Bodo Huber
2007-Jul-30 21:56 UTC
MultiISP & SMTP-Relay, forcing SMTP from $FW to specific ISP
Hello,

I have successfully installed and configured a multi ISP environment based on Shorewall 3.4.3. I achieved this pretty much exactly like explained in the related documentation (http://www.shorewall.net/MultiISP.html). Everything is working fine, I am using the 'track' option.

In addition to shorewall there is an SMTP relaying daemon running on the same machine. Mails transferred to 'net' will be relayed by '$FW'.

Due to some reverse DNS checks of some outside mail servers, now I have to ensure that all outgoing SMTP traffic is routed through a specific ISP (the one with the registered public IPs for the domain). Unfortunately I was not able to find a way to do this. The mentioned example in MultiISP.html does not work in my case because the traffic's source is '$FW' where the 'P' chain can not be used:

> Now suppose that you want to route all outgoing SMTP traffic from your
> local network through ISP 2. You would make this entry in
> /etc/shorewall/tcrules <http://www1.shorewall.net/traffic_shaping.htm>
> (and if you are running a version of Shorewall earlier than 3.0.0, you
> would set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
> <http://www1.shorewall.net/MultiISP.html???>).
>
> #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
> # PORT(S)
> 2:P <local network> 0.0.0.0/0 tcp 25

How can I achieve that SMTP generated by $FW is routed through a particular ISP?

Bodo
Jerry Vonau
2007-Jul-30 22:36 UTC
Re: MultiISP & SMTP-Relay, forcing SMTP from $FW to specific ISP
Bodo Huber wrote:
> Hello,
>
> I have successfully installed and configured a multi ISP environment
> based on Shorewall 3.4.3. I achieved this pretty much exactly like
> explained in the related documentation
> (http://www.shorewall.net/MultiISP.html). Everything is working fine, I
> am using the 'track' option.
>
> In addition to shorewall there is an SMTP relaying daemon running on the
> same machine. Mails transferred to 'net' will be relayed by '$FW'.
>

You need to mark the traffic from the firewall.

> Due to some reverse DNS checks of some outside mail servers, now I have
> to ensure that all outgoing SMTP traffic is routed through a specific
> ISP (the one with the registered public IPs for the domain).
> Unfortunately I was not able to find a way to do this. The mentioned
> example in MultiISP.html does not work in my case because the traffic's
> source is '$FW' where the 'P' chain can not be used:
>
>> Now suppose that you want to route all outgoing SMTP traffic from your
>> local network through ISP 2. You would make this entry in
>> /etc/shorewall/tcrules <http://www1.shorewall.net/traffic_shaping.htm>
>> (and if you are running a version of Shorewall earlier than 3.0.0, you
>> would set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
>> <http://www1.shorewall.net/MultiISP.html???>).
>>
>> #MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
>> # PORT(S)
>> 2:P <local network> 0.0.0.0/0 tcp 25
>
> How can I achieve that SMTP generated by $FW is routed through a
> particular ISP?
>

Hi:

Just drop the :P part, then the outbound traffic from the firewall is
marked in the tcout chain. Something like this should work:

2 $FW 0.0.0.0/0 tcp 25

Make sure you have the recommended entries in the masq file.

Jerry
Tom Eastep
2007-Jul-31 00:09 UTC
Re: MultiISP & SMTP-Relay, forcing SMTP from $FW to specific ISP
Jerry Vonau wrote:
>
> You need to mark the traffic from the firewall.
>
> Just drop the :P part, then the outbound traffic from the firewall is
> marked in the tcout chain. Something like this should work:
>
> 2 $FW 0.0.0.0/0 tcp 25
>
> Make sure you have the recommended entries in the masq file

An alternative is to configure the SMTP relay so that it binds to the proper local address for sending.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
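The two answers above (mark the firewall's own SMTP in tcout, or bind the relay to the right local address), written out as an added worked example. This is not from the original posts or from the Shorewall project; the interface names, provider names, gateway and interface addresses (documentation ranges) and the choice of Postfix as the relay are assumptions. ISP2 is taken to be the provider whose address carries the PTR record registered for the mail domain, so its MARK (2) is the one Jerry's tcrules line uses.

```conf
# /etc/shorewall/providers  (Shorewall 3.4, 'track' as in MultiISP.html)
# Assumed layout: eth0 -> ISP1, eth1 -> ISP2. ISP2 owns the address whose
# PTR record matches the relay's hostname. The MARK column here is the
# value the tcrules MARK column has to match exactly.
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY        OPTIONS        COPY
ISP1   1       1     main       eth0       203.0.113.1    track,balance
ISP2   2       2     main       eth1       198.51.100.1   track,balance

# /etc/shorewall/tcrules
# No ':P' suffix: with SOURCE $FW the rule goes into the tcout chain
# (mangle OUTPUT), the only place the firewall's own packets can be
# marked. '2:P' would put it in tcpre (mangle PREROUTING), which locally
# generated traffic never traverses, which is why the MultiISP.html
# example does nothing for a relay running on the firewall itself.
#MARK  SOURCE  DEST       PROTO  PORT(S)  CLIENT  USER  TEST
#                                         PORT(S)
2      $FW     0.0.0.0/0  tcp    25

# /etc/shorewall/masq  (the entries MultiISP.html recommends)
# SOURCE 0.0.0.0/0 also covers packets the firewall generates, so whatever
# leaves eth1 carries the ISP2 address even if the daemon's socket was
# bound to the other interface's address.
#INTERFACE  SOURCE     ADDRESS
eth0        0.0.0.0/0  203.0.113.10
eth1        0.0.0.0/0  198.51.100.20

# /etc/postfix/main.cf  (Tom's alternative; assumes the relay is Postfix)
# Binding the outgoing socket to the ISP2 address lets the per-address
# rules Shorewall installs for each provider interface (suppressed only
# by the 'loose' option) select the ISP2 table without any mark.
# myhostname must resolve forward to this address and the PTR for the
# address must return myhostname, or the remote reverse-DNS check fails
# no matter which ISP the session leaves through.
smtp_bind_address = 198.51.100.20
myhostname = mail.example.com
```

After `shorewall check` and `shorewall restart`, `shorewall show mangle` should list a MARK set 0x2 rule for tcp dpt:25 in the tcout chain, `ip rule ls` should show `from all fwmark 0x2 lookup ISP2` (and, unless 'loose' is set, `from 198.51.100.20 lookup ISP2`), and `ip route ls table ISP2` should show the default route via 198.51.100.1 on eth1. The end-to-end check is to send a test message to a mailbox outside both ISPs and confirm that the topmost Received: header at the recipient names 198.51.100.20 and the hostname its PTR resolves to; the tcout rule's packet counter in `shorewall show mangle` should increase with each session.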