need help in configuring iptables for smtp traffic
Hi Friends,
I am running fedora core 5 64-bit on a Dell sever. I am trying to configure iptables for smtp traffic for which I need some help/guidance.
The scenario is like this:
*On a linux box we have 3 public ips(eth1,eth2 and eth3) and 1 LAN IP(eth0). 2 public IPs are from the same service provider and 1 is from different service provider. eth3 and eth2 are from the same public provider but currently we are using only eth2 public ip There is a script which load balances the Internet Connection to both the Service providers through ip rule
ip rule add from $publicip1 table 1
ip rule add from $publicip2 table 2
ip route add default scope global nexthop via $publicip1 dev eth1 weight 2 nexthop via $publicip2 dev eth2 weight 6
The problem we are facing is that we have 2 mx exchangers in our domain. Both the exchangers receives/sends the mails from the public ip like
mx1 will receive/sends mails through eth1* (another service provider)
mx2 will receive/sends mails through eth2* (another service provider)
*
Accepting mails from public ip
iptables -A INPUT -p tcp -d $publicip1 --dport 25 -j ACCEPT
Some more iptables rules which ban sending mails from different vlans/lans directly to public ips (both 1 and 2)
$IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP
$IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP
$IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip3 --dport $SMTP -j DROP
Same rules we have for publicip2.
But still we are not able to send emails from the $smtpserver running in the local lan to outside. Our requirement is like this smtpserver1 which is running postfix should only send/receive emails through publicip1 and smtpserver2 which is also running postfix should sends/receive mails through publicip2.
We are able to receive emails both the public ips on the respective smtp servers but when we are sending emails to outside world it is sometimes going through both the public ips from a single smtp server.
Any suggestions/comments are most welcome
Thanks & Regards
Ankush Grover
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
01-17-2008, 03:41 PM
"ankush grover"
need help in configuring iptables for smtp traffic
Hi Friends,
I am running Centos 5 64-bit on a Dell sever. I am trying to configure
iptables for smtp traffic for which I need some help/guidance.
The scenario is like this:
On a linux box we have 3 public ips(eth1,eth2 and eth3) and 1 LAN
IP(eth0). 2 public IPs are from the same service provider and 1 is
from different service provider. eth3 and eth2 are from the same
public provider but currently we are using only eth2 public ip There
is a script which load balances the Internet Connection to both the
Service providers through ip rule
ip rule add from $publicip1 table 1
ip rule add from $publicip2 table 2
ip route add default scope global nexthop via $publicip1 dev eth1
weight 2 nexthop via $publicip2 dev eth2 weight 6
The problem we are facing is that we have 2 mx exchangers in our
domain. Both the exchangers receives/sends the mails from the public
ip like
mx1 will receive/sends mails through eth1 (another service provider)
mx2 will receive/sends mails through eth2 (another service provider)
Accepting mails from public ip
iptables -A INPUT -p tcp -d $publicip1 --dport 25 -j ACCEPT
Some more iptables rules which ban sending mails from different
vlans/lans directly to public ips (both 1 and 2)
$IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP
$IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP
$IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip1 --dport $SMTP -j DROP
Same rules we have for publicip2.
But still we are not able to send emails from the $smtpserver running
in the local lan to outside. Our requirement is like this smtpserver1
which is running postfix should only send/receive emails through
publicip1 and smtpserver2 which is also running postfix should
sends/receive mails through publicip2.
We are able to receive emails both the public ips on the respective
smtp servers but when we are sending emails to outside world it is
sometimes going through both the public ips from a single smtp server.
Any suggestions/comments are most welcome
Thanks & Regards
Ankush Grover
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
01-17-2008, 11:17 PM
John Summerfield
need help in configuring iptables for smtp traffic
ankush grover wrote:
Any suggestions/comments are most welcome
1. Post in plain text only.
2. Install and configure shorewall; your firewall rules are way too
complicated for my feeble brain. OTOH my firewall rules, done in
shorewall, is way more complicated than yours.
