netfilter.vger.kernel.org archive mirror
From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@vger.kernel.org
Subject: Re: randomly changing IPs from different subnets (Google Mail)
Date: Tue, 22 Jun 2010 20:09:46 -0500
Message-ID: <20100623010946.GQ19868@cardinal>
In-Reply-To: <20100622135522.a0eec81e.jwlargent@vlsmaps.com>

> Florian Effenberger <floeff@gmail.com> wrote:
> > my default network policy is to block all outgoing traffic and 
> > only allow certain packets to pass. For some users, I'd like to 
> > open up Google Mail (imap.gmail.com:993 and smtp.gmail.com:587). 
> > However, Google's DNS randomly gives out different IPs per query. 
> > Sadly, they are not all located within a subnet, but vary in all 
> > parts of the address.
> > 
> > If I want to have destination host based rules, how can I do this 
> > with iptables? My current idea is to run a cron job every few 
> > minutes to add the rules again with the changed IPs, but this 
> > sounds like an ugly workaround, and will clutter my user-defined 
> > chain heavily.
> > 
> > Is there any other approach, other than opening up all traffic to 
> > 993 and 587?

I would suggest that you ask them, not us. They can tell you what 
netblocks to allow, if they are so inclined.


On Tue, Jun 22, 2010 at 01:55:22PM -0500, Jeff Largent wrote:
> Are they actually random or are they just round robined from DNS?

I get a CNAME for smtp.gmail.com, and only one IP with a short TTL 
for that:
smtp.gmail.com.		300	IN	CNAME	gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 300 IN	A	74.125.157.109
Likewise for imap.gmail.com. 5 minutes later I tried again and got 
the same one. But, that could change at any time, without warning.

> If they are coming from a round robin queue then when you add 
> smtp.gmail.com iptables will add a rule for each address it 
> resolves to.

Right, but not for this one.

> Another option may be to do a lookup on MX record for gmail.com and 
> add those hosts.

This is not right. The submission hosts are NOT the MX hosts, nor are 
the MX hosts the same as the IMAP ones. Submission requires SMTP 
AUTH, mail exchange does not. And surely the MX hosts use extensive 
spam controls, as well.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header
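As an added example, not code from this thread or from any of its authors: one way to carry out the cron-refresh idea from the original question without cluttering the user-defined chain is to collect every A record the lookup returns into an ipset and reference the set from a single rule. A refreshed set is swapped in atomically, so stale addresses drop out and the rule itself never changes. The set name, the port, the use of ipset (which assumes a kernel and iptables built with ipset support) and the dig-style sample records are assumptions; only 74.125.157.109 and the 300-second TTL come from the lookup shown above, the other lines are constructed. The TTL also bounds how often the job must run: refreshing less often than the TTL means the allowlist lags behind DNS.

```shell
#!/bin/sh
# Added example (not from the thread): refresh an egress allowlist for a
# hostname whose A records change, using one ipset and one iptables rule.
# Assumed: ipset support in kernel and iptables; the set name "gmail_smtp".
# SAMPLE_ANSWERS is constructed dig-style output (only 74.125.157.109 and the
# TTL of 300 appear in the thread); in a cron job it would instead come from
#   dig +noall +answer smtp.gmail.com
# possibly concatenated over several queries to catch round-robin answers.
SAMPLE_ANSWERS='smtp.gmail.com. 300 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 300 IN A 74.125.157.109
gmail-smtp-msa.l.google.com. 300 IN A 74.125.157.110
gmail-smtp-msa.l.google.com. 300 IN A 74.125.157.109'

# Print the unique A-record addresses in dig-style answer text, one per line.
# CNAME lines are skipped: dig already follows the chain and lists the
# terminal A records, as the smtp.gmail.com lookup in the thread shows.
extract_a_records() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "A" { print $5 }' | sort -u
}

# Smallest TTL among the A records: the refresh interval must not exceed it.
min_ttl() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "A" { print $2 }' | sort -n | head -n 1
}

# Emit the ipset commands that replace the set's contents atomically:
# fill a scratch set, swap it in, discard the old one. The iptables rule
# that references the set never changes, so the chain stays uncluttered.
build_set_commands() {
    setname=$1
    answers=$2
    printf 'ipset create %s hash:ip -exist\n' "$setname"
    printf 'ipset create %s_new hash:ip -exist\n' "$setname"
    printf 'ipset flush %s_new\n' "$setname"
    for ip in $(extract_a_records "$answers"); do
        printf 'ipset add %s_new %s\n' "$setname" "$ip"
    done
    printf 'ipset swap %s_new %s\n' "$setname" "$setname"
    printf 'ipset destroy %s_new\n' "$setname"
}

# The single egress rule, installed once (outside the cron job). It matches
# the destination address against the set and the given destination port.
egress_rule() {
    printf 'iptables -A OUTPUT -p tcp -m set --match-set %s dst --dport %s -j ACCEPT\n' "$1" "$2"
}

# Stand-alone run: print what the cron job would execute (pipe to sh to apply).
echo "# refresh at least every $(min_ttl "$SAMPLE_ANSWERS") seconds"
build_set_commands gmail_smtp "$SAMPLE_ANSWERS"
echo "# install once:"
egress_rule gmail_smtp 587
```

Run as-is the script only prints the commands, which makes it easy to review the generated allowlist before applying it; the same functions serve imap.gmail.com on port 993 with a second set name. The one caveat the thread itself raises still applies: a lookup only captures the addresses returned at that moment, so the refresh interval has to stay within the TTL, and the netblocks the provider publishes, if any, remain the more reliable source.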
