route outgoing smtp via a specific interface

route outgoing smtp via a specific interface

[Christer Ekholm]

I have two IP-providers. And the faster one of them blocks smtp. I
have been trying to route smtp to the slower while still routing
everything else to the faster, without success. Is it possible at all?


-- 
 Christer

Re: route outgoing smtp via a specific interface

[Antony Stone]

On Sunday 02 May 2004 11:50 pm, Christer Ekholm wrote:

> I have two IP-providers. And the faster one of them blocks smtp. I
> have been trying to route smtp to the slower while still routing
> everything else to the faster, without success. Is it possible at all?

IProute2, http://lartc.org

Antony.

-- 
It is also possible that putting the birds in a laboratory setting 
inadvertently renders them relatively incompetent.

 - Daniel C Dennet

                                                     Please reply to the list;
                                                           please don't CC me.

Re: route outgoing smtp via a specific interface

[Christer Ekholm]

Antony Stone <Antony@Soft-Solutions.co.uk> writes:

> On Sunday 02 May 2004 11:50 pm, Christer Ekholm wrote:
>
>> I have two IP-providers. And the faster one of them blocks smtp. I
>> have been trying to route smtp to the slower while still routing
>> everything else to the faster, without success. Is it possible at all?
>
> IProute2, http://lartc.org

Thankyou for the answer. I have read that, and tried everything I
could think of.  I think my problem is that I need this to work from
the host with the connections to the providers. (localhost).

Here is an attempt to describe what I have tried.

This is my configuration:

/etc/iproute2/rt_tables
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
1       bb
2       bost

Provider one (called bb - very fast)
$ip addr show eth0
2: eth0: <BROADCAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:59:e9:c0 brd ff:ff:ff:ff:ff:ff
    inet 213.113.148.180/26 brd 213.113.148.191 scope global eth0

Provider two (called bost - slow but permits smtp)
$ip addr show eth1
3: eth1: <BROADCAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:5a:1e:ab:3e brd ff:ff:ff:ff:ff:ff
    inet 217.215.183.181/24 brd 217.215.183.255 scope global eth1

I also have a local network (not relevant for my problem) (i think)
$ip addr show eth2
4: eth2: <BROADCAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:10:4b:cb:c2:c6 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth2
    

I have dedicated routing tables for each provider

$ip route show table bb
213.113.148.128/26 dev eth0  scope link  src 213.113.148.180 
192.168.1.0/24 dev eth2  scope link 
127.0.0.0/8 dev lo  scope link 
default via 213.113.148.129 dev eth0 

$ip route show table bost
217.215.183.0/24 dev eth1  scope link  src 217.215.183.181 
192.168.1.0/24 dev eth2  scope link 
127.0.0.0/8 dev lo  scope link 
default via 217.215.183.1 dev eth1  src 217.215.183.181 

And table main looks like this.
$ip route show table main
213.113.148.128/26 dev eth0  proto kernel  scope link  src 213.113.148.180 
217.215.183.0/24 dev eth1  proto kernel  scope link  src 217.215.183.181 
192.168.1.0/24 dev eth2  proto kernel  scope link  src 192.168.1.2 
default via 213.113.148.129 dev eth0 

And I have a set of rules also.
$ip rule show
0:      from all lookup local 
101:    from 213.113.148.180 lookup bb 
102:    from 217.215.183.181 lookup bost 
32766:  from all lookup main 
32767:  from all lookup default 


Now this works perfectly, if provider(bb) stops working, i can very
quickly switch provider by changing the defaultroute in table main.

Now over to my not-so-successful experiments. :(

I have tried using the 'mangle' chain to mark smtp-packets, and then
using a rule to route that to the other provider. like this:

iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 1
ip rule add prio 21 fwmark 1 table bost

The rules now looking like this:

$ip rule show
0:      from all lookup local 
21:     from all fwmark        1 lookup bost 
101:    from 213.113.148.180 lookup bb 
102:    from 217.215.183.181 lookup bost 
32766:  from all lookup main 
32767:  from all lookup default 

Then when I try it I get "No route to host".
$telnet vishnu.netfilter.org 25
Trying 213.95.27.115...
telnet: Unable to connect to remote host: No route to host

Next thing i tried was to add "nat" to the smtp-rule
$ip rule add prio 21 fwmark 1 table bost nat 217.215.183.181
$ip rule show
0:      from all lookup local 
21:     from all fwmark        1 lookup bost map-to 217.215.183.181 
101:    from 213.113.148.180 lookup bb 
102:    from 217.215.183.181 lookup bost 
32766:  from all lookup main 
32767:  from all lookup default 

