Subject: [LARTC] routing mail on a different gateway
From: Julien @ 2004-07-23 19:29 UTC
To: lartc
Hi,
I have a Linux box with two DSL modems on it (connection is done via
PPPoE). I'm trying to route default traffic on the primary connection
(ppp0) and mail traffic on another one (ppp1). This traffic will come
from the localhost.
I run Slackware 9.1 (Kernel 2.4.22), recompiled with the necessary options
for using iproute2.
According to the advanced routing howto, I did the following:
iptables -A OUTPUT -t mangle -p tcp --dport 25 -j MARK --set-mark 1
I use "-A OUTPUT" since I want to alter locally generated packets.
echo 201 mail.out >> /etc/iproute2/rt_tables
ip rule add fwmark 1 table mail.out
/sbin/ip route add default via [Second's ISP Gateway] dev ppp1 table mail.out
I get no error message; ip rule ls and ip route show confirm the params were
recorded, and iptables -t mangle -L -n -v shows no problem either.
When I do telnet smtp.someisp.com 25, I see with tcpdump the packets
going out through the interface ppp1:
14:32:40.693429 62.212.120.196.34515 > 193.252.22.80.smtp: S
4069327741:4069327741(0) win 5808 <mss 1452,sackOK,timestamp 929359
0,nop,wscale 0> (DF) [tos 0x10]
But the problem is that they originate from 62.212.120.196, which
is the IP of ppp0, not ppp1. So packets can't take the way back.
How can I change the "from" IP of packets that are routed through ppp1?
Thanks for your help.
Julien
PS: I did a quite similar post on the netfilter list, and thanks to the
guys there I succeeded in solving the base problem (at the start no packet was
going out at all on ppp1), but now that I know the lartc list exists, I think
asking here is better.
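As an added example (not code from the thread or from the LARTC HOWTO), the script below assembles the steps from this message (mark in mangle/OUTPUT, rt_tables entry, fwmark rule, default route in the extra table) together with the SNAT rule quoted in the follow-up into one idempotent script. It prints the commands in dry-run mode by default, so it can be reviewed before anything is changed. The gateway and the two interface addresses are placeholders from the 192.0.2.0/24 documentation range; the sysctl that relaxes reverse-path filtering on ppp1 is a caveat added here, not something the thread discusses: with strict rp_filter, replies arriving on ppp1 from a peer the main table routes via ppp0 are discarded before they reach the socket.

```shell
#!/bin/sh
# Added example (not from the thread): assemble the policy-routing setup from
# the question (mark, table, rule, route) plus the SNAT rule from the reply
# into one idempotent script.  Addresses below are placeholders from the
# 192.0.2.0/24 documentation range; set them via the environment and run
# with DRY_RUN=0 to actually apply them.
set -eu

DRY_RUN="${DRY_RUN:-1}"                 # 1: print commands only; 0: execute
MARK=1                                  # fwmark from the thread
TABLE_ID=201                            # rt_tables number from the thread
TABLE_NAME=mail.out                     # rt_tables name from the thread
MAIL_IF="${MAIL_IF:-ppp1}"              # link the mail traffic should use
MAIL_GW="${MAIL_GW:-192.0.2.1}"         # placeholder: second ISP's gateway
MAIN_IP="${MAIN_IP:-192.0.2.10}"        # placeholder: ppp0 address
MAIL_IP="${MAIL_IP:-192.0.2.20}"        # placeholder: ppp1 address
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# Print the commands, one per line, in the order they have to be applied.
build_commands() {
    # 1. Mark locally generated SMTP packets (mangle/OUTPUT, as in the question).
    echo "iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARK"
    # 2. Register the table name once; repeated runs must not append duplicates.
    echo "grep -q '^$TABLE_ID[[:space:]]$TABLE_NAME\$' $RT_TABLES || echo '$TABLE_ID $TABLE_NAME' >> $RT_TABLES"
    # 3. Marked packets use that table; remove any earlier copy of the rule
    #    first, because 'ip rule add' happily adds duplicates.
    echo "ip rule del fwmark $MARK table $TABLE_NAME 2>/dev/null || true"
    echo "ip rule add fwmark $MARK table $TABLE_NAME"
    # 4. Default route inside the table via the second ISP ('replace' is idempotent).
    echo "ip route replace default via $MAIL_GW dev $MAIL_IF table $TABLE_NAME"
    # 5. Rewrite the source so replies arrive on the mail link.  Inserted at
    #    position 1 so it precedes any MASQUERADE rule, as the reply recommends.
    echo "iptables -t nat -I POSTROUTING 1 -p tcp -s $MAIN_IP --dport 25 -j SNAT --to-source $MAIL_IP"
    # 6. Caveat not discussed in the thread: strict reverse-path filtering drops
    #    packets arriving on the mail link whose source the main table routes
    #    out of another interface.
    echo "sysctl -w net.ipv4.conf.$MAIL_IF.rp_filter=0"
}

# Execute (or just show) the commands; stops at the first one that fails.
apply_commands() {
    build_commands | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            sh -c "$cmd"
        fi
    done
}

apply_commands
```

Run it once with the defaults to read the generated commands, then with `DRY_RUN=0 MAIL_GW=... MAIN_IP=... MAIL_IP=... sh mail-via-ppp1.sh` as root. Because the rule deletion, `ip route replace` and the rt_tables grep are all safe to repeat, the script can be re-run after each PPP reconnect without accumulating duplicate rules.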
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Subject: Re: [LARTC] routing mail on a different gateway
From: Julien @ 2004-07-24 11:18 UTC
To: lartc
Lance Dryden wrote:
> Good evening,
>
> Since you are worried only about outbound port 25 traffic being sent
> from localhost, a question arises: is all of the mail traffic coming
> from one specific program?
>
> If so, you will probably have an easier time convincing the program to
> simply bind the outbound socket locally to the correct interface.
> Unless it is a full-blown MTA like Postfix or Sendmail; most MTAs want
> to be told which IP address to locally bind to and not which interface
> to use.
>
> You might be better off using NAT. This would be a somewhat goofy
> use, and I have never tried it, so I do not know if it works. It
> would look like this:
>
> iptables \
> --table nat --append POSTROUTING --proto tcp \
> --source <general-traffic-interface-IP> \
> --dport 25 \
> --jump SNAT --to-source <SMTP-specific-interface-IP>
>
> This line would need to be added above any POSTROUTING lines for
> supporting masquerading. The kernel should be able to take care of
> sending the data out the correct interface.
>
> Do let me know if it works.
>
> Yours, &c
> Lance Dryden
>
Thanks for your response,
I did two things:
- Asked Postfix to bind to the second ISP's external IP
=> traffic goes out through ppp1 and back in. Good, but I get "connection
timed out connecting to..." in the Postfix log
- Added the iptables line you advised me to:
=> packets go out with the second ISP's IP, good, that was not the case before
=> packets go back
But I get no answer in the telnet, which seems to be the same problem
as when telling Postfix to bind to the second ISP's IP: packets go out
and back in, but the client cannot communicate with the remote SMTP server.
I think I forgot some iptables lines that would let ppp1's traffic go
back in. Do you know which ones I should use to make sure the traffic can
go back in properly?
Here is the tcpdump log when doing telnet 213.41.143.209 25:
13:12:36.296170 81.48.224.208.51061 > 213.41.143.209.smtp: S
3495988204:3495988204(0) win 5808 <mss 1452,sackOK,timestamp 7706419
0,nop,wscale 0> (DF) [tos 0x10]
13:12:36.437196 213.41.143.209.smtp > 81.48.224.208.51061: S
687160518:687160518(0) ack 3495988205 win 16800 <mss
1412,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 536203422 7706419> (DF)
13:12:38.703028 213.41.143.209.smtp > 81.48.224.208.51060: S
1256669228:1256669228(0) ack 3496982511 win 16800 <mss
1412,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 536203426 7706045> (DF)
13:12:39.292786 81.48.224.208.51061 > 213.41.143.209.smtp: S
3495988204:3495988204(0) win 5808 <mss 1452,sackOK,timestamp 7706719
0,nop,wscale 0> (DF) [tos 0x10]
13:12:39.428299 213.41.143.209.smtp > 81.48.224.208.51061: S
687160518:687160518(0) ack 3495988205 win 16800 <mss
1412,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 536203428 7706719> (DF)
13:12:40.398787 213.41.143.209.smtp > 81.48.224.208.51059: S
957484233:957484233(0) ack 3482227097 win 16800 <mss
1412,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 536203430 7705616> (DF)
Thanks for your help!
Julien
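The capture above has a recognisable shape: the local side sends SYN, the peer answers SYN-ACK, and the local side retransmits the SYN instead of completing the handshake, so the replies reach the interface but never reach the socket. As an added example (not part of the thread), the script below makes that pattern mechanical to spot in a tcpdump text capture: it groups packets by local port and reports, per port, how many SYNs went out, how many SYN-ACKs came back and whether the local side ever sent a non-SYN segment afterwards. The sample input is the six lines from this message rejoined onto single lines, plus one constructed completed handshake on port 51062 for contrast. When a capture shows this pattern, the link itself is delivering the replies, so the next things to check are what the host does with them after reception: INPUT firewall rules and, on Linux, the reverse-path filter setting of the interface they arrive on.

```shell
#!/bin/sh
# Added example (not from the thread): triage a tcpdump text capture for TCP
# handshakes that stall after the SYN-ACK, i.e. replies that reach the
# interface but are never acknowledged by the local stack.
set -eu

LOCAL_IP="81.48.224.208"   # local (ppp1) address seen in the capture above

# Sample input: the six capture lines from the message, each rejoined onto one
# line, plus a constructed completed handshake on port 51062 for contrast.
SAMPLE_CAPTURE='13:12:36.296170 81.48.224.208.51061 > 213.41.143.209.smtp: S 3495988204:3495988204(0) win 5808 <mss 1452,sackOK,timestamp 7706419 0,nop,wscale 0> (DF) [tos 0x10]
13:12:36.437196 213.41.143.209.smtp > 81.48.224.208.51061: S 687160518:687160518(0) ack 3495988205 win 16800 <mss 1412,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 536203422 7706419> (DF)
13:12:38.703028 213.41.143.209.smtp > 81.48.224.208.51060: S 1256669228:1256669228(0) ack 3496982511 win 16800 <mss 1412,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 536203426 7706045> (DF)
13:12:39.292786 81.48.224.208.51061 > 213.41.143.209.smtp: S 3495988204:3495988204(0) win 5808 <mss 1452,sackOK,timestamp 7706719 0,nop,wscale 0> (DF) [tos 0x10]
13:12:39.428299 213.41.143.209.smtp > 81.48.224.208.51061: S 687160518:687160518(0) ack 3495988205 win 16800 <mss 1412,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 536203428 7706719> (DF)
13:12:40.398787 213.41.143.209.smtp > 81.48.224.208.51059: S 957484233:957484233(0) ack 3482227097 win 16800 <mss 1412,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 536203430 7705616> (DF)
13:12:41.000000 81.48.224.208.51062 > 213.41.143.209.smtp: S 1:1(0) win 5808 <mss 1452> (DF) [tos 0x10]
13:12:41.100000 213.41.143.209.smtp > 81.48.224.208.51062: S 2:2(0) ack 2 win 16800 <mss 1412> (DF)
13:12:41.100100 81.48.224.208.51062 > 213.41.143.209.smtp: . ack 1 win 5808 (DF) [tos 0x10]'

# Read tcpdump lines on stdin; argument 1 is the local address.  Prints one
# line per local port: "port syn=N synack=N local_ack=N STATUS", sorted by port.
triage_handshakes() {
    awk -v lip="$1" '
    {
        dst = $4; sub(/:$/, "", dst)                 # "a.b.c.d.port:" -> "a.b.c.d.port"
        from_local = (index($2, lip ".") == 1)       # did the local host send it?
        ep = from_local ? $2 : dst                   # the local endpoint of this packet
        n = split(ep, a, "."); port = a[n]           # last dotted component is the port
        if (from_local && $5 == "S")                       syn[port]++
        else if (!from_local && $5 == "S" && $0 ~ / ack /) synack[port]++
        else if (from_local)                               lack[port]++   # ACK or data
        seen[port] = 1
    }
    END {
        for (p in seen) {
            s = syn[p] + 0; sa = synack[p] + 0; la = lack[p] + 0
            st = (la > 0) ? "COMPLETE" : (sa > 0) ? "STALLED_AFTER_SYNACK" : "NO_REPLY"
            printf "%s syn=%d synack=%d local_ack=%d %s\n", p, s, sa, la, st
        }
    }' | sort -n
}

printf '%s\n' "$SAMPLE_CAPTURE" | triage_handshakes "$LOCAL_IP"
```

On the sample, port 51061 shows two SYNs, two SYN-ACKs and no local ACK, ports 51059 and 51060 show SYN-ACKs for attempts that started before the capture, and only the constructed port 51062 reaches COMPLETE. For a live capture, feed `tcpdump -n -i ppp1 port 25` output into `triage_handshakes` with the address of the interface being captured.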