The shorewall website has its own list for those needing help, and the
docs on the website are quite good.
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
01-18-2008, 11:45 AM
"Alain Spineux"
need help in configuring iptables for smtp traffic
On Jan 17, 2008 5:41 PM, ankush grover <ankushcentos@gmail.com> wrote:
> Hi Friends,
>
>
> I am running Centos 5 64-bit on a Dell sever. I am trying to configure
> iptables for smtp traffic for which I need some help/guidance.
>
> The scenario is like this:
>
> On a linux box we have 3 public ips(eth1,eth2 and eth3) and 1 LAN
> IP(eth0). 2 public IPs are from the same service provider and 1 is
> from different service provider. eth3 and eth2 are from the same
> public provider but currently we are using only eth2 public ip There
> is a script which load balances the Internet Connection to both the
> Service providers through ip rule
>
>
> ip rule add from $publicip1 table 1
> ip rule add from $publicip2 table 2
>
> ip route add default scope global nexthop via $publicip1 dev eth1
> weight 2 nexthop via $publicip2 dev eth2 weight 6
My understandin is:
You are load balancing your outgoing traffic....
>
> The problem we are facing is that we have 2 mx exchangers in our
> domain. Both the exchangers receives/sends the mails from the public
> ip like
>
> mx1 will receive/sends mails through eth1 (another service provider)
> mx2 will receive/sends mails through eth2 (another service provider)
>
>
> Accepting mails from public ip
> iptables -A INPUT -p tcp -d $publicip1 --dport 25 -j ACCEPT
>
>
>
> Natting rules
> iptables -A FORWARD -p tcp -d $smtpserver1 --dport 25 -j ACCEPT
>
> iptables -t nat -A PREROUTING -d $publicip1 -p tcp --dport 25 -j DNAT
> --to $smtpserver1:25
>
>
> Sending mails from smtpserver1 to publicip1
>
> iptables -t nat -A POSTROUTING -s $smtpserver1 -d 0/0 -o eth1 -j SNAT
> --to-source $publicip1
>
> route add $smtpserver1 netmask 255.255.255.255 gw $publicip1
> route add $publicip1 gw $gw1
You are trying to force the GW for smtpserver1, but ....
>
>
> Some more iptables rules which ban sending mails from different
> vlans/lans directly to public ips (both 1 and 2)
> $IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP
>
>
> $IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP
>
>
> $IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip1 --dport $SMTP -j DROP
>
>
> Same rules we have for publicip2.
>
> But still we are not able to send emails from the $smtpserver running
> in the local lan to outside. Our requirement is like this smtpserver1
> which is running postfix should only send/receive emails through
> publicip1 and smtpserver2 which is also running postfix should
> sends/receive mails through publicip2.
>
> We are able to receive emails both the public ips on the respective
> smtp servers but when we are sending emails to outside world it is
> sometimes going through both the public ips from a single smtp server.
... it doesn't work.
I had a similar problem.
I have create rules in the mangle INPUT table to 'mark' packets , for example:
0 for packet that must be load balanced
1 for packet that must go through first ISP
2 .... for the second ISP
Then in my routing rules, I use the mark to use one or another routing table.
Regards
>
>
> Any suggestions/comments are most welcome
>
>
> Thanks & Regards
>
> Ankush Grover
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
--
Alain Spineux
aspineux gmail com
May the sources be with you
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
01-20-2008, 07:54 AM
"ankush grover"
need help in configuring iptables for smtp traffic
Hi Alain,
Thanks for replying to my question.
>
> My understandin is:
> You are load balancing your outgoing traffic....
Yes, load balancing outgoing traffic
> >
> > route add $smtpserver1 netmask 255.255.255.255 gw $publicip1
> > route add $publicip1 gw $gw1
>
> You are trying to force the GW for smtpserver1, but ....
