randomly changing IPs from different subnets (Google Mail)

randomly changing IPs from different subnets (Google Mail)

[Florian Effenberger]

Hi,

my default network policy is to block all outgoing traffic and only allow certain packets to pass. For some users, I'd like to open up Google Mail (imap.gmail.com:993 and smtp.gmail.com:587). However, Google's DNS give randomly out different IPs per query. Sadly, they are not all located within a subnet, but vary in all parts of the address.

If I want to have destination host based rules, how can I do this with iptables? My current idea is to run a cron job every few minutes to add the rules again with the changed IPs, but this sounds like an ugly workaround, and will clutter my user-defined chain heavily.

Is there any other approach, other than opening up all traffic to 993 and 587?

Thanks,
Florian

Re: randomly changing IPs from different subnets (Google Mail)

[Jan Engelhardt]

On Tuesday 2010-06-22 20:16, Florian Effenberger wrote:
>
>[block by DNS]
>
>If I want to have destination host based rules, how can I do this with 
>iptables? My current idea is to run a cron job every few minutes to add 
>the rules again with the changed IPs, but this sounds like an ugly 
>workaround, and will clutter my user-defined chain heavily.

So create another chain. The in-memory table does not know DNS, and 
rightfully so.

>Is there any other approach, other than opening up all traffic to 993 
>and 587?

SOCKS proxies.

Re: randomly changing IPs from different subnets (Google Mail)

[Florian Effenberger]

Hi Jan,

thanks for the fast reply!

Am 22.06.2010 um 20:19 schrieb Jan Engelhardt:

> So create another chain. The in-memory table does not know DNS, and 
> rightfully so.

what does another chain help? I need to keep some records in the tables, because of clients that might have still the "old" address in their cache. The tables get cluttered anyways, no matter if I use one or several user-defined chains.

>> Is there any other approach, other than opening up all traffic to 993 
>> and 587?
> 
> SOCKS proxies.

That indeed would be an option. Or an SMTP/IMAP proxy. Both are not really desirable solutions, but if no one has a better suggestion, this might be a way to go... ;-)

Florian

Re: randomly changing IPs from different subnets (Google Mail)

[Lars Nooden]

Hello, Florian,

On 6/22/10 9:30 PM, Florian Effenberger wrote:

> what does another chain help? I need to keep some records in the
> tables, because of clients that might have still the "old" address in
> their cache. The tables get cluttered anyways, no matter if I use one
> or several user-defined chains.

The chain is a drop-through list of ip addresses that you have decided 
are good.  Then make a rule or pair of rules to send tcp traffic for 
port 993 and port 537 to that user-defined chain.

  ip6tables -N gmailimap
  iptables  -N gmailimap4

...

  iptables -I gmailimap4 --destination 74.125.79.111 -j ACCEPT
  iptables -I gmailimap4 --destination 74.125.79.109 -j ACCEPT
   # etc

  ip6tables -I gmailimap --destination 2a00:1450:8005::68 -j ACCEPT
  ip6tables -I gmailimap --destination 2a00:1450:8005::93 -j ACCEPT
   # etc

...

  ip6tables -I OUTPUT -i eth0 -p tcp --destination-port 993 -j gmailimap;
  iptables -I OUTPUT -i eth0 -p tcp --destination-port 993 -j gmailimap4;


All that is just a guess / pseudo-code.

/Lars

Re: randomly changing IPs from different subnets (Google Mail)

[Florian Effenberger]

Hi Lars,

Am 22.06.2010 um 21:16 schrieb Lars Nooden:

the same Lars Nooden as from the OOo mailing lists? If so: It's a small world. ;-)

> The chain is a drop-through list of ip addresses that you have decided are good.  Then make a rule or pair of rules to send tcp traffic for port 993 and port 537 to that user-defined chain.

If I run a script every 60 seconds per cron and add the hostname, it will automatically add all IPs returned by the DNS at that time. However, this changes randomly, and change time is not predictable.

If I add ten times the host and it resolves to the same IP, iptables doesn't recognize that, and I have 10 similar rules. Is there any check for duplicates possible?

If not, how many entries can the table have before it gets sluggish and slow? If I add two rules every 60 seconds, that would make 120 per hour, 2880 per day. Is that too much, do I need to purge them before? I have no experience with large filtering tables...

