ankush grover
2008-Jan-17 16:41 UTC
[CentOS] need help in configuring iptables for smtp traffic
Hi Friends,

I am running CentOS 5 64-bit on a Dell server. I am trying to configure iptables for SMTP traffic, for which I need some help/guidance.

The scenario is like this:

On a Linux box we have 3 public IPs (eth1, eth2 and eth3) and 1 LAN IP (eth0). 2 public IPs are from the same service provider and 1 is from a different service provider. eth3 and eth2 are from the same public provider but currently we are using only the eth2 public IP. There is a script which load balances the Internet connection to both the service providers through ip rule:

    ip rule add from $publicip1 table 1
    ip rule add from $publicip2 table 2

    ip route add default scope global nexthop via $publicip1 dev eth1 weight 2 nexthop via $publicip2 dev eth2 weight 6

The problem we are facing is that we have 2 MX exchangers in our domain. Both the exchangers receive/send mail from the public IPs like this:

    mx1 will receive/send mail through eth1 (another service provider)
    mx2 will receive/send mail through eth2 (another service provider)

Accepting mails from public IP:

    iptables -A INPUT -p tcp -d $publicip1 --dport 25 -j ACCEPT

Natting rules:

    iptables -A FORWARD -p tcp -d $smtpserver1 --dport 25 -j ACCEPT
    iptables -t nat -A PREROUTING -d $publicip1 -p tcp --dport 25 -j DNAT --to $smtpserver1:25

Sending mails from smtpserver1 to publicip1:

    iptables -t nat -A POSTROUTING -s $smtpserver1 -d 0/0 -o eth1 -j SNAT --to-source $publicip1

    route add $smtpserver1 netmask 255.255.255.255 gw $publicip1
    route add $publicip1 gw $gw1

Some more iptables rules which ban sending mails from different VLANs/LANs directly to the public IPs (both 1 and 2):

    $IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP
    $IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP
    $IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip1 --dport $SMTP -j DROP

Same rules we have for publicip2. But still we are not able to send emails from the $smtpserver running in the local LAN to outside.

Our requirement is like this: smtpserver1, which is running Postfix, should only send/receive emails through publicip1, and smtpserver2, which is also running Postfix, should send/receive mails through publicip2. We are able to receive emails on both the public IPs on the respective SMTP servers, but when we are sending emails to the outside world it is sometimes going through both the public IPs from a single SMTP server.

Any suggestions/comments are most welcome.

Thanks & Regards

Ankush Grover
Alain Spineux
2008-Jan-18 12:45 UTC
[CentOS] need help in configuring iptables for smtp traffic
On Jan 17, 2008 5:41 PM, ankush grover <ankushcentos at gmail.com> wrote:
> Hi Friends,
>
> I am running CentOS 5 64-bit on a Dell server. I am trying to configure
> iptables for SMTP traffic, for which I need some help/guidance.
>
> The scenario is like this:
>
> On a Linux box we have 3 public IPs (eth1, eth2 and eth3) and 1 LAN
> IP (eth0). 2 public IPs are from the same service provider and 1 is
> from a different service provider. eth3 and eth2 are from the same
> public provider but currently we are using only the eth2 public IP. There
> is a script which load balances the Internet connection to both the
> service providers through ip rule:
>
>     ip rule add from $publicip1 table 1
>     ip rule add from $publicip2 table 2
>
>     ip route add default scope global nexthop via $publicip1 dev eth1
>     weight 2 nexthop via $publicip2 dev eth2 weight 6

My understanding is: you are load balancing your outgoing traffic....

> The problem we are facing is that we have 2 MX exchangers in our
> domain. Both the exchangers receive/send mail from the public
> IPs like this:
>
>     mx1 will receive/send mail through eth1 (another service provider)
>     mx2 will receive/send mail through eth2 (another service provider)
>
> Accepting mails from public IP:
>
>     iptables -A INPUT -p tcp -d $publicip1 --dport 25 -j ACCEPT
>
> Natting rules:
>
>     iptables -A FORWARD -p tcp -d $smtpserver1 --dport 25 -j ACCEPT
>     iptables -t nat -A PREROUTING -d $publicip1 -p tcp --dport 25 -j DNAT --to $smtpserver1:25
>
> Sending mails from smtpserver1 to publicip1:
>
>     iptables -t nat -A POSTROUTING -s $smtpserver1 -d 0/0 -o eth1 -j SNAT --to-source $publicip1
>
>     route add $smtpserver1 netmask 255.255.255.255 gw $publicip1
>     route add $publicip1 gw $gw1

You are trying to force the GW for smtpserver1, but ....

> Some more iptables rules which ban sending mails from different
> VLANs/LANs directly to the public IPs (both 1 and 2):
>
>     $IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP
>     $IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP
>     $IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip1 --dport $SMTP -j DROP
>
> Same rules we have for publicip2.
>
> But still we are not able to send emails from the $smtpserver running
> in the local LAN to outside. Our requirement is like this: smtpserver1,
> which is running Postfix, should only send/receive emails through
> publicip1, and smtpserver2, which is also running Postfix, should
> send/receive mails through publicip2.
>
> We are able to receive emails on both the public IPs on the respective
> SMTP servers, but when we are sending emails to the outside world it is
> sometimes going through both the public IPs from a single SMTP server.

.... it doesn't work. I had a similar problem.

I have created rules in the mangle INPUT table to 'mark' packets, for example:

    0 for packets that must be load balanced
    1 for packets that must go through the first ISP
    2 .... for the second ISP

Then in my routing rules, I use the mark to use one or another routing table.

Regards

> Any suggestions/comments are most welcome.
>
> Thanks & Regards
>
> Ankush Grover
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

-- 
Alain Spineux
aspineux gmail com
May the sources be with you
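The mark-based approach Alain describes, worked through as an added example that is not code from either poster: new SMTP connections from each Postfix host, and new inbound connections to each public IP, are marked in the mangle PREROUTING chain (the chain forwarded LAN traffic traverses), the mark is stored on the connection with CONNMARK so replies take the same path, and an ip rule picks routing table 1 or 2 by fwmark. The interface names follow the thread; the addresses, the `-m state` match and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): pin each Postfix host to "its" ISP by
# marking connections and choosing a routing table from the mark.
# Prints the commands by default; run with APPLY=1 to execute them as root.
set -eu

# Constructed placeholder addresses (RFC 5737 ranges); replace with real ones.
LAN_IF=eth0;  ISP1_IF=eth1;  ISP2_IF=eth2
SMTPSERVER1=192.168.1.25;    SMTPSERVER2=192.168.1.26
PUBLICIP1=192.0.2.10;        PUBLICIP2=198.51.100.10
GW1=192.0.2.1;               GW2=198.51.100.1

# Print one command, or execute it when APPLY=1.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Rules for one ISP: mark N selects routing table N, and SNAT rewrites the
# source to the public IP of the interface the packet really leaves on.
isp_rules() { # isp_rules MARK SMTPSERVER PUBLICIP IFACE GW
    mark=$1; srv=$2; pub=$3; ifc=$4; gw=$5
    # New outbound SMTP from this server gets this ISP's mark.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$srv" -p tcp --dport 25 -m state --state NEW -j MARK --set-mark "$mark"
    # New inbound SMTP to this public IP gets the same mark, so the
    # (DNATed) server's replies leave through the ISP they arrived on.
    run iptables -t mangle -A PREROUTING -i "$ifc" -d "$pub" -p tcp --dport 25 -m state --state NEW -j MARK --set-mark "$mark"
    run ip rule add fwmark "$mark" table "$mark" priority "$((100 + mark))"
    run ip route replace default via "$gw" dev "$ifc" table "$mark"
    run iptables -t nat -A POSTROUTING -s "$srv" -o "$ifc" -j SNAT --to-source "$pub"
}

smtp_policy_rules() {
    # Packets of an already-marked connection: copy the saved mark back
    # onto the packet and stop, so every packet of a session routes alike.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    isp_rules 1 "$SMTPSERVER1" "$PUBLICIP1" "$ISP1_IF" "$GW1"
    isp_rules 2 "$SMTPSERVER2" "$PUBLICIP2" "$ISP2_IF" "$GW2"
    # Unmarked (mark 0) traffic falls through to the load-balanced default.
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    run ip route flush cache
}

smtp_policy_rules
```

The existing `ip rule add from $publicip1 table 1` rules from the thread can stay; the fwmark rules sit at priorities 101 and 102 and only catch marked traffic, leaving everything else to the multipath default route.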