>
Yes, we are trying to the force the gateway for smtpserver1 and
smtpserver2 . As both the smtpservers will go through specified ISPs.
> > Some more iptables rules which ban sending mails from different
> > vlans/lans directly to public ips (both 1 and 2)
> > $IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP
> >
> >
> > $IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP
> >
> >
> > $IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip1 --dport $SMTP -j DROP
> >
> >
> > Same rules we have for publicip2.
> >
> > But still we are not able to send emails from the $smtpserver running
> > in the local lan to outside. Our requirement is like this smtpserver1
> > which is running postfix should only send/receive emails through
> > publicip1 and smtpserver2 which is also running postfix should
> > sends/receive mails through publicip2.
> >
> > We are able to receive emails both the public ips on the respective
> > smtp servers but when we are sending emails to outside world it is
> > sometimes going through both the public ips from a single smtp server.
>
> ... it doesn't work.
>
> I had a similar problem.
> I have create rules in the mangle INPUT table to 'mark' packets , for example:
>
> 0 for packet that must be load balanced
> 1 for packet that must go through first ISP
> 2 .... for the second ISP
>
> Then in my routing rules, I use the mark to use one or another routing table.
>
Can you mail me an example that will be very helpful for me.
Thanks & Regards
Ankush
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
01-20-2008, 11:29 AM
"Alain Spineux"
need help in configuring iptables for smtp traffic
On Jan 20, 2008 9:54 AM, ankush grover <ankushcentos@gmail.com> wrote:
> Hi Alain,
>
> Thanks for replying to my question.
> >
> > My understandin is:
> > You are load balancing your outgoing traffic....
>
> Yes, load balancing outgoing traffic
> > >
> > > route add $smtpserver1 netmask 255.255.255.255 gw $publicip1
> > > route add $publicip1 gw $gw1
> >
> > You are trying to force the GW for smtpserver1, but ....
> >
> Yes, we are trying to the force the gateway for smtpserver1 and
> smtpserver2 . As both the smtpservers will go through specified ISPs.
>
> > > Some more iptables rules which ban sending mails from different
> > > vlans/lans directly to public ips (both 1 and 2)
> > > $IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP
> > >
> > >
> > > $IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP
> > >
> > >
> > > $IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip1 --dport $SMTP -j DROP
> > >
> > >
> > > Same rules we have for publicip2.
> > >
> > > But still we are not able to send emails from the $smtpserver running
> > > in the local lan to outside. Our requirement is like this smtpserver1
> > > which is running postfix should only send/receive emails through
> > > publicip1 and smtpserver2 which is also running postfix should
> > > sends/receive mails through publicip2.
> > >
> > > We are able to receive emails both the public ips on the respective
> > > smtp servers but when we are sending emails to outside world it is
> > > sometimes going through both the public ips from a single smtp server.
> >
> > ... it doesn't work.
> >
> > I had a similar problem.
> > I have create rules in the mangle INPUT table to 'mark' packets , for example:
> >
> > 0 for packet that must be load balanced
> > 1 for packet that must go through first ISP
> > 2 .... for the second ISP
> >
> > Then in my routing rules, I use the mark to use one or another routing table.
> >
>
> Can you mail me an example that will be very helpful for me.
Sorry dont have these config anymore.
Here are some hint I can remember, (without looking the correct syntax
in the doc)
# create the routing tables
ip route add default gw dev eth1 table 1
ip route add default gw dev eth2 table 2
#redirect to the correct table regarding the mark
ip rule add mark 1 table 1
ip rule add mark 2 table 2
# to set the mark
iptables -t mangle -A PREROUTING $YOURCONDITION[1..n] -j MARK --set-mark [012]
I was not using dynamic balancing like you but static balancing
depending on the source IP.
Hope this help
regards
>
>
> Thanks & Regards
>
> Ankush
>
--
Alain Spineux
aspineux gmail com
May the sources be with you
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
need help in configuring iptables for smtp traffic
