* Redirecting mail
@ 2005-04-08 10:26 Ilo Lorusso
2005-04-08 10:58 ` Rob Sterenborg
2005-04-08 19:29 ` Taylor, Grant
0 siblings, 2 replies; 10+ messages in thread
From: Ilo Lorusso @ 2005-04-08 10:26 UTC (permalink / raw)
To: netfilter
Hi,
I've got a mailserver sitting on a network with an IP address 172.20.128.56 whose internet line is very congested. Now on another network I have another Linux box, 192.168.16.56, with a default route which goes out another internet line.
Now what I would like to know is whether there is a way I could route all outgoing mail from 172.20.128.56
to 192.168.16.56 using iptables DNAT.
First of all, is it possible to do what I want to do? And would I use iptables or iptables with something else?
This is what I've tried...
On 172.20.128.56 (Red Hat Linux release 7.3)
I issue the command:
iptables -t nat -A OUTPUT -p tcp -m multiport --dports smtp -j DNAT --to-destination 192.168.12.56
Now when I'm on 192.168.12.56 (Red Hat Linux release 9 (Shrike))
and do a tcpdump grepping for smtp I see connections from 172.20.128.56,
but I'm not exactly sure what it's doing. What I do know is that from 172.20.128.56 I can't make smtp connections out to the internet.
tcpdump: listening on eth0
16:07:03.867918 172.20.128.56.56476 > 192.168.12.56.smtp: S 2918215293:2918215293(0) win 5840 <mss 1380,sackOK,timestamp 10220283 0,nop,wscale 0> (DF)
16:07:03.868077 192.168.12.56.smtp > 172.20.128.56.56476: S 546916583:546916583(0) ack 2918215294 win 5792 <mss 1460,sackOK,timestamp 180210285 10220283,nop,wscale 0> (DF)
16:07:06.864296 172.20.128.56.56476 > 192.168.12.56.smtp: S 2918215293:2918215293(0) win 5840 <mss 1380,sackOK,timestamp 10220583 0,nop,wscale 0> (DF)
16:07:06.864362 192.168.12.56.smtp > 172.20.128.56.56476: S 546916583:546916583(0) ack 2918215294 win 5792 <mss 1460,sackOK,timestamp 180210585 10220283,nop,wscale 0> (DF)
16:07:08.261244 192.168.12.56.smtp > 172.20.128.56.56476: S 546916583:546916583(0) ack 2918215294 win 5792 <mss 1460,sackOK,timestamp 180210725 10220283,nop,wscale 0> (DF)
16:07:12.863062 172.20.128.56.56476 > 192.168.12.56.smtp: S 2918215293:2918215293(0) win 5840 <mss 1380,sackOK,timestamp 10221183 0,nop,wscale 0> (DF)
16:07:12.863131 192.168.12.56.smtp > 172.20.128.56.56476: S 546916583:546916583(0) ack 2918215294 win 5792 <mss 1460,sackOK,timestamp 180211185 10220283,nop,wscale 0> (DF)
16:07:14.261232 192.168.12.56.smtp > 172.20.128.56.56476: S 546916583:546916583(0) ack 2918215294 win 5792 <mss 1460,sackOK,timestamp 180211325 10220283,nop,wscale 0> (DF)
16:07:15.006377 172.20.128.56.56531 > 192.168.12.56.smtp: S 2944177066:2944177066(0) win 5840 <mss 1380,sackOK,timestamp 10221397 0,nop,wscale 0> (DF)
16:07:15.006502 192.168.12.56.smtp > 172.20.128.56.56531: S 552052850:552052850(0) ack 2944177067 win 5792 <mss 1460,sackOK,timestamp 180211399 10221397,nop,wscale 0> (DF)
^ permalink raw reply [flat|nested] 10+ messages in thread
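An added example (not part of the original post) that summarises the handshakes in the capture above: the client keeps resending the same SYN while the server keeps resending its SYN-ACK, so the DNAT rule is matching but the reply is not being accepted by 172.20.128.56. The function names and verdict strings are made up for this example; the sample lines are the ones posted above.

```shell
#!/bin/sh
# Added example: per-flow handshake summary for old-style tcpdump text output.

# Capture lines copied from the post above (tcpdump on 192.168.12.56).
capture() {
cat <<'EOF'
tcpdump: listening on eth0
16:07:03.867918 172.20.128.56.56476 > 192.168.12.56.smtp: S 2918215293:2918215293(0) win 5840 <mss 1380,sackOK,timestamp 10220283 0,nop,wscale 0> (DF)
16:07:03.868077 192.168.12.56.smtp > 172.20.128.56.56476: S 546916583:546916583(0) ack 2918215294 win 5792 <mss 1460,sackOK,timestamp 180210285 10220283,nop,wscale 0> (DF)
16:07:06.864296 172.20.128.56.56476 > 192.168.12.56.smtp: S 2918215293:2918215293(0) win 5840 <mss 1380,sackOK,timestamp 10220583 0,nop,wscale 0> (DF)
16:07:06.864362 192.168.12.56.smtp > 172.20.128.56.56476: S 546916583:546916583(0) ack 2918215294 win 5792 <mss 1460,sackOK,timestamp 180210585 10220283,nop,wscale 0> (DF)
16:07:08.261244 192.168.12.56.smtp > 172.20.128.56.56476: S 546916583:546916583(0) ack 2918215294 win 5792 <mss 1460,sackOK,timestamp 180210725 10220283,nop,wscale 0> (DF)
16:07:12.863062 172.20.128.56.56476 > 192.168.12.56.smtp: S 2918215293:2918215293(0) win 5840 <mss 1380,sackOK,timestamp 10221183 0,nop,wscale 0> (DF)
16:07:12.863131 192.168.12.56.smtp > 172.20.128.56.56476: S 546916583:546916583(0) ack 2918215294 win 5792 <mss 1460,sackOK,timestamp 180211185 10220283,nop,wscale 0> (DF)
16:07:14.261232 192.168.12.56.smtp > 172.20.128.56.56476: S 546916583:546916583(0) ack 2918215294 win 5792 <mss 1460,sackOK,timestamp 180211325 10220283,nop,wscale 0> (DF)
16:07:15.006377 172.20.128.56.56531 > 192.168.12.56.smtp: S 2944177066:2944177066(0) win 5840 <mss 1380,sackOK,timestamp 10221397 0,nop,wscale 0> (DF)
16:07:15.006502 192.168.12.56.smtp > 172.20.128.56.56531: S 552052850:552052850(0) ack 2944177067 win 5792 <mss 1460,sackOK,timestamp 180211399 10221397,nop,wscale 0> (DF)
EOF
}

# handshake_report: read tcpdump lines on stdin and print one line per client flow:
#   <client> > <server> syn=N synack=M verdict=V
handshake_report() {
  awk '
    $3 != ">" { next }                 # skip banner lines that are not packets
    {
      src = $2; dst = $4; sub(/:$/, "", dst); flags = $5
      fwd = src " > " dst; rev = dst " > " src
      has_ack = ($0 ~ / ack [0-9]+/)
      if (flags ~ /S/ && !has_ack)     syn[fwd]++       # client SYN (or retransmission)
      else if (flags ~ /S/ && has_ack) synack[rev]++    # server SYN-ACK, filed under the client flow
      else if (flags !~ /[SR]/ && has_ack && (fwd in syn)) est[fwd] = 1   # client ACK seen
    }
    END {
      for (k in syn) {
        if (k in est)            v = "established"
        else if (synack[k] == 0) v = "no-reply-seen"
        else if (syn[k] > 1)     v = "synack-not-accepted-by-client"
        else                     v = "incomplete"
        printf "%s syn=%d synack=%d verdict=%s\n", k, syn[k], synack[k], v
      }
    }' | sort
}

capture | handshake_report
```

A flow reported as synack-not-accepted-by-client points at the return path (routing back to the client, or a firewall between the two hosts) rather than at the DNAT rule itself.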
* RE: Redirecting mail
2005-04-08 10:26 Redirecting mail Ilo Lorusso
@ 2005-04-08 10:58 ` Rob Sterenborg
2005-04-08 11:38 ` Ilo Lorusso
2005-04-08 11:43 ` Ilo Lorusso
2005-04-08 19:29 ` Taylor, Grant
1 sibling, 2 replies; 10+ messages in thread
From: Rob Sterenborg @ 2005-04-08 10:58 UTC (permalink / raw)
To: netfilter
> Now what i would like to know is there a way I could route
> all out going mail from 172.20.128.56 to 192.168.16.56 using
> iptables DNAT.
>
> First of all, is it possible to do what I want to do? and
The networks seem to be connected, so can't you just configure a
smtp-forwarder in your MTA configuration ? That would be easier I think.
> would I use iptables or iptables with something else?
No, just iptables would be enough.
> This is what ive tried...
>
> on 172.20.128.56 (Red Hat Linux release 7.3)
> i issue the command :
> iptables -t nat -A OUTPUT -p tcp -m multiport --dports smtp
> -j DNAT --to-destination 192.168.12.56
There is no need to use multiport because you only DNAT 1 port : smtp.
But that should not be a problem.
iptables -t nat -A OUTPUT -p tcp --dports smtp \
-j DNAT --to-destination 192.168.12.56
> now when im on 192.168.12.56 (Red Hat Linux release 9 (Shrike) )
> and do a tcpdump greping for smtp I see connections from 172.20.128.56
> but not exactly sure what its doing.. but what i know, from
> 172.20.128.56 I cant make smtp connections out to the internet..
A few obvious tests :
Do you see mail coming in from 172.20.128.56 into the queue of
192.168.12.56 ?
Is mail from 172.20.128.56 "for the internet" being delivered ?
If it's not working, do you have other iptables rules that prohibit this
from working ?
Gr,
Rob
********* DISCLAIMER *********
The information in this e-mail message is intended exclusively for the addressee. Disclosure to and use by others is not permitted.
Because the message is sent electronically, no rights can be derived from the information. TTP does not guarantee the correct and complete transmission of the content of a sent e-mail, nor its timely receipt.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Redirecting mail
2005-04-08 10:58 ` Rob Sterenborg
@ 2005-04-08 11:38 ` Ilo Lorusso
2005-04-08 12:06 ` Rob Sterenborg
2005-04-08 18:57 ` Taylor, Grant
2005-04-08 11:43 ` Ilo Lorusso
1 sibling, 2 replies; 10+ messages in thread
From: Ilo Lorusso @ 2005-04-08 11:38 UTC (permalink / raw)
To: Rob Sterenborg; +Cc: netfilter
> The networks seem to be connected, so can't you just configure a
> smtp-forwarder in your MTA configuration ? That would be easier I think.
I'd prefer just using iptables, so I can redirect when I need to.
> There is no need to use multiport because you only DNAT 1 port : smtp.
> But that should not be a problem.
>
> iptables -t nat -A OUTPUT -p tcp --dports smtp \
> -j DNAT --to-destination 192.168.12.56
If I try it without the multiport option I get the following error:
[root@posjia0h01 root]# iptables -t nat -A OUTPUT -p tcp --dports smtp -j DNAT --to-destination 192.168.12.56
iptables v1.2.5: Unknown arg `--dports'
Try `iptables -h' or 'iptables --help' for more information.
And no, I don't have any rules blocking this from working, as shown below, but
would I need any iptables rules to make it work maybe? (like enabling
IP forwarding and maybe a forward rule, I'm not sure)
[root@prxsaa0z02 root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@prxsaa0z02 root]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Redirecting mail
2005-04-08 10:58 ` Rob Sterenborg
2005-04-08 11:38 ` Ilo Lorusso
@ 2005-04-08 11:43 ` Ilo Lorusso
1 sibling, 0 replies; 10+ messages in thread
From: Ilo Lorusso @ 2005-04-08 11:43 UTC (permalink / raw)
To: Rob Sterenborg; +Cc: netfilter
This is strange...
I've got another mailserver, 172.24.128.56.
Now if I put that rule in
iptables -t nat -A OUTPUT -p tcp -m multiport --dports smtp -j DNAT --to-destination 192.168.12.56
and if I try to telnet to any mail server on the internet, I connect to
192.168.12.56 (which should happen on 172.20.128.56)
[root@poscpt0h01 root]# telnet 196.31.155.18 25
Trying 196.31.155.18...
Connected to 196.31.155.18.
Escape character is '^]'.
220 prxsaa0z02.ipnetwork.co.za ESMTP Sendmail 8.12.8/8.12.8; Fri, 8 Apr 2005 17:30:45 +0200
Is there no way to make it connect directly to 196.31.155.18, but using
192.168.12.56 as a gateway?
----- Original Message -----
From: "Rob Sterenborg" <rob@sterenborg.info>
To: <netfilter@lists.netfilter.org>
Sent: Friday, April 08, 2005 12:58 PM
Subject: RE: Redirecting mail
>> Now what i would like to know is there a way I could route
>> all out going mail from 172.20.128.56 to 192.168.16.56 using
>> iptables DNAT.
>>
>> First of all, is it possible to do what I want to do? and
>
> The networks seem to be connected, so can't you just configure a
> smtp-forwarder in your MTA configuration ? That would be easier I think.
>
>> would I use iptables or iptables with something else?
>
> No, just iptables would be enough.
>
>> This is what ive tried...
>>
>> on 172.20.128.56 (Red Hat Linux release 7.3)
>> i issue the command :
>> iptables -t nat -A OUTPUT -p tcp -m multiport --dports smtp
>> -j DNAT --to-destination 192.168.12.56
>
> There is no need to use multiport because you only DNAT 1 port : smtp.
> But that should not be a problem.
>
> iptables -t nat -A OUTPUT -p tcp --dports smtp \
> -j DNAT --to-destination 192.168.12.56
>
>> now when im on 192.168.12.56 (Red Hat Linux release 9 (Shrike) )
>> and do a tcpdump greping for smtp I see connections from 172.20.128.56
>> but not exactly sure what its doing.. but what i know, from
>> 172.20.128.56 I cant make smtp connections out to the internet..
>
> A few obvious tests :
> Do you see mail coming in from 172.20.128.56 into the queue of
> 192.168.12.56 ?
> Is mail from 172.20.128.56 "for the internet" being delivered ?
>
> If it's not working, do you have other iptables rules that prohibit this
> from working ?
>
>
> Gr,
> Rob
^ permalink raw reply [flat|nested] 10+ messages in thread
* RE: Redirecting mail
2005-04-08 11:38 ` Ilo Lorusso
@ 2005-04-08 12:06 ` Rob Sterenborg
2005-04-08 18:57 ` Taylor, Grant
1 sibling, 0 replies; 10+ messages in thread
From: Rob Sterenborg @ 2005-04-08 12:06 UTC (permalink / raw)
To: netfilter
> > There is no need to use multiport because you only DNAT 1
> port : smtp.
> > But that should not be a problem.
> >
> > iptables -t nat -A OUTPUT -p tcp --dports smtp \ -j DNAT
> > --to-destination 192.168.12.56
>
>
> if I try it without the multiport option i get the following
> error..
>
> [root@posjia0h01 root]# iptables -t nat -A OUTPUT -p tcp
> --dports smtp -j DNAT --to-destination 192.168.12.56 iptables
> v1.2.5: Unknown arg `--dports'
> Try `iptables -h' or 'iptables --help' for more information.
Sorry, that should be "--dport", not "--dports".
> this is strange...
>
>
> Ive got another mailserver 172.24.128.56 ..
> now if I put that rule in
>
> iptables -t nat -A OUTPUT -p tcp -m multiport --dports smtp
> -j DNAT --to-destination 192.168.12.56
>
> and if I try telnet to any mail server on the internet , i connect to
> 192.168.12.56 (Which should happen on 172.20.128.56)
So if the rule works on 172.24.128.56, it should also be correct for
172.20.128.56.
> [root@poscpt0h01 root]# telnet 196.31.155.18 25 Trying
> 196.31.155.18...
> Connected to 196.31.155.18.
> Escape character is '^]'.
> 220 c ESMTP Sendmail 8.12.8/8.12.8;
> Fri, 8 Apr 2005
> 17:30:45 +0200
prxsaa0z02.ipnetwork.co.za is 192.168.12.56 I suppose ?
> is there noway to make it connect directly to 196.31.155.18,
> but using 192.168.12.56 as a gateway
I think you'd need a smtp proxy to do that (right now you're using
192.168.12.56 as a mail-gateway because it forwards mail from other
mailservers.)
Perhaps if you run a smtp proxy on port 26 or so, and forward other
mailservers to that port (192.168.12.56 is already running a mailserver
on port 25) :
iptables -t nat -A OUTPUT -p tcp --dport smtp \
-j DNAT --to 192.168.12.56:26
And let the smtp proxy connect to an internet MTA on port 25. But this
way you still don't connect directly to the receiving MTA.
Gr,
Rob
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Redirecting mail
2005-04-08 11:38 ` Ilo Lorusso
2005-04-08 12:06 ` Rob Sterenborg
@ 2005-04-08 18:57 ` Taylor, Grant
1 sibling, 0 replies; 10+ messages in thread
From: Taylor, Grant @ 2005-04-08 18:57 UTC (permalink / raw)
To: Ilo Lorusso, Rob Sterenborg; +Cc: netfilter
> > iptables -t nat -A OUTPUT -p tcp --dports smtp \
> > -j DNAT --to-destination 192.168.12.56
You have an error in your IPTables syntax.
iptables -t nat -A OUTPUT -p tcp --dport smtp -j DNAT --to-destination 192.168.12.56
Grant. . . .
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Redirecting mail
2005-04-08 10:26 Redirecting mail Ilo Lorusso
2005-04-08 10:58 ` Rob Sterenborg
@ 2005-04-08 19:29 ` Taylor, Grant
2005-04-09 15:59 ` Ilo Lorusso
1 sibling, 1 reply; 10+ messages in thread
From: Taylor, Grant @ 2005-04-08 19:29 UTC (permalink / raw)
To: Ilo Lorusso, netfilter
This mail server in question (172.20.128.56), is it just used for sending
email from your internal network out to the world or are you expecting email
from the world to come inbound to it too? Are you wanting this mail server
to continue using the internet connection that it has for all traffic except
SMTP or are you wanting all outbound traffic to pass through 192.168.16.56?
I would be tempted to use a combination of IPTables and IP routing rules.
Namely I'd do something like the following on the mail server
(172.20.128.56)
iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $SMTP_Mark
ip route add table $IPRoute2_SMTP_Table 192.168.16.0/24 dev $DEV_of_internal_network src $IP_of_DEV_of_internal_network
ip route add table $IPRoute2_SMTP_Table default via 192.168.16.56
ip rule add fwmark $SMTP_Mark table $IPRoute2_SMTP_Table
Where:
$SMTP_Mark is the value you want to use to mark the packets that need to use
the alternate route.
$IPRoute2_SMTP_Table is the name as it appears in /etc/iproute2/rt_tables or
the number of the table that you want to use.
$DEV_of_internal_network is the device name of your internal network
interface.
$IP_of_DEV_of_internal_network is the IP address of the device name of your
internal network interface.
This should cause any traffic that leaves the mail server in question to
pass through the alternate route out to the internet. If you have any
questions or need more help let me know and I'll see what I can do.
Grant. . . .
^ permalink raw reply [flat|nested] 10+ messages in thread
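An added sketch of the mark-and-route procedure described above (not code from the thread): it prints the four commands and refuses when the gateway is not on a directly connected network, which "ip route ... via" requires. It marks in the mangle table, where the MARK target is valid, and matches destination port 25 as seen for outbound SMTP in the capture earlier in the thread; the mark, table number, interface name and local address are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. Values marked "assumed" are placeholders.
SMTP_MARK=25          # fwmark value (assumed)
SMTP_TABLE=125        # routing table number (assumed)
INT_DEV=eth1          # interface on the 192.168.16.0/24 network (assumed)
INT_IP=192.168.16.10  # this host's address on INT_DEV (assumed)
INT_NET=192.168.16.0  # network from the thread
INT_PLEN=24           # its prefix length
ALT_GW=192.168.16.56  # alternate gateway from the thread

# ip2int <a.b.c.d>: dotted quad to integer (runs in a subshell so IFS is not leaked)
ip2int() ( IFS=.; set -- $1; echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )) )

# on_link <address> <network> <prefixlen>: succeeds if address lies inside network/prefixlen
on_link() {
  mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# smtp_policy <gateway>: print the commands, or fail if the gateway is not on-link
smtp_policy() {
  if ! on_link "$1" "$INT_NET" "$INT_PLEN"; then
    echo "gateway $1 is not on $INT_NET/$INT_PLEN; 'via' needs a directly connected next hop" >&2
    return 1
  fi
  cat <<EOF
iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $SMTP_MARK
ip route add $INT_NET/$INT_PLEN dev $INT_DEV src $INT_IP table $SMTP_TABLE
ip route add default via $1 dev $INT_DEV table $SMTP_TABLE
ip rule add fwmark $SMTP_MARK table $SMTP_TABLE
EOF
}

# Prints only; review the output, then pipe it to "sh -x" as root to apply.
smtp_policy "$ALT_GW"
```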
* Re: Redirecting mail
2005-04-08 19:29 ` Taylor, Grant
@ 2005-04-09 15:59 ` Ilo Lorusso
2005-04-09 18:58 ` Grant Taylor
0 siblings, 1 reply; 10+ messages in thread
From: Ilo Lorusso @ 2005-04-09 15:59 UTC (permalink / raw)
To: Taylor, Grant, netfilter
Hi,
I would just like to confirm with you, if machine 192.168.16.56 is to on the
same switch but 3 hops away will the method you describe still work?
----- Original Message -----
From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: "Ilo Lorusso" <sneak@ipnoc.co.za>; <netfilter@lists.netfilter.org>
Sent: Friday, April 08, 2005 9:29 PM
Subject: Re: Redirecting mail
> This mail server in question (172.20.128.56), is it just used for sending
> email from your internal network out to the world or are you expecting
> email
> from the world to come inbound to it too? Are you wanting this mail
> server
> to continue using the internet connection that it has for all traffic
> except
> SMTP or are you wanting all outbound traffic to pass through
> 192.168.16.56?
>
> I would be tempted to use a combination of IPTables and IP routing rules.
> Namely I'd do something like the following on the mail server
> (172.20.128.56)
>
> iptables -t nat -A OUTPUT -p tcp --sport 25 -j MARK --set-mark $SMTP_Mark
> ip route add table $IPRoute2_SMTP_Table 192.168.16.0/24 dev
> $DEV_of_internal_network src $IP_of_DEV_of_internal_network
> ip route add table $IPRoute2_SMTP_Table default via 192.168.16.56
> ip rule add fwmark $SMTP_Mark table $IPRoute2_SMTP_Table
>
> Where:
> $SMTP_Mark is the value you want to use to mark the packets that need to
> use
> the alternant route.
> $IPRoute2_SMTP_Table is the name as it appears in /etc/iproute2/rt_tables
> or
> the number of the table that you want to use.
> $DEV_of_internal_network is the device name of your internal network
> interface.
> $IP_of_DEV_of_internal_network is the IP address of the device name of
> your
> internal network interface.
>
> This should cause any traffic that leaves the mail server in question to
> pass through the alternent route out to the internet. If you have any
> questions or need more help let me know and I'll see what I can do.
>
>
>
> Grant. . . .
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Redirecting mail
2005-04-09 15:59 ` Ilo Lorusso
@ 2005-04-09 18:58 ` Grant Taylor
2005-04-11 15:05 ` Ilo Lorusso
0 siblings, 1 reply; 10+ messages in thread
From: Grant Taylor @ 2005-04-09 18:58 UTC (permalink / raw)
To: Ilo Lorusso; +Cc: netfilter
> Hi,
> I would just like to confirm with you, if machine 192.168.16.56 is to on
> the same switch but 3 hops away will the method you describe still work?
Based on your choice of word of "hop(s)" I'm going to assume that the 172.20.128.56 mail server that you want to route its SMTP connections out a different INet connection is not directly connected to the same subnet that the 192.168.16.56 system is on. That being the case I'm going to assume that you do have a way to establish a route internally on your LAN via the 192.168.16.x/24 network to an unknown network, to any more unknown networks, to the 192.168.16.x/24 network. If this is indeed the case I would make sure that all the routers that the traffic has to pass through to pass in to each network have a path to each of the other networks. An example below should help with this.
[Machine A]
INet connection with unknown IP
172.20.128.56 on the 172.20.128.x/24 network
[Machine B]
172.20.128.254 on the 172.20.128.x/24 network
10.0.0.1 on the 10.0.0.x/24 network
[Machine C]
10.0.0.254 on the 10.0.0.x/24 network
192.168.144.1 on the 192.168.144.x/24 network
[Machine D]
192.168.144.254 on the 192.168.144.x/24 network
192.168.16.1 on the 192.168.16.x/24 network
[Machine E]
192.168.16.56 on the 192.168.16.x/24 network
INet connection with an unknown IP
Following the above example I'm going to assume that you are wanting to route all SMTP traffic from Machine A out Machine E's internet connection. To do this I would make sure that machines / routers have at least the following in their (main) routing tables:
[Machine A's partial routing table]
INet connection is local to Machine A
172.20.128.x/24 network is local to Machine A
10.0.0.x/24 network via Machine B metric of 1
192.168.144.x/24 network via Machine B metric of 2
192.168.16.x/24 network via Machine B metric of 3
[Machine B's partial routing table]
172.20.128.x/24 network is local to Machine B
10.0.0.x/24 network is local to Machine B
192.168.144.x/24 network via Machine C metric of 1
192.168.16.x/24 network via Machine C metric of 2
[Machine C's partial routing table]
172.20.128.x/24 network via Machine B metric of 1
10.0.0.x/24 network is local to Machine C
192.168.144.x/24 network is local to Machine C
192.168.16.x/24 network via Machine D metric of 1
[Machine D's partial routing table]
172.20.128.x/24 network via Machine C metric of 2
10.0.0.x/24 network via Machine C metric of 1
192.168.144.x/24 is local to Machine D
192.168.16.x/24 is local to Machine D
[Machine E's partial routing table]
172.20.128.x/24 network via Machine D metric of 3
10.0.0.x/24 network via Machine D metric of 2
192.168.144.x/24 network via Machine D metric of 1
192.168.16.x/24 is local to Machine E
INet connection is local to Machine E
This will allow your traffic to pass from machine A to Machine E with known routes. The only thing that might cause a problem is if you have firewalls on all systems DROPping or REJECTing traffic that is not from the local network trying to pass through it. But if you open up your firewalls to the traffic on each of the networks that need to pass through then there is no reason why traffic from Machine A could not pass out the INet connection on Machine E.
If you would like to give me some more details on what your network topology is I'd do my best to help you with what your routing tables would need to look like.
Grant. . . .
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: Redirecting mail
2005-04-09 18:58 ` Grant Taylor
@ 2005-04-11 15:05 ` Ilo Lorusso
0 siblings, 0 replies; 10+ messages in thread
From: Ilo Lorusso @ 2005-04-11 15:05 UTC (permalink / raw)
To: Taylor, Grant; +Cc: netfilter
Ok,
I've actually got 2 hops between the machines.
It's ...
172.20.128.56
1 PIX Firewall
2 Nortel Passport (router)
192.168.12.56
But these two machines are able to see each other and have full access to
each other, just completely separate networks.
Is it still possible to do that advanced routing even though the hops
between are not Linux devices?
----- Original Message -----
From: "Grant Taylor" <gtaylor@riverviewtech.net>
To: "Ilo Lorusso" <sneak@ipnoc.co.za>
Cc: <netfilter@lists.netfilter.org>
Sent: Saturday, April 09, 2005 8:58 PM
Subject: Re: Redirecting mail
>> Hi,
>> I would just like to confirm with you, if machine 192.168.16.56 is to on
>> the same switch but 3 hops away will the method you describe still work?
>
> Based on your choice of word of "hop(s)" I'm going to assume that the
> 172,20,128.56 mail server that you want to route it's SMTP connections out
> a different INet connection is not directly connected to the same subnet
> that the 192.168.16.56 system is on. That being the case I'm going to
> assume that you do have a way to establish a route internally on your lan
> via the 192.168.16.x/24 network to an unknown network, to any more unknown
> networks, to the 192.168.16.x/24 network. If this is indeed the case I
> would make sure that all the routers that the traffic has to pass through
> to pass in to each network have a path to each of the other networks. An
> example below should help with this.
>
> [Machine A]
> INet connection with unknown IP
> 172.20.128.56 on the 172.20.128.x/24 network
>
> [Machine B]
> 172.20.128.254 on the 172.20.128.x/24 network
> 10.0.0.1 on the 10.0.0.x/24 network
>
> [Machine C]
> 10.0.0.254 on the 10.0.0.x/24 network
> 192.168.144.1 on the 192.168.144.x/24 network
>
> [Machine D]
> 192.168.144.254 on the 192.168.144.x/24 network
> 192.168.16.1 on the 192.168.16.x/24 network
>
> [Machine E]
> 192.168.16.56 on the 192.168.16.x/24 network
> INet connection with an unknown IP
>
> Following the above example I'm going to assume that you are wanting to
> route all SMTP traffic from Machine A out Machine E's internet connection.
> To do this I would make sure that machines / routers have at least the
> following in their (main) routing tables:
>
> [Machine A's partial routing table]
> INet connection is local to Machine A
> 172.20.128.x/24 network is local to Machine A
> 10.0.0.x/24 network via Machine B metric of 1
> 192.168.144.x/24 network via Machine B metric of 2
> 192.168.16.x/24 network via Machine B metric of 3
>
> [Machine B's partial routing table]
> 172.20.128.x/24 network is local to Machine B
> 10.0.0.x/24 network is local to Machine B
> 192.168.144.x/24 network via Machine C metric of 1
> 192.168.16.x/24 network via Machine C metric of 2
>
> [Machine C's partial routing table]
> 172.20.128.x/24 network via Machine B metric of 1
> 10.0.0.x/24 network is local to Machine C
> 192.168.144.x/24 network is local to Machine C
> 192.168.16.x/24 network via Machine D metric of 1
>
> [Machine D's partial routing table]
> 172.20.128.x/24 network via Machine C metric of 2
> 10.0.0.x/24 network via Machine C metric of 1
> 192.168.144.x/24 is local to Machine D
> 192.168.16.x/24 is local to Machine D
>
> [Machine E's partial routing table]
> 172.20.128.x/24 network via Machine D metric of 3
> 10.0.0.x/24 network via Machine D metrick of 2
> 192.168.144.x/24 network via Machine D metric of 1
> 192.168.16.x/24 is local to Machine E
> INet connection is local to Machine E
>
> This will allow your traffic to pass from machine A to Machine E with
> known routes. The only thing that might cause a problem is if you have
> firewalls on all systems DROPping or REJECTing traffic that is not from
> the local network trying to pass through it. But if you open up your
> firewalls to the traffic on each of the networks that need to pass through
> then there is no reason why traffic from Machine A could not pass out the
> INet connection on Machine E.
>
> If you would like to give me some more details on what your network
> topology is I'd do my best to help you with what your routing tables would
> need to look like.
>
>
>
> Grant. . . .
>
^ permalink raw reply [flat|nested] 10+ messages in thread