Which got me one step further. The packets ar now detectable on
eth1. But still with the wrong source-address

tcpdump -n -i eth1 dst port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 68 bytes
00:24:14.311433 IP 213.113.148.180.48829 > 213.95.27.115.25: SWE 3230509301:3230509301(0) win 5840 <mss 1460,sackOK,timestamp 68840162[|tcp]>
00:24:17.304696 IP 213.113.148.180.48829 > 213.95.27.115.25: SWE 3230509301:3230509301(0) win 5840 <mss 1460,sackOK,timestamp 68840462[|tcp]>
00:24:23.304827 IP 213.113.148.180.48829 > 213.95.27.115.25: SWE 3230509301:3230509301(0) win 5840 <mss 1460,sackOK,timestamp 68841062[|tcp]>

My next thought was to use iptables to add a SNAT rule. But SNAT is only
allowed in POSTROUTING, and I think I would need that in OUTPUT

--
 Christer

Re: route outgoing smtp via a specific interface

[Antony Stone]

On Monday 03 May 2004 12:25 am, Christer Ekholm wrote:

> Antony Stone <Antony@Soft-Solutions.co.uk> writes:
> > On Sunday 02 May 2004 11:50 pm, Christer Ekholm wrote:
> >> I have two IP-providers. And the faster one of them blocks smtp. I
> >> have been trying to route smtp to the slower while still routing
> >> everything else to the faster, without success. Is it possible at all?
> >
> > IProute2, http://lartc.org
>
> Thankyou for the answer. I have read that, and tried everything I
> could think of.

Ah.   Sorry if my previous response seemed a little terse - I did not realise 
you were aware of iproute2 and had tried so much of it already.

> I think my problem is that I need this to work from the host with the
> connections to the providers. (localhost).
>
> My next thought was to use iptables to add a SNAT rule. But SNAT is only
> allowed in POSTROUTING, and I think I would need that in OUTPUT

I would recommend that you do try such a rule, since POSTROUTING happens after 
OUTPUT (and FORWARD).

Try:

iptables -A POSTROUTING -t nat -p tcp --dport 25 -j SNAT --to 217.215.183.181

Regards,

Antony.

-- 
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: route outgoing smtp via a specific interface

[Christer Ekholm]

Antony Stone <Antony@Soft-Solutions.co.uk> writes:

> Ah.   Sorry if my previous response seemed a little terse - I did not realise 
> you were aware of iproute2 and had tried so much of it already.

Don't be sorry, your assumption was perfectly valid.

>
>> I think my problem is that I need this to work from the host with the
>> connections to the providers. (localhost).
>>
>> My next thought was to use iptables to add a SNAT rule. But SNAT is only
>> allowed in POSTROUTING, and I think I would need that in OUTPUT
>
> I would recommend that you do try such a rule, since POSTROUTING happens after 
> OUTPUT (and FORWARD).
>
> Try:
>
> iptables -A POSTROUTING -t nat -p tcp --dport 25 -j SNAT --to 217.215.183.181
>

Ok, that almost makes it work. tcpdump shows the packets with the
correct sourceaddr, and I can see the returnpackets also. But they
doesn't seem to reach my telnet process, because it just sits waiting.

$telnet vishnu.netfilter.org 25
Trying 213.95.27.115...

