Old 01-17-2008, 12:30 PM
"ankush grover"
 
Default need help in configuring iptables for smtp traffic

Hi Friends,


I am running fedora core 5 64-bit on a Dell server. I am trying to configure iptables for smtp traffic for which I need some help/guidance.

The scenario is like this:

On a linux box we have 3 public ips (eth1, eth2 and eth3) and 1 LAN IP (eth0). 2 public IPs are from the same service provider and 1 is from a different service provider. eth3 and eth2 are from the same public provider but currently we are using only the eth2 public ip. There is a script which load balances the Internet Connection to both the Service providers through ip rule



ip rule add from $publicip1 table 1
ip rule add from $publicip2 table 2

ip route add default scope global nexthop via $publicip1 dev eth1 weight 2 nexthop via $publicip2 dev eth2 weight 6

The problem we are facing is that we have 2 mx exchangers in our domain. Both the exchangers receive/send the mails from the public ip like

mx1 will receive/send mails through eth1 (another service provider)
mx2 will receive/send mails through eth2 (another service provider)

Accepting mails from public ip
iptables -A INPUT -p tcp -d $publicip1 --dport 25 -j ACCEPT




Natting rules
iptables -A FORWARD -p tcp -d $smtpserver1 --dport 25 -j ACCEPT

iptables -t nat -A PREROUTING -d $publicip1 -p tcp --dport 25 -j DNAT --to $smtpserver1:25


Sending mails from smtpserver1 to publicip1


iptables -t nat -A POSTROUTING -s $smtpserver1 -d 0/0 -o eth1 -j SNAT --to-source $publicip1

route add $smtpserver1 netmask 255.255.255.255 gw $publicip1
route add $publicip1 gw $gw1



Some more iptables rules which ban sending mails from different vlans/lans directly to public ips (both 1 and 2)
$IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP


$IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP



$IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip3 --dport $SMTP -j DROP


Same rules we have for publicip2.

But still we are not able to send emails from the $smtpserver running in the local lan to outside. Our requirement is like this: smtpserver1 which is running postfix should only send/receive emails through publicip1 and smtpserver2 which is also running postfix should send/receive mails through publicip2.


We are able to receive emails on both the public ips on the respective smtp servers but when we are sending emails to the outside world it is sometimes going through both the public ips from a single smtp server.



Any suggestions/comments are most welcome


Thanks & Regards

Ankush Grover

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 01-17-2008, 03:41 PM
"ankush grover"
 
Default need help in configuring iptables for smtp traffic

Hi Friends,


I am running Centos 5 64-bit on a Dell server. I am trying to configure
iptables for smtp traffic for which I need some help/guidance.

The scenario is like this:

On a linux box we have 3 public ips (eth1, eth2 and eth3) and 1 LAN
IP (eth0). 2 public IPs are from the same service provider and 1 is
from a different service provider. eth3 and eth2 are from the same
public provider but currently we are using only the eth2 public ip. There
is a script which load balances the Internet Connection to both the
Service providers through ip rule


ip rule add from $publicip1 table 1
ip rule add from $publicip2 table 2

ip route add default scope global nexthop via $publicip1 dev eth1
weight 2 nexthop via $publicip2 dev eth2 weight 6

The problem we are facing is that we have 2 mx exchangers in our
domain. Both the exchangers receive/send the mails from the public
ip like

mx1 will receive/send mails through eth1 (another service provider)
mx2 will receive/send mails through eth2 (another service provider)


Accepting mails from public ip
iptables -A INPUT -p tcp -d $publicip1 --dport 25 -j ACCEPT



Natting rules
iptables -A FORWARD -p tcp -d $smtpserver1 --dport 25 -j ACCEPT

iptables -t nat -A PREROUTING -d $publicip1 -p tcp --dport 25 -j DNAT
--to $smtpserver1:25


Sending mails from smtpserver1 to publicip1

iptables -t nat -A POSTROUTING -s $smtpserver1 -d 0/0 -o eth1 -j SNAT
--to-source $publicip1

route add $smtpserver1 netmask 255.255.255.255 gw $publicip1
route add $publicip1 gw $gw1


Some more iptables rules which ban sending mails from different
vlans/lans directly to public ips (both 1 and 2)
$IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP


$IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP


$IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip1 --dport $SMTP -j DROP


Same rules we have for publicip2.

But still we are not able to send emails from the $smtpserver running
in the local lan to outside. Our requirement is like this: smtpserver1
which is running postfix should only send/receive emails through
publicip1 and smtpserver2 which is also running postfix should
send/receive mails through publicip2.

We are able to receive emails on both the public ips on the respective
smtp servers but when we are sending emails to the outside world it is
sometimes going through both the public ips from a single smtp server.


Any suggestions/comments are most welcome


Thanks & Regards

Ankush Grover
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 01-17-2008, 11:17 PM
John Summerfield
 
Default need help in configuring iptables for smtp traffic

ankush grover wrote:

> Any suggestions/comments are most welcome


1. Post in plain text only.
2. Install and configure shorewall; your firewall rules are way too
complicated for my feeble brain. OTOH my firewall rules, done in
shorewall, are way more complicated than yours.


The shorewall website has its own list for those needing help, and the
docs on the website are quite good.



--

Cheers
John

-- spambait
1aaaaaaa@coco.merseine.nu Z1aaaaaaa@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 01-18-2008, 11:45 AM
"Alain Spineux"
 
Default need help in configuring iptables for smtp traffic

On Jan 17, 2008 5:41 PM, ankush grover <ankushcentos@gmail.com> wrote:
> Hi Friends,
>
>
> I am running Centos 5 64-bit on a Dell sever. I am trying to configure
> iptables for smtp traffic for which I need some help/guidance.
>
> The scenario is like this:
>
> On a linux box we have 3 public ips(eth1,eth2 and eth3) and 1 LAN
> IP(eth0). 2 public IPs are from the same service provider and 1 is
> from different service provider. eth3 and eth2 are from the same
> public provider but currently we are using only eth2 public ip There
> is a script which load balances the Internet Connection to both the
> Service providers through ip rule
>
>
> ip rule add from $publicip1 table 1
> ip rule add from $publicip2 table 2
>
> ip route add default scope global nexthop via $publicip1 dev eth1
> weight 2 nexthop via $publicip2 dev eth2 weight 6

My understanding is:
You are load balancing your outgoing traffic....

>
> The problem we are facing is that we have 2 mx exchangers in our
> domain. Both the exchangers receives/sends the mails from the public
> ip like
>
> mx1 will receive/sends mails through eth1 (another service provider)
> mx2 will receive/sends mails through eth2 (another service provider)
>
>
> Accepting mails from public ip
> iptables -A INPUT -p tcp -d $publicip1 --dport 25 -j ACCEPT
>
>
>
> Natting rules
> iptables -A FORWARD -p tcp -d $smtpserver1 --dport 25 -j ACCEPT
>
> iptables -t nat -A PREROUTING -d $publicip1 -p tcp --dport 25 -j DNAT
> --to $smtpserver1:25
>
>
> Sending mails from smtpserver1 to publicip1
>
> iptables -t nat -A POSTROUTING -s $smtpserver1 -d 0/0 -o eth1 -j SNAT
> --to-source $publicip1
>
> route add $smtpserver1 netmask 255.255.255.255 gw $publicip1
> route add $publicip1 gw $gw1

You are trying to force the GW for smtpserver1, but ....

>
>
> Some more iptables rules which ban sending mails from different
> vlans/lans directly to public ips (both 1 and 2)
> $IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP
>
>
> $IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP
>
>
> $IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip1 --dport $SMTP -j DROP
>
>
> Same rules we have for publicip2.
>
> But still we are not able to send emails from the $smtpserver running
> in the local lan to outside. Our requirement is like this smtpserver1
> which is running postfix should only send/receive emails through
> publicip1 and smtpserver2 which is also running postfix should
> sends/receive mails through publicip2.
>
> We are able to receive emails both the public ips on the respective
> smtp servers but when we are sending emails to outside world it is
> sometimes going through both the public ips from a single smtp server.

... it doesn't work.

I had a similar problem.
I have created rules in the mangle INPUT table to 'mark' packets, for example:

0 for packet that must be load balanced
1 for packet that must go through first ISP
2 .... for the second ISP

Then in my routing rules, I use the mark to use one or another routing table.

Regards

>
>
> Any suggestions/comments are most welcome
>
>
> Thanks & Regards
>
> Ankush Grover
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



--
Alain Spineux
aspineux gmail com
May the sources be with you
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 01-20-2008, 07:54 AM
"ankush grover"
 
Default need help in configuring iptables for smtp traffic

Hi Alain,

Thanks for replying to my question.
>
> My understandin is:
> You are load balancing your outgoing traffic....

Yes, load balancing outgoing traffic
> >
> > route add $smtpserver1 netmask 255.255.255.255 gw $publicip1
> > route add $publicip1 gw $gw1
>
> You are trying to force the GW for smtpserver1, but ....
>
Yes, we are trying to force the gateway for smtpserver1 and
smtpserver2, as both the smtpservers will go through specified ISPs.

> > Some more iptables rules which ban sending mails from different
> > vlans/lans directly to public ips (both 1 and 2)
> > $IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP
> >
> >
> > $IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP
> >
> >
> > $IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip1 --dport $SMTP -j DROP
> >
> >
> > Same rules we have for publicip2.
> >
> > But still we are not able to send emails from the $smtpserver running
> > in the local lan to outside. Our requirement is like this smtpserver1
> > which is running postfix should only send/receive emails through
> > publicip1 and smtpserver2 which is also running postfix should
> > sends/receive mails through publicip2.
> >
> > We are able to receive emails both the public ips on the respective
> > smtp servers but when we are sending emails to outside world it is
> > sometimes going through both the public ips from a single smtp server.
>
> ... it doesn't work.
>
> I had a similar problem.
> I have create rules in the mangle INPUT table to 'mark' packets , for example:
>
> 0 for packet that must be load balanced
> 1 for packet that must go through first ISP
> 2 .... for the second ISP
>
> Then in my routing rules, I use the mark to use one or another routing table.
>

Can you mail me an example? That will be very helpful for me.


Thanks & Regards

Ankush
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 01-20-2008, 11:29 AM
"Alain Spineux"
 
Default need help in configuring iptables for smtp traffic

On Jan 20, 2008 9:54 AM, ankush grover <ankushcentos@gmail.com> wrote:
> Hi Alain,
>
> Thanks for replying to my question.
> >
> > My understandin is:
> > You are load balancing your outgoing traffic....
>
> Yes, load balancing outgoing traffic
> > >
> > > route add $smtpserver1 netmask 255.255.255.255 gw $publicip1
> > > route add $publicip1 gw $gw1
> >
> > You are trying to force the GW for smtpserver1, but ....
> >
> Yes, we are trying to the force the gateway for smtpserver1 and
> smtpserver2 . As both the smtpservers will go through specified ISPs.
>
> > > Some more iptables rules which ban sending mails from different
> > > vlans/lans directly to public ips (both 1 and 2)
> > > $IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP
> > >
> > >
> > > $IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP
> > >
> > >
> > > $IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip1 --dport $SMTP -j DROP
> > >
> > >
> > > Same rules we have for publicip2.
> > >
> > > But still we are not able to send emails from the $smtpserver running
> > > in the local lan to outside. Our requirement is like this smtpserver1
> > > which is running postfix should only send/receive emails through
> > > publicip1 and smtpserver2 which is also running postfix should
> > > sends/receive mails through publicip2.
> > >
> > > We are able to receive emails both the public ips on the respective
> > > smtp servers but when we are sending emails to outside world it is
> > > sometimes going through both the public ips from a single smtp server.
> >
> > ... it doesn't work.
> >
> > I had a similar problem.
> > I have create rules in the mangle INPUT table to 'mark' packets , for example:
> >
> > 0 for packet that must be load balanced
> > 1 for packet that must go through first ISP
> > 2 .... for the second ISP
> >
> > Then in my routing rules, I use the mark to use one or another routing table.
> >
>
> Can you mail me an example that will be very helpful for me.

Sorry, I don't have these configs anymore.

Here are some hints I can remember (without looking up the correct syntax
in the doc):

# create the routing tables (one default route per ISP, "via" its gateway;
# $gw1/$gw2 are the two ISP gateways as in your route commands)
ip route add default via $gw1 dev eth1 table 1
ip route add default via $gw2 dev eth2 table 2

# redirect to the correct table regarding the mark
ip rule add fwmark 1 table 1
ip rule add fwmark 2 table 2

# to set the mark
iptables -t mangle -A PREROUTING $YOURCONDITION[1..n] -j MARK --set-mark [012]

I was not using dynamic balancing like you but static balancing
depending on the source IP.

Hope this helps
regards






>
>
> Thanks & Regards
>
> Ankush
>



--
Alain Spineux
aspineux gmail com
May the sources be with you
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
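A worked version of Alain's fwmark approach applied to Ankush's two-server setup, as an added example that is not code from the thread. All addresses, gateways and interface names below are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: pin each internal SMTP server to one ISP
# with fwmark-based policy routing. Every address and interface name here is an
# assumed placeholder; substitute your own.
LAN_IF=eth0
ISP1_IF=eth1; PUBLICIP1=203.0.113.10; GW1=203.0.113.1
ISP2_IF=eth2; PUBLICIP2=198.51.100.10; GW2=198.51.100.1
SMTPSERVER1=192.168.1.25
SMTPSERVER2=192.168.1.26

# Emit the commands instead of running them, so the plan can be reviewed first.
gen_rules() {
    # One routing table per ISP; the firewall mark selects the table.
    echo "ip route add default via $GW1 dev $ISP1_IF table 1"
    echo "ip route add default via $GW2 dev $ISP2_IF table 2"
    echo "ip rule add fwmark 1 table 1"
    echo "ip rule add fwmark 2 table 2"
    echo "ip route flush cache"
    # Mark ALL traffic from each mail server as it enters on the LAN side (static
    # per-source balancing). Marking by source, not by --dport 25, also steers the
    # replies to inbound mail; unmarked hosts keep the load-balanced default route.
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -s $SMTPSERVER1 -j MARK --set-mark 1"
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -s $SMTPSERVER2 -j MARK --set-mark 2"
    # Inbound DNAT plus the matching SNAT on the same ISP interface, so mail from
    # a server always carries that server's own public IP.
    for pair in "$PUBLICIP1 $SMTPSERVER1 $ISP1_IF" "$PUBLICIP2 $SMTPSERVER2 $ISP2_IF"; do
        set -- $pair
        echo "iptables -t nat -A PREROUTING -d $1 -p tcp --dport 25 -j DNAT --to-destination $2:25"
        echo "iptables -A FORWARD -p tcp -d $2 --dport 25 -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -s $2 -o $3 -j SNAT --to-source $1"
    done
}

# Self-check: print "<mark> <snat interface>" chosen for an internal server IP;
# both must name the same ISP or mail would leave with the wrong source address.
egress_for() {
    mark=$(gen_rules | grep -- "-s $1 -j MARK" | sed 's/.*--set-mark //')
    iface=$(gen_rules | grep -- "-s $1 -o" | sed 's/.*-o \([^ ]*\).*/\1/')
    echo "$mark $iface"
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_rules | while read -r cmd; do eval "$cmd"; done   # apply for real (as root)
else
    gen_rules                                             # dry run: only print
fi
```

Run as root with APPLY=1 to apply the rules; without it the script only prints them. Numeric tables 1 and 2 need no entry in /etc/iproute2/rt_tables.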
 
