[CentOS] need help in configuring iptables for smtp traffic

Fri Jan 18 12:45:01 UTC 2008
Alain Spineux <aspineux at gmail.com>

On Jan 17, 2008 5:41 PM, ankush grover <ankushcentos at gmail.com> wrote:
> Hi Friends,
>
>
> I am running Centos 5 64-bit on a Dell sever. I am trying to configure
> iptables for smtp traffic for which I need some help/guidance.
>
> The scenario is like this:
>
>  On a linux box we have 3 public IPs (eth1, eth2 and eth3) and 1 LAN
> IP (eth0). 2 public IPs are from the same service provider and 1 is
> from a different service provider. eth3 and eth2 are from the same
> public provider but currently we are using only the eth2 public IP. There
> is a script which load balances the Internet connection to both the
> service providers through ip rule:
>
>
> ip rule add from $publicip1 table 1
> ip rule add from $publicip2 table 2
>
> ip route add default scope global nexthop via $publicip1 dev eth1
> weight 2 nexthop via $publicip2 dev eth2 weight 6

My understanding is:
You are load balancing your outgoing traffic....

>
> The problem we are facing is that we have 2 mx exchangers in our
> domain. Both the exchangers receive/send the mails from the public
> IP like
>
> mx1 will receive/sends mails through eth1  (another service provider)
> mx2 will receive/sends mails through eth2  (another service provider)
>
>
> Accepting mails from public ip
> iptables -A INPUT -p tcp -d $publicip1 --dport 25 -j ACCEPT
>
>
>
> Natting rules
> iptables -A FORWARD -p tcp -d $smtpserver1 --dport 25   -j ACCEPT
>
> iptables -t nat -A PREROUTING  -d $publicip1 -p tcp --dport 25 -j DNAT
> --to $smtpserver1:25
>
>
> Sending mails from smtpserver1 to publicip1
>
> iptables -t nat -A POSTROUTING -s $smtpserver1 -d 0/0 -o eth1 -j SNAT
> --to-source $publicip1
>
> route add $smtpserver1 netmask 255.255.255.255 gw $publicip1
> route add  $publicip1 gw $gw1

You are trying to force the GW for smtpserver1, but ....

>
>
> Some more iptables rules which ban sending mails from different
> vlans/lans directly to public ips (both 1 and 2)
> $IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP
>
>
> $IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP
>
>
> $IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip1 --dport $SMTP -j DROP
>
>
> Same rules we have for publicip2.
>
> But still we are not able to send emails from the $smtpserver running
> in the local LAN to outside. Our requirement is like this: smtpserver1,
> which is running postfix, should only send/receive emails through
> publicip1, and smtpserver2, which is also running postfix, should
> send/receive mails through publicip2.
>
> We are able to receive emails on both the public IPs on the respective
> smtp servers, but when we are sending emails to the outside world they are
> sometimes going through both the public IPs from a single smtp server.

... it doesn't work.

I had a similar problem.
I have created rules in the mangle INPUT table to 'mark' packets, for example:

0 for packet that must be load balanced
1 for packet that must go through first ISP
2 .... for the second ISP

Then in my routing rules, I use the mark to use one or another routing table.

Regards

>
>
> Any suggestions/comments are most welcome
>
>
> Thanks & Regards
>
> Ankush Grover
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



-- 
Alain Spineux
aspineux gmail com
May the sources be with you