAM proxy is one. I would think it good to have the reply to a request come from the IP where the request was sent. Example:
srcnat:
10.4.x.x -> 144.92.249.226
dstnat:
144.92.249.226:25 -> 10.4.2.1:25
144.92.249.228:25 -> 10.4.2.21:25
In the above when traffic comes to 144.92.249.228:25 what IP does the response come from? .249.228 or .249.226? Do I need to add an IP number to the SMTP server (10.4.2.2) and then change the rule to look like this:
srcnat:
10.4.2.2 -> 144.92.249.228
10.4.x.x -> 144.92.249.226
dstnat:
144.92.249.226:25 -> 10.4.2.1:25
144.92.249.228:25 -> 10.4.2.2:25
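A small model of how a stateful NAT handles the poster's first rule set, added here as an illustration and not part of the original post or any RouterOS code. It uses the addresses and rules from the post; the external client 203.0.113.5 and the `Router` model are constructed for the example. It shows the two cases that decide the question: a reply to a dst-nat'ed connection is reversed from the connection-tracking entry, while src-nat is only consulted for a new connection the private host starts itself.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

# dstnat rules from the post: (public ip, port) -> (private ip, port)
DSTNAT = {("144.92.249.226", 25): ("10.4.2.1", 25),
          ("144.92.249.228", 25): ("10.4.2.21", 25)}

def srcnat(ip: str) -> str:
    # srcnat rule from the post's first config: 10.4.x.x -> 144.92.249.226
    return "144.92.249.226" if ip.startswith("10.4.") else ip

@dataclass
class Router:
    # connection-tracking table: original inbound flow -> translated flow
    conntrack: dict = field(default_factory=dict)

    def inbound(self, pkt: Flow):
        """Packet arriving on the public interface (new connection)."""
        target = DSTNAT.get((pkt.dst, pkt.dport))
        if target is None:
            return None                       # no dstnat rule, not forwarded
        translated = Flow(pkt.src, pkt.sport, target[0], target[1])
        self.conntrack[pkt] = translated      # remember both sides of the mapping
        return translated

    def outbound(self, pkt: Flow) -> Flow:
        """Packet from the private side heading to the public interface."""
        for orig, trans in self.conntrack.items():
            # is this the reverse direction of a tracked, dst-nat'ed connection?
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) == \
               (trans.dst, trans.dport, trans.src, trans.sport):
                # undo the dstnat: reply leaves from the public IP the client used
                return Flow(orig.dst, orig.dport, orig.src, orig.sport)
        # not a tracked reply: a new outbound connection, so the srcnat rule applies
        return Flow(srcnat(pkt.src), pkt.sport, pkt.dst, pkt.dport)

def demo():
    r = Router()
    client = Flow("203.0.113.5", 40000, "144.92.249.228", 25)  # constructed client
    inside = r.inbound(client)                                 # -> 10.4.2.21:25
    reply = r.outbound(Flow(inside.dst, inside.dport, inside.src, inside.sport))
    fresh = r.outbound(Flow("10.4.2.21", 50000, "198.51.100.9", 25))  # server-initiated
    return inside, reply, fresh
```

`demo()` returns the translated inbound flow, the reply as seen by the client (source 144.92.249.228), and a server-initiated SMTP connection (source 144.92.249.226 under the first config).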