* question about the order of the rules of iptables
@ 2005-09-08 12:01 Will Kuhn
2005-09-08 12:23 ` John A. Sullivan III
0 siblings, 1 reply; 5+ messages in thread
From: Will Kuhn @ 2005-09-08 12:01 UTC (permalink / raw)
To: netfilter
Will the order of the following two rules make any
difference in the outcome? I personally feel that it
should not. Can anyone confirm?
My intention is to have the incoming mails first
checked by the local anti-spam process listening at
port 1025 before being forwarded to the local mail
server. 10.1.1.100 is a private ip address of the
local mail server.
Local Mail server ----- [eth0] LinuxBOX [eth1] ---- internet

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 10.1.1.100
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j REDIRECT --to-port 1025
-Will
* Re: question about the order of the rules of iptables
2005-09-08 12:01 question about the order of the rules of iptables Will Kuhn
@ 2005-09-08 12:23 ` John A. Sullivan III
2005-09-08 17:09 ` Will Kuhn
0 siblings, 1 reply; 5+ messages in thread
From: John A. Sullivan III @ 2005-09-08 12:23 UTC (permalink / raw)
To: Will Kuhn; +Cc: netfilter
On Thu, 2005-09-08 at 05:01 -0700, Will Kuhn wrote:
> Will the order of the following two rules make any
> difference in the outcome? I personally feel that it
> should not. Can anyone confirm?
>
> My intention is to have the incoming mails first
> checked by the local anti-spam process listening at
> port 1025 before being forwarded to the local mail
> server. 10.1.1.100 is a private ip address of the
> local mail server.
>
> Local Mail server ----- [eth0] LinuxBOX [eth1] ---- internet
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 10.1.1.100
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j REDIRECT --to-port 1025
>
<snip>
That may depend on what you want to do. First, if I recall properly
(and I may not), REDIRECT sends the packet to port 1025 on interface lo,
i.e., to the local machine. It is not used for changing the port. That
may be what you want. If you really want to change the port but not
redirect the packet to the local computer, use the port parameter on
DNAT, e.g., --to-destination 10.1.1.100:1025.
Second, I believe packets stop traversing a chain once they have been
matched with the DNAT target (I'm not sure about REDIRECT). Thus, a
packet matching rule #1 in your order would never see rule #2.
I'm fetching this out of somewhat distant memory so, if someone knows
better, please correct me - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
* Re: question about the order of the rules of iptables
2005-09-08 12:23 ` John A. Sullivan III
@ 2005-09-08 17:09 ` Will Kuhn
2005-09-08 17:59 ` Rob Sterenborg
2005-09-08 18:07 ` John A. Sullivan III
0 siblings, 2 replies; 5+ messages in thread
From: Will Kuhn @ 2005-09-08 17:09 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: netfilter
Hi John, Thanks for your reply. Actually I need to
clarify.
In my config, I have an anti-spam process running on
the linux gateway and listening on port 1025. My
intention is to have the linux gateway filter out all
the junk.
I intend to have the linux box first modify the Dest
ip and forward it to the local anti-spam process for
spam checking. After that, the anti-spam process will
forward the clean mail to the mail server since the ip
address has already been modified.
With that intention in mind, will my iptables rules
still work? If not, how should I design my iptables
rules?
Thanks, Will
Local Mail server ---- e0 linux gateway e1 ---- internet
Local Mail server ip: 10.1.1.100
the anti spam mail proxy running on the linux gateway.
--- "John A. Sullivan III"
<jsullivan@opensourcedevel.com> wrote:
> On Thu, 2005-09-08 at 05:01 -0700, Will Kuhn wrote:
> > Will the order of the following two rules make any
> > difference in the outcome? I personally feel that it
> > should not. Can anyone confirm?
> >
> > My intention is to have the incoming mails first
> > checked by the local anti-spam process listening at
> > port 1025 before being forwarded to the local mail
> > server. 10.1.1.100 is a private ip address of the
> > local mail server.
> >
> > Local Mail server ----- [eth0] LinuxBOX [eth1] ---- internet
> >
> > iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 10.1.1.100
> >
> > iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j REDIRECT --to-port 1025
> >
> <snip>
> That may depend on what you want to do. First, if I
> recall properly
> (and I may not), REDIRECT sends the packet to port
> 1025 on interface lo,
> i.e., to the local machine. It is not used for
> changing the port. That
> may be what you want. If you really want to change
> the port but not
> redirect the packet to the local computer, use the
> port parameter on
> DNAT, e.g., --to-destination 10.1.1.100:1025.
>
> Second, I believe packets stop traversing a chain
> once they have been
> matched with the DNAT target (I'm not sure about
> REDIRECT). Thus, a
> packet matching rule #1 in your order would never
> see rule #2.
>
> I'm fetching this out of somewhat distant memory so,
> if someone knows
> better, please correct me - John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan@opensourcedevel.com
>
> If you would like to participate in the development
> of an open source
> enterprise class network security management system,
> please visit
> http://iscs.sourceforge.net
* RE: question about the order of the rules of iptables
2005-09-08 17:09 ` Will Kuhn
@ 2005-09-08 17:59 ` Rob Sterenborg
2005-09-08 18:07 ` John A. Sullivan III
1 sibling, 0 replies; 5+ messages in thread
From: Rob Sterenborg @ 2005-09-08 17:59 UTC (permalink / raw)
To: netfilter
netfilter-bounces@lists.netfilter.org wrote:
> Hi John, Thanks for your reply. Actually I need to clarify.
>
> In my config, I have an anti-spam process running on the
> linux gateway and listening on port 1025. My intention is to
> have the linux gateway filter out all the junk.
>
> I intend to have the linux box first modify the Dest ip and
> forward it to the local anti-spam process for spam checking.
> After that, the anti-spam process will forward the clean mail
> to the mail server since the ip address has already been modified.
>
> With that intention in mind, will my iptables rules still
> work? If not, how should I design my iptables rules?
Normally, you set up a mail gateway which is configured to do
spam/virus filtering.
In my case, I used Postfix with Amavis, ClamAV and SpamAssassin.
Postfix receives the email, and can optionally be configured to check if
the "To" email address is valid using user accounts, aliases, ldap, ...
Next it sends the email to Amavis, which checks for viruses using
ClamAV and spam using SpamAssassin.
SpamAssassin can quarantine if the spam-score of an email is above
sa_kill_level2, can add email headers containing the spam-score and can
alter the subject saying it is probably spam.
If an email is not quarantined, it is sent back to Postfix which will
deliver it to the next MTA or to an MDA which can deliver the email to a
mailbox.
Gr,
Rob
* Re: question about the order of the rules of iptables
2005-09-08 17:09 ` Will Kuhn
2005-09-08 17:59 ` Rob Sterenborg
@ 2005-09-08 18:07 ` John A. Sullivan III
1 sibling, 0 replies; 5+ messages in thread
From: John A. Sullivan III @ 2005-09-08 18:07 UTC (permalink / raw)
To: Will Kuhn; +Cc: netfilter
Rob's post was quite good advice. This seems a bit unnecessary.
Wouldn't one perhaps redirect to your anti-spam process and then have
your anti-spam process forward the mail (as a new IP packet) to the mail
gateway? - John
On Thu, 2005-09-08 at 10:09 -0700, Will Kuhn wrote:
> Hi John, Thanks for your reply. Actually I need to
> clarify.
>
> In my config, I have an anti-spam process running on
> the linux gateway and listening on port 1025. My
> intention is to have the linux gateway filter out all
> the junk.
>
> I intend to have the linux box first modify the Dest
> ip and forward it to the local anti-spam process for
> spam checking. After that, the anti-spam process will
> forward the clean mail to the mail server since the ip
> address has already been modified.
>
> With that intention in mind, will my iptables rules
> still work? If not, how should I design my iptables
> rules?
>
> Thanks, Will
>
> Local Mail server ---- e0 linux gateway e1 ---- internet
>
> Local Mail server ip: 10.1.1.100
> the anti spam mail proxy running on the linux gateway.
>
>
>
> --- "John A. Sullivan III"
> <jsullivan@opensourcedevel.com> wrote:
>
> > On Thu, 2005-09-08 at 05:01 -0700, Will Kuhn wrote:
> > > Will the order of the following two rules make any
> > > difference in the outcome? I personally feel that it
> > > should not. Can anyone confirm?
> > >
> > > My intention is to have the incoming mails first
> > > checked by the local anti-spam process listening at
> > > port 1025 before being forwarded to the local mail
> > > server. 10.1.1.100 is a private ip address of the
> > > local mail server.
> > >
> > > Local Mail server ----- [eth0] LinuxBOX [eth1] ---- internet
> > >
> > > iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 10.1.1.100
> > >
> > > iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j REDIRECT --to-port 1025
> > >
> > <snip>
> > That may depend on what you want to do. First, if I
> > recall properly
> > (and I may not), REDIRECT sends the packet to port
> > 1025 on interface lo,
> > i.e., to the local machine. It is not used for
> > changing the port. That
> > may be what you want. If you really want to change
> > the port but not
> > redirect the packet to the local computer, use the
> > port parameter on
> > DNAT, e.g., --to-destination 10.1.1.100:1025.
> >
> > Second, I believe packets stop traversing a chain
> > once they have been
> > matched with the DNAT target (I'm not sure about
> > REDIRECT). Thus, a
> > packet matching rule #1 in your order would never
> > see rule #2.
> >
> > I'm fetching this out of somewhat distant memory so,
> > if someone knows
> > better, please correct me - John
> > --
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@opensourcedevel.com
> >
> > If you would like to participate in the development
> > of an open source
> > enterprise class network security management system,
> > please visit
> > http://iscs.sourceforge.net
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
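John's two points, that the first matching NAT rule ends the walk of the chain so a packet matching rule #1 never sees rule #2, and that a redirect-to-proxy layout has the proxy open a fresh connection to the mail server, are easy to check against a small model. The script below is an added example, not code from the thread or from the netfilter project; it models a nat PREROUTING chain with the two properties the real kernel has (DNAT and REDIRECT are terminating targets, and only the first packet of a connection consults the nat table, after which conntrack replays the binding). Only 10.1.1.100, port 1025 and the interface names come from the thread; the gateway addresses 203.0.113.1 and 10.1.1.1, the remote sender 198.51.100.7 and the source ports are constructed.

```python
# Toy model of netfilter's nat PREROUTING chain (added example, not from the thread).
# Two kernel properties are modelled: DNAT/REDIRECT terminate the chain walk, and
# only the first packet of a connection is evaluated against the nat table.
from dataclasses import dataclass, replace
from typing import Optional

GATEWAY_ADDR = {"eth1": "203.0.113.1", "eth0": "10.1.1.1"}  # constructed gateway addresses
MAIL_SERVER = "10.1.1.100"                                   # from the thread
ANTISPAM_PORT = 1025                                         # from the thread


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    in_iface: str
    proto: str
    dport: int
    target: str                     # "DNAT" or "REDIRECT"
    to_ip: Optional[str] = None     # DNAT --to-destination address
    to_port: Optional[int] = None   # DNAT :port suffix or REDIRECT --to-port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.in_iface == self.in_iface and pkt.proto == self.proto
                and pkt.dport == self.dport)

    def apply(self, pkt: Packet) -> Packet:
        if self.target == "DNAT":
            new_port = self.to_port if self.to_port is not None else pkt.dport
            return replace(pkt, dst=self.to_ip, dport=new_port)
        if self.target == "REDIRECT":
            # REDIRECT rewrites the destination to the gateway's own address on the
            # interface the packet arrived on, i.e. it delivers to the local machine.
            return replace(pkt, dst=GATEWAY_ADDR[pkt.in_iface], dport=self.to_port)
        raise ValueError(f"unsupported target {self.target}")


class NatPrerouting:
    """Walks rules top to bottom; the first NAT match terminates the walk."""

    def __init__(self, rules):
        self.rules = list(rules)
        # conntrack NAT binding: original 5-tuple -> (new dst, new dport, rule index)
        self.bindings = {}

    def process(self, pkt: Packet):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.bindings:
            dst, dport, idx = self.bindings[key]   # later packets never re-walk the chain
            return replace(pkt, dst=dst, dport=dport), idx
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                out = rule.apply(pkt)
                self.bindings[key] = (out.dst, out.dport, idx)
                return out, idx
        self.bindings[key] = (pkt.dst, pkt.dport, None)
        return pkt, None


DNAT_RULE = Rule("eth1", "tcp", 25, "DNAT", to_ip=MAIL_SERVER)
REDIRECT_RULE = Rule("eth1", "tcp", 25, "REDIRECT", to_port=ANTISPAM_PORT)


def syn_from_internet(sport: int = 40000) -> Packet:
    # Constructed sample: a remote MTA's first packet to the gateway's public address.
    return Packet("eth1", "tcp", "198.51.100.7", sport, GATEWAY_ADDR["eth1"], 25)


def run_order(rules):
    """(destination ip, port, index of the rule that fired) for a fresh SYN."""
    out, idx = NatPrerouting(rules).process(syn_from_internet())
    return out.dst, out.dport, idx


def second_packet_same_connection(rules):
    """Packet #2 of a flow reuses the conntrack binding even if the chain changes."""
    chain = NatPrerouting(rules)
    first = syn_from_internet()
    chain.process(first)
    chain.rules = []  # flushing the chain afterwards does not affect established flows
    out, idx = chain.process(first)
    return out.dst, out.dport, idx


def proxy_design():
    """REDIRECT only: the proxy then dials the mail server itself. That second
    connection is locally generated, so it traverses nat OUTPUT rather than
    PREROUTING and is not touched by rules that match '-i eth1'."""
    to_proxy, _ = NatPrerouting([REDIRECT_RULE]).process(syn_from_internet())
    # Constructed: the proxy's own outbound SYN from the gateway to the mail server.
    proxy_syn = Packet("lo", "tcp", GATEWAY_ADDR["eth0"], 51000, MAIL_SERVER, 25)
    return (to_proxy.dst, to_proxy.dport), (proxy_syn.dst, proxy_syn.dport)


if __name__ == "__main__":
    print("DNAT first:     ", run_order([DNAT_RULE, REDIRECT_RULE]))
    print("REDIRECT first: ", run_order([REDIRECT_RULE, DNAT_RULE]))
    print("proxy design:   ", proxy_design())
```

With the poster's order the SYN is rewritten to 10.1.1.100:25 and the anti-spam process never sees it; with the rules swapped it lands on the gateway's port 1025 and the DNAT rule is dead code. In either order only rule #1 fires, which is why two NAT rules on the same match cannot chain the way the original post hoped; the redirect-plus-proxy layout gets the mail to the server by having the proxy open its own connection.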