Hi,

I have 2 internet connections (1 adsl/1 cable). I am trying to route all outgoing mail from the mail server (on the same box) through the ADSL connection; routing through the cable will mean mail will get rejected by AOL :( I am using qmail as the mail server.

The configuration is:

eth0 : cable connection
ppp0 : adsl connection
eth2 : internal lan connection

I have configured split access as described in LARTC section 4.2.1, and that is working fine; however, routing outgoing mail is proving to be elusive. I have turned off reverse path filtering and have loaded probably every netfilter related kernel module.

Here is some more information:

IPTABLES RULES (I did them for all interfaces to see if it worked - it didn't.)

iptables -t mangle -A PREROUTING -p tcp -i eth0 --dport 25 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -i eth1 --dport 25 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -i eth2 --dport 25 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -i lo --dport 25 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -i ppp0 --dport 25 -j MARK --set-mark 1

iptables -L -v -t mangle

Chain PREROUTING (policy ACCEPT 89929 packets, 26M bytes)
 pkts bytes target prot opt in   out source   destination
    0     0 MARK   tcp  --  eth0 any anywhere anywhere  tcp dpt:smtp MARK set 0x1
    0     0 MARK   tcp  --  eth1 any anywhere anywhere  tcp dpt:smtp MARK set 0x1
   11  1204 MARK   tcp  --  eth2 any anywhere anywhere  tcp dpt:smtp MARK set 0x1
   26  2152 MARK   tcp  --  lo   any anywhere anywhere  tcp dpt:smtp MARK set 0x1
    0     0 MARK   tcp  --  ppp0 any anywhere anywhere  tcp dpt:smtp MARK set 0x1

ip route show

yyy.yyy.yyy.yyy dev ppp0 proto kernel scope link src xxx.xxx.xxx.xxx
zzz.zzz.zzz.zzz dev eth0 scope link src zzz.zzz.zzz.zzz
192.168.0.0/24 dev eth2 scope link
zzz.zzz.zzz.zzz/22 dev eth0 proto kernel scope link src zzz.zzz.zzz.zzz
127.0.0.0/8 dev lo scope link
default via zzz.zzz.zzz.zzz dev eth0

ip rule show

0:     from all lookup local
32755: from xxx.xxx.xxx.xxx lookup T2
32756: from zzz.zzz.zzz.zzz lookup T1
32760: from all fwmark 0x1 lookup mail
32766: from all lookup main
32767: from all lookup 253

ip route show table mail

default via xxx.xxx.xxx.xxx dev ppp0

I feel that I have tried everything to get this to work - read the archives, googled, played with a million iptables rules, iproutes and loaded kernel modules - but to no avail! rtacct shows nothing. Using mandrake 9.2 btw.

Please help!!!

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
On Thu, 22 Jan 2004, Nikhil Jogia wrote:

> I have 2 internet connections (1 adsl/1 cable). I am try to route all
> outgoing mail from the mail server (on the same box), through the ADSL
> connection routing through the cable will mean mail will get rejected by AOL
> :( I am using qmail as the mail server.

Have you tried binding the mail server to the ADSL IP address?

> I feel that I have tried everything to get this to work - read the archives,
> googled, played with a million iptables rules, iproutes and loaded kernel
> modules - but to no avail!

Are the FORWARD tables configured to ACCEPT the packets, either by default policy or explicit rules?

One thing I feel is missing is POSTROUTING SNAT rules, so that if a packet is going out of an interface with an IP source that is not its address, it's NATted to the interface's IP address. You should have two of those rules, one for the cable and one for the ADSL.

Rubens
I have fixed half of the problem with:

iptables -A OUTPUT -t mangle -p tcp --dport 25 -j MARK --set-mark 25
ip rule add fwmark 25 lookup mail
ip route add default via xxx.xxx.xxx.xxx dev ppp0 table mail

Running tcpdump, it appears that port 25 traffic is being routed through the ADSL connection. However, the source IP address appears to be the cable IP address (cable is the default gateway). I have put SNAT rules in place, however they don't seem to work.

The SNAT rules I used were:

iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to yyy.yyy.yyy.yyy

and the same thing with the cable connection.

Remember, the packets are being generated locally through the mail server (qmail).
> iptables -A OUTPUT -t mangle -p tcp --dport 25 -j MARK --set-mark 25
> ip rule add fwmark 25 lookup mail
> ip route add default via xxx.xxx.xxx.xxx dev ppp0 table mail
>
> Running tcpdump it appears that port 25 traffic is be routed through the
> ADSL connection. However, the source IP address appears to be the cable IP

Correct routing is kinda odd in this case, as IPTABLES OUTPUT happens after OUTPUT ROUTING, according to KPTD (http://www.docum.org/stef.coene/qos/kptd).

> address (cable is the default gateway). I have put SNAT rules in place,
> however they don't seem to work.
>
> The SNAT rules I used were:
>
> iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to yyy.yyy.yyy.yyy
> and the same thing with the cable connection.
>
> Rememeber, the packets are being generated locally through the mail server
> (qmail).

IPTABLES POSTROUTING happens for both locally originated and forwarded traffic (see KPTD); it should have worked. Anyway, binding the mail server to the intended IP address (by adding it to the tcpserver call) should also do this part of the job.

Rubens
PROBLEM SOLVED!

I didn't have to bind the output to the mail server. The problem was that I didn't have a SNAT rule for eth0 (the network interface attached to the ADSL modem). Thank god for that!
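The procedure the thread converges on (mark locally generated SMTP in the mangle OUTPUT chain, send marked packets to a separate table with an fwmark rule, SNAT on the ADSL side), put together as one script. This is an added example, not code from the thread or from the LARTC HOWTO. Interface names follow the poster's setup; the addresses are RFC 5737 placeholders standing in for the masked xxx/zzz values, and the table name `mail` is assumed to be declared in /etc/iproute2/rt_tables. It also spells out two things the thread only shows the symptoms of: the kernel picks the source address on the first route lookup, before the OUTPUT chain runs, so the marked packet is re-routed still carrying the cable address and would match a split-access `from <cable address>` rule if that rule sorted first (hence the explicit low preference on the fwmark rule), and re-routing never rewrites that source address, which is why the SNAT rule, not the routing table, is what changes it.

```shell
#!/bin/sh
# Added example (not from the thread): route locally generated SMTP out of the
# ADSL link and SNAT it to the ADSL address. Run with DRY_RUN=1 to review the
# commands; run "sh script.sh apply" as root to install them.
# Interface names follow the poster's setup; addresses are RFC 5737 placeholders.
ADSL_IF=ppp0
ADSL_IP=198.51.100.10      # local end of ppp0 (the "src" shown by "ip route show")
CABLE_IF=eth0
CABLE_IP=203.0.113.5       # cable address; the source the default route picks
MAIL_TABLE=mail            # assumed to be listed in /etc/iproute2/rt_tables
MAIL_MARK=25
MAIL_PRIO=100              # must sort before the "from $CABLE_IP lookup T1" rule

# Print the command instead of executing it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_mail_routing() {
    # 1. Mark locally generated SMTP in mangle OUTPUT. PREROUTING never sees
    #    packets that originate on this host, which is why the thread's first
    #    attempt counted nothing on eth0 or ppp0.
    run iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark "$MAIL_MARK"

    # 2. Table for marked traffic. ppp0 is point-to-point, so a device route
    #    is enough; no gateway address is needed.
    run ip route replace default dev "$ADSL_IF" table "$MAIL_TABLE"

    # 3. Rule ordering matters: the source address was chosen on the first
    #    lookup (before OUTPUT), so the re-routed packet still has $CABLE_IP.
    #    A "from $CABLE_IP lookup T1" rule with a lower preference number would
    #    win and send it back out the cable. Put the fwmark rule ahead of it.
    run ip rule add prio "$MAIL_PRIO" fwmark "$MAIL_MARK" lookup "$MAIL_TABLE"

    # 4. Re-routing does not rewrite the source address; SNAT does. Without
    #    this, mail leaves ppp0 with the cable address, the symptom the poster
    #    saw in tcpdump. "! -s $ADSL_IP" also covers forwarded LAN traffic.
    run iptables -t nat -A POSTROUTING -o "$ADSL_IF" ! -s "$ADSL_IP" \
        -j SNAT --to-source "$ADSL_IP"

    run ip route flush cache
}

# Show which table and interface a marked SMTP packet would use, and the
# NAT counters, so the fix can be confirmed without sending real mail.
verify_mail_routing() {
    dst=${1:-192.0.2.25}   # placeholder remote MX
    run ip route get "$dst" mark "$MAIL_MARK"
    run iptables -t nat -L POSTROUTING -v -n
}

if [ "${1:-}" = "apply" ]; then
    setup_mail_routing
    verify_mail_routing
fi
```

`ip route get <dst> mark <n>` asks the kernel which route a packet carrying that mark would take, so it is the quickest way to confirm the fwmark rule is being consulted before the source-based ones; the POSTROUTING counters then show whether the SNAT rule is actually being hit.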