Ignorance about combining two net connections

Ignorance about combining two net connections

[felix]

I have a computer out in the boonies where access is of two types:
dialup and satellite.  The computer has a static IP address for the
dialup because it has its own domain and needs that for SMTP service.
The satellite can't supply static addresses, only DHCP, so can't be a
mail server.

I have been trying to figure out how to combine the two in the
firewall so it sends everything to the satellite connection except
SMTP and maybe ssh.  I figure SMTP out has to come from the static IP
address to avoid being thought spam, and perhaps ssh too.  What I am
stumped on is exactly how to split this traffic at the firewall
between the static and dynamic connections.

I used to be a C programmer, wrote socket code, understood it pretty
well, but I have been doing so much Perl the last few years that bit
rot has set in, and I am afraid now that I remember just enough to be
dangerous.  For instance, I know that when a client connects to a
remote server's port 25, when the server accept()s the connection, it
assigns a new temporary port to that connection.  But I forget the
details, and rereading Stevens is a frustrating trip down memory lane.

Suppose I have an iptables rule which sends all outgoing traffic with
a destination port of 25 down the static pipe.  What happens when the
server switches ports?  The client will send subsequent packets to a
non-25 port and they will not be sent down the static pipe -- right?
Will the remote server notice or even care?  The packets will have the
proper destination address and port, the right sequence number, etc,
but what will happen to the source address?  I assume the internals of
the kernel must handle the translation so that return packets aren't
lost, but I never did know a lot about that end of things.

Incoming to the local SMTP server doesn't need any attention, right?
What happens when my server accept()s the connection and changes the
port in use -- will that switch to the satellite connection OK?

Or is iptables smart enough to keep track of the packets and know they
are connected?  Does it only need the rule for new packets?

I am really out of my depth these days on these nitty gritty details,
and any advice will be greatly appreciated.  Without the proper
firewall routing of these two, I have to switch them manually for
software upgrades, any serious browsing, etc, but I have to make sure
it is on dialup to get email.

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

Re: Ignorance about combining two net connections

[G.W. Haywood]

Hi there,

On Sun, 14 Oct 2007 felix@crowfix.com wrote:

> I have a computer out in the boonies ... satellite can't supply
> static addresses, only DHCP, so can't be a mail server.

Wrong.  Check out dyndns.com

--

73,
Ged.

Re: Ignorance about combining two net connections

[felix]

On Sun, Oct 14, 2007 at 01:53:46PM +0100, G.W. Haywood wrote:
> 
> On Sun, 14 Oct 2007 felix@crowfix.com wrote:
> 
> > I have a computer out in the boonies ... satellite can't supply
> > static addresses, only DHCP, so can't be a mail server.
> 
> Wrong.  Check out dyndns.com

Interesting, but I have my own mail server because I wanted control of
it, and they want me to install their software on my computer.  I'd
rather not have one more thing to worry about.  But still an
interesting idea to keep in mind.

-- 
            ... _._. ._ ._. . _._. ._. ___ .__ ._. . .__. ._ .. ._.
     Felix Finch: scarecrow repairman & rocket surgeon / felix@crowfix.com
  GPG = E987 4493 C860 246C 3B1E  6477 7838 76E9 182E 8151 ITAR license #4933
I've found a solution to Fermat's Last Theorem but I see I've run out of room o

Re: Ignorance about combining two net connections

[Pascal Hambourg]

Hello,

felix@crowfix.com a écrit :
[...]
> For instance, I know that when a client connects to a
> remote server's port 25, when the server accept()s the connection, it
> assigns a new temporary port to that connection.

Huh ? What are you talking about ? Aren't you confusing with FTP ?

> Suppose I have an iptables rule which sends all outgoing traffic with
> a destination port of 25 down the static pipe.

You need more thant a simple iptables rule. Iptables will just mark the 
packets and do some NAT if required, you need also advanced routing to 
route marked packets through the proper interface. See the LARTC howto. 
Do not forget to disable source address validation (rp_filter).

[cut irrelevant stuff]
> Incoming to the local SMTP server doesn't need any attention, right?

Reply traffic of incoming connections must be routed through the same 
ISP, because the other ISP may consider it as IP spoofing and drop it. 
This also requires advanced routing.