Florian

Re: randomly changing IPs from different subnets (Google Mail)

[Mart Frauenlob]

On 23.06.2010 10:53, Florian Effenberger wrote:

>
> Am 22.06.2010 um 21:16 schrieb Lars Nooden:
> >
>> The chain is a drop-through list of ip addresses that you have decided are good.  Then make a rule or pair of rules to send tcp traffic for port 993 and port 537 to that user-defined chain.
>
> If I run a script every 60 seconds per cron and add the hostname, it will automatically add all IPs returned by the DNS at that time. However, this changes randomly, and change time is not predictable.
>
> If I add ten times the host and it resolves to the same IP, iptables doesn't recognize that, and I have 10 similar rules. Is there any check for duplicates possible?
>
> If not, how many entries can the table have before it gets sluggish and slow? If I add two rules every 60 seconds, that would make 120 per hour, 2880 per day. Is that too much, do I need to purge them before? I have no experience with large filtering tables...
>
> Florian--


ipset
http://ipset.netfilter.org/

is the answer to that problem, if you insist on doing it with iptables.
all your cron job would have to do is to (pseudo code):

ipset --list gmailset

diff newlist oldlist

ipset --add new_entries
ipset --del dead_IPs


you might have to tinker with your kernel before.

best regards


Mart

Re: randomly changing IPs from different subnets (Google Mail)

[Florian Effenberger]

Hi Mart,

Am 23.06.2010 um 11:33 schrieb Mart Frauenlob:

> ipset
> http://ipset.netfilter.org/
> 
> is the answer to that problem, if you insist on doing it with iptables.

Are there any other solutions, except some sort of proxy?

> all your cron job would have to do is to (pseudo code):
> 
> ipset --list gmailset
> 
> diff newlist oldlist
> 
> ipset --add new_entries
> ipset --del dead_IPs
> 
> 
> you might have to tinker with your kernel before.

Thanks a lot! I wasn't aware of ipset before, but will definitely look into it!

Florian

Re: randomly changing IPs from different subnets (Google Mail)

[Lars Nooden]

On 22.06.2010 um 11:53 schreib Florian Effenberger:
> Hi Lars,
>
> Am 22.06.2010 um 21:16 schrieb Lars Nooden:
>
> the same Lars Nooden as from the OOo mailing lists? If so: It's a
> small world. ;-)

Yes.  Hello again.

>> The chain is a drop-through list of ip addresses that you have
>> decided are good.  Then make a rule or pair of rules to send tcp
>> traffic for port 993 and port 537 to that user-defined chain.
>
> If I run a script every 60 seconds per cron and add the hostname, it
> will automatically add all IPs returned by the DNS at that time.
> However, this changes randomly, and change time is not predictable.

As others mentioned, it is probably a round-robin algorithm for a small 
pool of ip addresses.  Google might even tell you which ones or you can 
keep polling.

Once you acquire a list of the allowed destination ip numbers, the 
hostnames probably don't need to get polled more frequently than the ttl 
for the main dns record.  If you work with the ip addresses, rather than 
the hostnames that need for look-up is minimized.

> If I add ten times the host and it resolves to the same IP, iptables
> doesn't recognize that, and I have 10 similar rules. Is there any
> check for duplicates possible?

AFAIK, not inherently in iptables itself, but if you make a separate 
chain, it is easier to work on it via grep and sort.   Use 'iptables 
-nL' or 'iptables-save' and send the output to grep, looking for the ip 
number in question, if it is not present, add it.   That's simple shell 
scripting.

/Lars

Re: randomly changing IPs from different subnets (Google Mail)

[Jan Engelhardt]

On Wednesday 2010-06-23 13:52, Lars Nooden wrote:
>
>> If I add ten times the host and it resolves to the same IP, iptables
>> doesn't recognize that, and I have 10 similar rules. Is there any
>> check for duplicates possible?
>
> AFAIK, not inherently in iptables itself, but if you make a separate chain, it
> is easier to work on it via grep and sort.   Use 'iptables -nL' or
> 'iptables-save' 

Do not start grepping in iptables -L. That is what iptables -S and
iptables-save are much better suited for.

