* Redirecting outgoing SMTP from LAN to another LAN server
@ 2004-04-29 9:59 Gavin Hamill
2004-04-29 13:37 ` Alexander Samad
0 siblings, 1 reply; 9+ messages in thread
From: Gavin Hamill @ 2004-04-29 9:59 UTC (permalink / raw)
To: netfilter
Hullo :)
I'd like to do $SUBJECT, but after much playing with commands like
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to 10.0.0.253:25
I have given up and have come to you fine people for help...
My LAN is on eth1, with WAN on eth0. The gateway machine is 10.0.0.254 doing masq for
LAN clients, but I'd like to send any outgoing SMTP connections to 10.0.0.253 - alas
any time I've tried, I just end up killing ALL outgoing SMTP :(
Any suggestions warmly received!
Cheers,
Gavin.
* Re: Redirecting outgoing SMTP from LAN to another LAN server
From: Alexander Samad @ 2004-04-29 13:37 UTC (permalink / raw)
To: netfilter
On Thu, Apr 29, 2004 at 10:59:49AM +0100, Gavin Hamill wrote:
> Hullo :)
>
> I'd like to do $SUBJECT, but after much playing with commands like
>
> iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to 10.0.0.253:25
what about
iptables -t nat -A PREROUTING -p tcp -i eth1 -s ! 10.0.0.253 --dport 25 -j DNAT --to 10.0.0.253:25
I presume 10.0.0.253 is also on eth1.
>
> I have given up and have come to you fine people for help...
>
> My LAN is on eth1, with WAN on eth0. The gateway machine is 10.0.0.254 doing masq for
> LAN clients, but I'd like to send any outgoing SMTP connections to 10.0.0.253 - alas
> any time I've tried, I just end up killing ALL outgoing SMTP :(
>
> Any suggestions warmly received!
>
> Cheers,
> Gavin.
>
>
* Re: Redirecting outgoing SMTP from LAN to another LAN server
From: Sven Schuster @ 2004-04-29 14:47 UTC (permalink / raw)
To: netfilter
On Thu, Apr 29, 2004 at 11:37:57PM +1000, Alexander Samad told us:
> On Thu, Apr 29, 2004 at 10:59:49AM +0100, Gavin Hamill wrote:
> > Hullo :)
> >
> > I'd like to do $SUBJECT, but after much playing with commands like
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to 10.0.0.253:25
>
> what about
>
> iptables -t nat -A PREROUTING -p tcp -i eth1 -s ! 10.0.0.253 --dport 25 -j DNAT --to 10.0.0.253:25
>
> I presume 10.0.0.253 is also on eth1.
>
The problem here might be that both the client and the server are on
the same physical network. This means
So assume we have a client (10.0.0.1) which wants to connect to a
mail server (12.34.56.78) on the internet. So you DNAT the request to
your internal mail server 10.0.0.253 at the firewall. Your internal
mail server gets the request but will try to directly talk to the
client, as in the packet the sender is still the original IP address.
(sorry if this is hard to understand, I'm not really good at
explaining things :) So you will additionally need a SNAT rule on
your firewall, something like
iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.0.0.0/8 \
-d 10.0.0.253 --dport 25 -j SNAT --to 10.0.0.xx
where xx would be the ip of your firewall. Now both the packets
from the client to the server and the returning packets from the
server to the client will travel through your firewall.
HTH
Sven
>
> >
> > I have given up and have come to you fine people for help...
> >
> > My LAN is on eth1, with WAN on eth0. The gateway machine is 10.0.0.254 doing masq for
> > LAN clients, but I'd like to send any outgoing SMTP connections to 10.0.0.253 - alas
> > any time I've tried, I just end up killing ALL outgoing SMTP :(
> >
> > Any suggestions warmly received!
> >
> > Cheers,
> > Gavin.
> >
> >
--
Linux zion 2.6.6-rc1 #1 Sat Apr 17 11:50:12 CEST 2004 i686 athlon i386 GNU/Linux
16:37:12 up 8 days, 21:26, 1 user, load average: 0.01, 0.01, 0.00
* Re: Redirecting outgoing SMTP from LAN to another LAN server
From: Alexander Samad @ 2004-04-29 22:23 UTC (permalink / raw)
To: netfilter
On Thu, Apr 29, 2004 at 04:47:57PM +0200, Sven Schuster wrote:
> On Thu, Apr 29, 2004 at 11:37:57PM +1000, Alexander Samad told us:
> > On Thu, Apr 29, 2004 at 10:59:49AM +0100, Gavin Hamill wrote:
> > > Hullo :)
> > >
> > > I'd like to do $SUBJECT, but after much playing with commands like
> > >
> > > iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to 10.0.0.253:25
> >
> > what about
> >
> > iptables -t nat -A PREROUTING -p tcp -i eth1 -s ! 10.0.0.253 --dport 25 -j DNAT --to 10.0.0.253:25
> >
> > I presume 10.0.0.253 is also on eth1.
> >
>
> The problem here might be that both the client and the server are on
> the same physical network. This means
>
> So assume we have a client (10.0.0.1) which wants to connect to a
> mail server (12.34.56.78) on the internet. So you DNAT the request to
> your internal mail server 10.0.0.253 at the firewall. Your internal
> mail server gets the request but will try to directly talk to the
> client, as in the packet the sender is still the original IP address.
> (sorry if this is hard to understand, I'm not really good at
> explaining things :) So you will additionally need a SNAT rule on
> your firewall, something like
>
> iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.0.0.0/8 \
> -d 10.0.0.253 --dport 25 -j SNAT --to 10.0.0.xx
yeap, forgot about that
>
> where xx would be the ip of your firewall. Now both the packets
> from the client to the server and the returning packets from the
> server to the client will travel through your firewall.
>
>
> HTH
>
> Sven
>
> >
>
> > >
> > > I have given up and have come to you fine people for help...
> > >
> > > My LAN is on eth1, with WAN on eth0. The gateway machine is 10.0.0.254 doing masq for
> > > LAN clients, but I'd like to send any outgoing SMTP connections to 10.0.0.253 - alas
> > > any time I've tried, I just end up killing ALL outgoing SMTP :(
> > >
> > > Any suggestions warmly received!
> > >
> > > Cheers,
> > > Gavin.
> > >
> > >
>
>
>
> --
> Linux zion 2.6.6-rc1 #1 Sat Apr 17 11:50:12 CEST 2004 i686 athlon i386 GNU/Linux
> 16:37:12 up 8 days, 21:26, 1 user, load average: 0.01, 0.01, 0.00
* Re: Redirecting outgoing SMTP from LAN to another LAN server
From: Gavin Hamill @ 2004-04-30 12:28 UTC (permalink / raw)
To: netfilter
On Thursday 29 April 2004 15:47, Sven Schuster wrote:
>
> iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.0.0.0/8 \
> -d 10.0.0.253 --dport 25 -j SNAT --to 10.0.0.xx
>
> where xx would be the ip of your firewall. Now both the packets
> from the client to the server and the returning packets from the
> server to the client will travel through your firewall.
Thanks for the reply - the explanation sounds right, and I think I understand
what's going on now - I won't be able to test the theory out until next week
- I just didn't want to seem rude by staying silent to date :)
Cheers,
Gavin.
* Re: Redirecting outgoing SMTP from LAN to another LAN server
From: Gavin Hamill @ 2004-05-13 12:46 UTC (permalink / raw)
To: netfilter
On Thursday 29 April 2004 15:47, Sven Schuster wrote:
>So you will additionally need a SNAT rule on
> your firewall, something like
>
> iptables -t nat -A POSTROUTING -p tcp -o eth1 -s 10.0.0.0/8 \
> -d 10.0.0.253 --dport 25 -j SNAT --to 10.0.0.xx
>
> where xx would be the ip of your firewall. Now both the packets
> from the client to the server and the returning packets from the
> server to the client will travel through your firewall.
This is just a final followup to say thanks for the advice, and to report on
the final solution.
eth0 is the 0utside, and eth1 is the 1nside (that's what I use to stop
confusing myself...) and 10.0.0.254 is the firewall and default gateway for
all LAN machines
$ iptables -t nat -A PREROUTING -p tcp -i eth1 -s ! 10.0.0.253 --dport 25 -j DNAT --to 10.0.0.253:25
$ iptables -t nat -A POSTROUTING -p tcp -s 10.0.0.0/24 -d 10.0.0.253 --dport 25 -j SNAT --to 10.0.0.254
This way, LAN users trying to connect directly to an external mail server get
sent to the MTA on 10.0.0.253, and 10.0.0.253 itself still has full access to
'real' port 25 in order that it can deliver mails! :)
Cheers,
Gavin.
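Sven's explanation of why the DNAT on its own kills outbound SMTP, and Gavin's final rule pair, traced as an added Python model (not code from the thread): it applies the PREROUTING DNAT and the POSTROUTING SNAT to a constructed SYN and shows which replies bypass the gateway. The host addresses are the ones used in the thread; 12.34.56.78 is Sven's example external mail server.

```python
import ipaddress

# Addresses from the thread; the external MX 12.34.56.78 is Sven's example.
LAN = ipaddress.ip_network("10.0.0.0/24")
FW, MTA = "10.0.0.254", "10.0.0.253"          # gateway (eth1 side) and internal MTA
CLIENT, EXT_MX = "10.0.0.1", "12.34.56.78"     # LAN client and an outside mail server


def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN


def dnat(pkt):
    """PREROUTING: -i eth1 -s ! 10.0.0.253 --dport 25 -j DNAT --to 10.0.0.253:25"""
    if pkt["dport"] == 25 and pkt["src"] != MTA:
        return {**pkt, "dst": MTA}
    return pkt


def snat(pkt, enabled):
    """POSTROUTING: -s 10.0.0.0/24 -d 10.0.0.253 --dport 25 -j SNAT --to 10.0.0.254"""
    if enabled and in_lan(pkt["src"]) and pkt["dst"] == MTA and pkt["dport"] == 25:
        return {**pkt, "src": FW}
    return pkt


def smtp_connect(client_src, with_snat):
    """Trace one outbound SMTP SYN through the gateway.

    Returns (server that received the SYN, address the client sees replying);
    the second element is None when the server's reply never passes the gateway,
    so conntrack cannot undo the DNAT and the client's TCP stack rejects the SYN-ACK.
    """
    syn = {"src": client_src, "dst": EXT_MX, "dport": 25}
    fwd = snat(dnat(syn), with_snat)           # PREROUTING, routing, POSTROUTING
    server, reply_to = fwd["dst"], fwd["src"]
    # Both hosts on the same /24: the MTA answers the client directly at layer 2,
    # bypassing the gateway, unless the SYN was SNATed to the gateway's address.
    if in_lan(server) and in_lan(reply_to) and reply_to != FW:
        return server, None
    # Reply reaches the gateway (addressed to FW, or arriving from outside via the
    # default route); conntrack reverses the translations, so the client sees the
    # address it originally dialled.
    return server, syn["dst"]


if __name__ == "__main__":
    print("client, DNAT only :", smtp_connect(CLIENT, with_snat=False))  # ('10.0.0.253', None)
    print("client, DNAT+SNAT :", smtp_connect(CLIENT, with_snat=True))   # ('10.0.0.253', '12.34.56.78')
    print("MTA itself        :", smtp_connect(MTA, with_snat=True))      # ('12.34.56.78', '12.34.56.78')
```

The third case is the `-s ! 10.0.0.253` exemption at work: the MTA's own deliveries are left alone and go out to the real port 25.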
* Re: Redirecting outgoing SMTP from LAN to another LAN server
From: Antony Stone @ 2004-05-13 13:42 UTC (permalink / raw)
To: netfilter
On Thursday 13 May 2004 1:46 pm, Gavin Hamill wrote:
> This is just a final followup to say thanks for the advice, and to report
> on the final solution.
>
> eth0 is the 0utside, and eth1 is the 1nside (that's what I use to stop
> confusing myself...) and 10.0.0.254 is the firewall and default gateway for
> all LAN machines
>
> $ iptables -t nat -A PREROUTING -p tcp -i eth1 -s ! 10.0.0.253 --dport 25
> -j DNAT --to 10.0.0.253:25
> $ iptables -t nat -A POSTROUTING -p tcp -s 10.0.0.0/24 -d 10.0.0.253
> --dport 25 -j SNAT --to 10.0.0.254
>
> This way, LAN users trying to connect directly to an external mail server
> get sent to the MTA on 10.0.0.253, and 10.0.0.253 itself still has full
> access to 'real' port 25 in order that it can deliver mails! :)
>
> Cheers,
> Gavin.
I'd just like to say that it's very nice to see a posting like this here,
showing the working solution (together with an explanation of why it works,
and exactly what it does), since this sort of thing is very useful to people
searching the archives in future.
Finding a working solution which someone has bothered to document is much more
helpful than finding someone with a similar problem, and having to go through
half the same effort of solving it, so thanks Gavin for providing this info.
Regards,
Antony.
--
"Black holes are where God divided by zero."
- Steven Wright
Please reply to the list;
please don't CC me.
* Re: Redirecting outgoing SMTP from LAN to another LAN server
From: Micha Silver @ 2004-05-15 11:42 UTC (permalink / raw)
To: netfilter
Antony Stone wrote:
> On Thursday 13 May 2004 1:46 pm, Gavin Hamill wrote:
>
>
>>This is just a final followup to say thanks for the advice, and to report
>>on the final solution.
>>
>>eth0 is the 0utside, and eth1 is the 1nside (that's what I use to stop
>>confusing myself...) and 10.0.0.254 is the firewall and default gateway for
>>all LAN machines
>>
>>$ iptables -t nat -A PREROUTING -p tcp -i eth1 -s ! 10.0.0.253 --dport 25
>>-j DNAT --to 10.0.0.253:25
>>$ iptables -t nat -A POSTROUTING -p tcp -s 10.0.0.0/24 -d 10.0.0.253
>>--dport 25 -j SNAT --to 10.0.0.254
>>
>>This way, LAN users trying to connect directly to an external mail server
>>get sent to the MTA on 10.0.0.253, and 10.0.0.253 itself still has full
>>access to 'real' port 25 in order that it can deliver mails! :)
>>
Gavin:
Why would your LAN users ever need to send SMTP to anywhere other
than your MTA? With the above rules aren't you allowing an 1nside (I
like that 0 1 idea!) computer, infected with a worm to propagate the
virus?
I apologize if I missed something in your original post that
explains this.
--Micha
>>Cheers,
>>Gavin.
>
>
> I'd just like to say that it's very nice to see a posting like this here,
> showing the working solution (together with an explanation of why it works,
> and exactly what it does), since this sort of thing is very useful to people
> searching the archives in future.
>
> Finding a working solution which someone has bothered to document is much more
> helpful than finding someone with a similar problem, and having to go through
> half the same effort of solving it, so thanks Gavin for providing this info.
>
> Regards,
>
> Antony.
>
* Re: Redirecting outgoing SMTP from LAN to another LAN server
From: Gavin Hamill @ 2004-05-15 12:27 UTC (permalink / raw)
To: netfilter
On Sat, May 15, 2004 at 02:42:21PM +0300, Micha Silver wrote:
> Gavin:
> Why would your LAN users ever need to send SMTP to anywhere other
> than your MTA?
Mostly as a convenience. We have dozens of LAN machines with an
assortment of SMTP server settings. We also have some notebooks that
roam between different sites, and I deemed it more appropriate to
force everyone to use the local MTA than to have to manually reconfigure
everything.
> With the above rules aren't you allowing an 1nside (I
> like that 0 1 idea!) computer, infected with a worm to propagate the
> virus?
Yes and no. Yes, by allowing people to theoretically connect to any
external MTA, the virus can propagate, but this is weighed against the
monitoring I have in place so that the number of mails processed and
load average on the MTA machine will spike up, and this allows me to
quickly identify the offending machine and firewall it out completely
whilst the virus is neutralised.
Thinking about it, I could simply firewall things more so that only
"our" MTAs are permitted... hmm I might do that actually - thanks for
the train of thought.
I'm glad you like the 0utside/1nside thing... it even holds (to a lesser
extent) when you have eth2 configured as the 'DMZ' interface :)
Cheers,
Gavin.