From: Ed W <lists@wildgooses.com>
To: Anton Melser <anton@linux.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Advice on best way to set up multi-route NAT for lots of IPs
Date: Mon, 02 Jan 2012 12:38:18 +0000
Message-ID: <4F01A53A.6040704@wildgooses.com>
In-Reply-To: <CAKywjPrbjoLhcvPXVYg+8kZ53rPRJ5+dhePx4FB=OkpNjqUGxw@mail.gmail.com>
On 01/01/2012 16:10, Anton Melser wrote:
> Hi,
> I am very new to iptables but have been trying hard to learn as much
> as I can... I have a reasonably simple need but performance might
> quickly become an issue so would like some advice on the best way to
> go forward.
> So, I have around 1600 public IPs in 4 blocks (3 x /23 + /25 on
> different ISPs). I have a certain number of machines (somewhere from 3
> to 8, needs to be variable and changeable without FW reconfiguration),
> and each one needs to be able to send email from each external IP (and
> needs to be able to do this deterministically). The only traffic
> should be to port 25 on the external destination IPs - the machines
> are only sending email, never receiving, so AFAICT everything can be
> closed inbound (at least for NEW).
>
Although NAT would seem to be the most flexible solution (seems like you
just need to read up on SNAT? Probably also some network stack tuning
needed for such a large amount of NAT..?), you can probably also do this
by adding the public IPs to your mailserver? E.g. with Postfix you can
either lightly overload settings per transport in master.cf (
http://www.postfix.org/master.5.html ), or if you need something which
more closely emulates a virtual machine then see the multi-instance
stuff ( http://www.postfix.org/MULTI_INSTANCE_README.html ). I see no
theoretical reason you couldn't have a (very) multihomed machine with
the IPs on the servers themselves? The benefit might be that mailservers
under high load will normally have a lot of connections open (hence high
NAT requirements).
Postfix also has some interesting options to add connection caching and
some other tricks which are helpful for larger installations and large
outbound queue volumes.
You should probably spend some time on followup questions covering why
you aren't a spam sender. Many technical folks will jump to the
conclusion that anyone asking for help pumping large volumes of mail is
likely to be up to no good. Just saying how it is...
Good luck
Ed W
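As an added example, not part of the thread and not Ed's or Anton's own setup, here is the SNAT variant of the design sketched above expressed as a small POSIX shell generator. It assumes (my assumption, not stated in the thread) that each mail host carries one internal alias address per public IP it sends from, that the public blocks are routed to the NAT box, and that the mapping of alias to public address lives in a simple two-column list; the addresses are constructed from RFC 5737 documentation ranges. It emits an iptables-restore(8) ruleset in which every alias gets exactly one SNAT rule for TCP port 25 (so the mapping is deterministic), the FORWARD policy is DROP, and only reply traffic plus new outbound SMTP from the aliases is forwarded, which closes inbound NEW connections as the original post asks.

```sh
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset
# that gives each internal alias a fixed public source address for outbound
# SMTP and forwards nothing else.
#
# Assumed layout (constructed for this demo):
#   - mail hosts own internal aliases in 10.20.0.0/16, one per public IP
#   - the NAT box has the public blocks routed to it
#   - the mapping is "internal<space>public", one pair per line
MAPPING='
10.20.0.1 203.0.113.1
10.20.0.2 203.0.113.2
10.20.0.3 198.51.100.7
'

# nat table: one SNAT rule per alias, matched on source address and
# destination port 25 only, so the public address used is deterministic.
gen_nat_table() {
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
    printf '%s\n' "$1" | while read -r internal public; do
        [ -z "$internal" ] && continue
        printf '%s -s %s/32 -p tcp --dport 25 -j SNAT --to-source %s\n' \
            '-A POSTROUTING' "$internal" "$public"
    done
    printf 'COMMIT\n'
}

# filter table: default-deny forwarding; allow replies of tracked
# connections and new outbound SMTP from the aliases, nothing inbound NEW.
gen_filter_table() {
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf '%s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' '-A FORWARD'
    printf '%s\n' "$1" | while read -r internal public; do
        [ -z "$internal" ] && continue
        printf '%s -s %s/32 -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT\n' \
            '-A FORWARD' "$internal"
    done
    printf 'COMMIT\n'
}

# Complete ruleset, loadable atomically with iptables-restore.
gen_ruleset() {
    gen_nat_table "$1"
    gen_filter_table "$1"
}

# Sanity check before loading: the number of SNAT rules must equal the
# number of aliases in the mapping.
count_snat_rules() {
    gen_nat_table "$1" | grep -c -- '-j SNAT'
}

# Usage on the NAT box (requires root):
#   gen_ruleset "$MAPPING" > /tmp/rules.v4 && iptables-restore < /tmp/rules.v4
```

Loading the result with iptables-restore rather than 1600 separate iptables invocations keeps the change atomic and fast. With this many NATed senders, the conntrack table size (net.netfilter.nf_conntrack_max) is the stack tuning Ed alludes to; check its current value and the count in /proc/sys/net/netfilter/nf_conntrack_count under load before raising it.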
Thread overview: 29+ messages
2012-01-01 16:10 Advice on best way to set up multi-route NAT for lots of IPs Anton Melser
2012-01-01 20:24 ` Lloyd Standish
2012-01-01 20:41 ` Anton Melser
2012-01-01 21:36 ` Anton Melser
2012-01-01 22:11 ` Lloyd Standish
2012-01-02 9:00 ` Anton Melser
2012-01-02 16:10 ` Lloyd Standish
2012-01-02 22:14 ` Anton Melser
2012-01-03 0:46 ` Lloyd Standish
2012-01-03 8:56 ` Anton Melser
2012-01-04 15:15 ` Anton Melser
2012-01-05 7:37 ` Andrew Beverley
2012-01-02 18:01 ` Pete
2012-01-02 21:14 ` Anton Melser
2012-01-02 12:38 ` Ed W [this message]
2012-01-02 13:17 ` Anton Melser
2012-01-27 23:54 ` Ed W
2012-01-05 7:35 ` Andrew Beverley
2012-01-05 8:15 ` Anton Melser
2012-01-05 17:06 ` Andrew Beverley
2012-01-05 18:39 ` Rob Sterenborg (Lists)
2012-01-06 5:15 ` Anton Melser
2012-01-06 7:28 ` Andrew Beverley
2012-01-05 8:59 ` Rob Sterenborg (lists)
2012-01-05 11:59 ` Anton Melser
2012-01-05 13:17 ` Rob Sterenborg (lists)
2012-01-05 16:59 ` Andrew Beverley
2012-01-05 17:08 ` Rob Sterenborg (lists)
2012-01-05 17:14 ` Andrew Beverley