On Jan 17, 2008 5:41 PM, ankush grover <ankushcentos at gmail.com> wrote:
> Hi Friends,
>
> I am running CentOS 5 64-bit on a Dell server. I am trying to configure
> iptables for smtp traffic, for which I need some help/guidance.
>
> The scenario is like this:
>
> On a linux box we have 3 public IPs (eth1, eth2 and eth3) and 1 LAN
> IP (eth0). 2 public IPs are from the same service provider and 1 is
> from a different service provider. eth3 and eth2 are from the same
> public provider but currently we are using only the eth2 public IP. There
> is a script which load balances the Internet connection to both the
> service providers through ip rule:
>
> ip rule add from $publicip1 table 1
> ip rule add from $publicip2 table 2
>
> ip route add default scope global nexthop via $publicip1 dev eth1 \
>     weight 2 nexthop via $publicip2 dev eth2 weight 6

My understanding is: you are load balancing your outgoing traffic....

> The problem we are facing is that we have 2 mx exchangers in our
> domain. Both the exchangers receive/send the mails from the public
> IP like:
>
> mx1 will receive/send mails through eth1 (another service provider)
> mx2 will receive/send mails through eth2 (another service provider)
>
> Accepting mails from public ip:
>
> iptables -A INPUT -p tcp -d $publicip1 --dport 25 -j ACCEPT
>
> Natting rules:
>
> iptables -A FORWARD -p tcp -d $smtpserver1 --dport 25 -j ACCEPT
>
> iptables -t nat -A PREROUTING -d $publicip1 -p tcp --dport 25 -j DNAT \
>     --to $smtpserver1:25
>
> Sending mails from smtpserver1 to publicip1:
>
> iptables -t nat -A POSTROUTING -s $smtpserver1 -d 0/0 -o eth1 -j SNAT \
>     --to-source $publicip1
>
> route add $smtpserver1 netmask 255.255.255.255 gw $publicip1
> route add $publicip1 gw $gw1

You are trying to force the GW for smtpserver1, but ....

> Some more iptables rules which ban sending mails from different
> vlans/lans directly to public ips (both 1 and 2):
>
> $IPTABLES -A INPUT -p tcp -s $lan1 -d $publicip1 --dport $SMTP -j DROP
> $IPTABLES -A INPUT -p tcp -s $lan2 -d $publicip1 --dport $SMTP -j DROP
> $IPTABLES -A INPUT -p tcp -s $lan3 -d $publicip1 --dport $SMTP -j DROP
>
> Same rules we have for publicip2.
>
> But still we are not able to send emails from the $smtpserver running
> in the local lan to outside. Our requirement is like this: smtpserver1,
> which is running postfix, should only send/receive emails through
> publicip1, and smtpserver2, which is also running postfix, should
> send/receive mails through publicip2.
>
> We are able to receive emails on both the public ips on the respective
> smtp servers, but when we are sending emails to the outside world it is
> sometimes going through both the public ips from a single smtp server.

... it doesn't work.

I had a similar problem. I have created rules in the mangle INPUT table to
'mark' packets, for example:

0 for packets that must be load balanced
1 for packets that must go through the first ISP
2 .... for the second ISP

Then in my routing rules, I use the mark to use one or another routing table.

Regards

> Any suggestions/comments are most welcome
>
> Thanks & Regards
>
> Ankush Grover
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

--
Alain Spineux
aspineux gmail com
May the sources be with you
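The fwmark approach Alain describes, worked through for Ankush's two-server case as an added example that is not part of the thread: it marks the forwarded LAN packets in mangle PREROUTING (the chain that sees them before the routing decision), assumes tables 1 and 2 each get a single default route via the matching ISP gateway, and uses placeholder addresses, gateways and the IPT/IP variables, none of which come from the original mails.

```sh
#!/bin/sh
# Pin smtpserver1 to ISP1 (eth1) and smtpserver2 to ISP2 (eth2) with fwmark
# policy routing: mangle marks the packet, an ip rule picks the routing table
# from the mark, and SNAT gives the packet the public ip of the link it leaves on.
# Set IPT="echo iptables" IP="echo ip" to print the commands instead of applying them.

IPT=${IPT:-iptables}
IP=${IP:-ip}
SMTP1=${SMTP1:-10.0.0.10}     # smtpserver1 on the LAN (placeholder)
SMTP2=${SMTP2:-10.0.0.20}     # smtpserver2 on the LAN (placeholder)
PUB1=${PUB1:-198.51.100.2}    # publicip1 on eth1 (placeholder)
PUB2=${PUB2:-203.0.113.2}     # publicip2 on eth2 (placeholder)
GW1=${GW1:-198.51.100.1}      # ISP1 gateway (placeholder)
GW2=${GW2:-203.0.113.1}       # ISP2 gateway (placeholder)

mark_rules() {
    # Forwarded LAN packets are marked in mangle PREROUTING, before the routing
    # decision. Mark 1 = must leave via ISP1, mark 2 = via ISP2; everything else
    # stays at mark 0 and keeps using the load-balanced default route.
    $IPT -t mangle -A PREROUTING -s "$SMTP1" -j MARK --set-mark 1
    $IPT -t mangle -A PREROUTING -s "$SMTP2" -j MARK --set-mark 2
}

route_rules() {
    # One routing table per ISP, each with a plain (non-balanced) default route,
    # selected by the mark instead of by source address.
    $IP route add default via "$GW1" dev eth1 table 1
    $IP route add default via "$GW2" dev eth2 table 2
    $IP rule add fwmark 1 table 1 priority 100
    $IP rule add fwmark 2 table 2 priority 101
}

snat_rules() {
    # Translate on the mark and the exit interface so the source address always
    # matches the link the packet was routed out of.
    $IPT -t nat -A POSTROUTING -o eth1 -m mark --mark 1 -j SNAT --to-source "$PUB1"
    $IPT -t nat -A POSTROUTING -o eth2 -m mark --mark 2 -j SNAT --to-source "$PUB2"
}

apply_all() {
    mark_rules
    route_rules
    snat_rules
}

# Only touch the live tables when explicitly asked: ./pin-smtp.sh apply
if [ "${1:-}" = apply ]; then apply_all; fi
```

Ankush's existing 'ip rule add from $publicip table N' lines can stay, since they only match packets the router itself sends from those addresses; if tables 1 and 2 already carry a default route, drop the two 'ip route add' lines.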