tcpdump -n -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 68 bytes
02:16:07.089217 IP 217.215.183.181.48896 > 213.95.27.115.25: SWE 1634311290:1634311290(0) win 5840 <mss 1460,sackOK,timestamp 69511424[|tcp]>
02:16:07.145586 IP 213.95.27.115.25 > 217.215.183.181.48896: S 294755035:294755035(0) ack 1634311291 win 5792 <mss 1460,sackOK,timestamp 573673968[|tcp]>
02:16:10.086584 IP 217.215.183.181.48896 > 213.95.27.115.25: SWE 1634311290:1634311290(0) win 5840 <mss 1460,sackOK,timestamp 69511724[|tcp]>
02:16:10.142648 IP 213.95.27.115.25 > 217.215.183.181.48896: S 294755035:294755035(0) ack 1634311291 win 5792 <mss 1460,sackOK,timestamp 573674267[|tcp]>
02:16:11.144472 IP 213.95.27.115.25 > 217.215.183.181.48896: S 294755035:294755035(0) ack 1634311291 win 5792 <mss 1460,sackOK,timestamp 573674368[|tcp]>
02:16:12.086600 arp who-has 217.215.183.1 tell 217.215.183.181
02:16:12.099187 arp reply 217.215.183.1 is-at 00:20:1a:06:d9:19
02:16:16.086737 IP 217.215.183.181.48896 > 213.95.27.115.25: SWE 1634311290:1634311290(0) win 5840 <mss 1460,sackOK,timestamp 69512324[|tcp]>
02:16:16.143331 IP 213.95.27.115.25 > 217.215.183.181.48896: S 294755035:294755035(0) ack 1634311291 win 5792 <mss 1460,sackOK,timestamp 573674867[|tcp]>
02:16:17.145349 IP 213.95.27.115.25 > 217.215.183.181.48896: S 294755035:294755035(0) ack 1634311291 win 5792 <mss 1460,sackOK,timestamp 573674968[|tcp]>
02:16:28.087024 IP 217.215.183.181.48896 > 213.95.27.115.25: SWE 1634311290:1634311290(0) win 5840 <mss 1460,sackOK,timestamp 69513524[|tcp]>
02:16:28.143251 IP 213.95.27.115.25 > 217.215.183.181.48896: S 294755035:294755035(0) ack 1634311291 win 5792 <mss 1460,sackOK,timestamp 573676067[|tcp]>
02:16:29.146786 IP 213.95.27.115.25 > 217.215.183.181.48896: S 294755035:294755035(0) ack 1634311291 win 5792 <mss 1460,sackOK,timestamp 573676168[|tcp]>
02:16:52.087641 IP 217.215.183.181.48896 > 213.95.27.115.25: SWE 1634311290:1634311290(0) win 5840 <mss 1460,sackOK,timestamp 69515924[|tcp]>
02:16:52.144701 IP 213.95.27.115.25 > 217.215.183.181.48896: S 294755035:294755035(0) ack 1634311291 win 5792 <mss 1460,sackOK,timestamp 573678467[|tcp]>
02:16:53.150064 IP 213.95.27.115.25 > 217.215.183.181.48896: S 294755035:294755035(0) ack 1634311291 win 5792 <mss 1460,sackOK,timestamp 573678568[|tcp]>


--
 Christer

Re: route outgoing smtp via a specific interface

[Alexander Samad]

[-- Attachment #1: Type: text/plain, Size: 1295 bytes --]

On Mon, May 03, 2004 at 02:30:32AM +0200, Christer Ekholm wrote:
> Antony Stone <Antony@Soft-Solutions.co.uk> writes:
> 
> > Ah.   Sorry if my previous response seemed a little terse - I did not realise 
> > you were aware of iproute2 and had tried so much of it already.
> 
> Don't be sorry, your assumption was perfectly valid.
> 
> >
> >> I think my problem is that I need this to work from the host with the
> >> connections to the providers. (localhost).
> >>
> >> My next thought was to use iptables to add a SNAT rule. But SNAT is only
> >> allowed in POSTROUTING, and I think I would need that in OUTPUT
> >
> > I would recommend that you do try such a rule, since POSTROUTING happens after 
> > OUTPUT (and FORWARD).
> >
> > Try:
> >
> > iptables -A POSTROUTING -t nat -p tcp --dport 25 -j SNAT --to 217.215.183.181
> >
> 
> Ok, that almost makes it work. tcpdump shows the packets with the
> correct sourceaddr, and I can see the returnpackets also. But they
> doesn't seem to reach my telnet process, because it just sits waiting.
> 
> $telnet vishnu.netfilter.org 25
> Trying 213.95.27.115...

On a different thought can't you tell your mta to bind to a specific
interface or use a specific address ( I can with exim)

> 
> --
>  Christer
> 
> 

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: route outgoing smtp via a specific interface

[Christer Ekholm]

Alexander Samad <alex@samad.com.au> writes:

>
> On a different thought can't you tell your mta to bind to a specific
> interface or use a specific address ( I can with exim)

Thankyou!

The simple logical solution, which i was totally blind for. I just
need to have my postfix configured with:

smtp_bind_address = 217.215.183.181

I works!
And I don't have to do anything magical with routing or iptables.

--
 Christer

Re: route outgoing smtp via a specific interface

[Alexis]

yes it its.
you must use iproute2 and iptables with mark or just simple iproute2 (if
match conditions are enough) to achieve this
Just send a fast diagram of your network so we can help you with the rules.




----- Original Message ----- 
From: "Christer Ekholm" <chrekh@bredband.net>
To: <netfilter@lists.netfilter.org>
Sent: Sunday, May 02, 2004 7:50 PM
Subject: route outgoing smtp via a specific interface


> I have two IP-providers. And the faster one of them blocks smtp. I
> have been trying to route smtp to the slower while still routing
> everything else to the faster, without success. Is it possible at all?
>
>
> -- 
>  Christer
>
>