Re: randomly changing IPs from different subnets (Google Mail)

[Lars Nooden]

Am 23.06.2010 um 14:54 schrieb Jan Engelhardt:

> Do not start grepping in iptables -L.

There is also building iptables rules with a script and re-run that as 
an option.

> That is what iptables -S and iptables-save are much better suited for.

Perhaps the manual pages are out of date then.  There appears to be no 
mention of the option -S in the manual page for iptables v1.2.10 or on 
this web page:

	http://linux.die.net/man/8/iptables

% iptables -S
iptables v1.2.10: Unknown arg `-S'
Try `iptables -h' or 'iptables --help' for more information.

Where are you finding -S ?

Regards,
/Lars

Re: randomly changing IPs from different subnets (Google Mail)

[John Haxby]

On 23/06/10 14:47, Lars Nooden wrote:
> Perhaps the manual pages are out of date then.  There appears to be no 
> mention of the option -S in the manual page for iptables v1.2.10 or on 
> this web page:
>
>     http://linux.die.net/man/8/iptables
>
> % iptables -S
> iptables v1.2.10: Unknown arg `-S'
> Try `iptables -h' or 'iptables --help' for more information.
>
> Where are you finding -S ?

% iptables -V
iptables v1.4.7

% iptables -S
-P INPUT ACCEPT
...

% man iptables
...
        -S, --list-rules [chain]
               Print all rules in the selected chain.  If no chain is 
selected,
               all chains are printed like iptables-save. Like every 
other ipt-
               ables  command, it applies to the specified table (filter 
is the
               default).


jch

Re: randomly changing IPs from different subnets (Google Mail)

[/dev/rob0]

On Wed, Jun 23, 2010 at 04:47:06PM +0300, Lars Nooden wrote:
> Am 23.06.2010 um 14:54 schrieb Jan Engelhardt:
>> Do not start grepping in iptables -L.
>
> There is also building iptables rules with a script and re-run
> that as an option.

Scripts are not recommended because of the possibility of race 
conditions. iptables-restore(8) changes rulesets atomically.

>> That is what iptables -S and iptables-save are much better suited 
>> for.
>
> Perhaps the manual pages are out of date then.  There appears to be 
> no mention of the option -S in the manual page for iptables v1.2.10 
> or on this web page:
>
> 	http://linux.die.net/man/8/iptables
>
> % iptables -S
> iptables v1.2.10: Unknown arg `-S'
> Try `iptables -h' or 'iptables --help' for more information.

http://www.netfilter.org/news.html :

"2004-Jun-15
	New iptables 1.2.10 release ..."

That was SIX YEARS ago.

> Where are you finding -S ?

What is out of date is your version of iptables and that Web page. 
Manuals for recent releases of iptables are up-to-date.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Documentation (was Re: randomly changing IPs from different subnets (Google Mail))

[Lars Nooden]

/dev/rob0 wrote:

> http://www.netfilter.org/news.html :
> 
> "2004-Jun-15
> 	New iptables 1.2.10 release ..."
> 
> That was SIX YEARS ago.

Yes and it has worked very well for SIX YEARS on those particular servers.

>> Where are you finding -S ?
> 
> What is out of date is your version of iptables and that Web page. 

I've contacted the responsible parties for both.

> Manuals for recent releases of iptables are up-to-date.

I'm glad that is still the case.

What can be done about the old web tutorials and howtos?  Many have not
been touched in years, even if only to refresh the date stamp and say
things are still valid or to post a warning for staleness.  e.g.:

http://www.netfilter.org/documentation/HOWTO//networking-concepts-HOWTO.html

If I had to choose one to start with, it might be the Oskar Andreasson
tutorial:

	http://www.frozentux.net/documents/iptables-tutorial/

Regards
/Lars

Re: Documentation (was Re: randomly changing IPs from different subnets (Google Mail))

[/dev/rob0]

On Wed, Jun 23, 2010 at 05:36:32PM +0300, Lars Nooden wrote:
> /dev/rob0 wrote:
> 
> > http://www.netfilter.org/news.html :
> > 
> > "2004-Jun-15
> > 	New iptables 1.2.10 release ..."
> > 
> > That was SIX YEARS ago.
> 
> Yes and it has worked very well for SIX YEARS on those particular 
> servers.

FWIW I have a Slackware 10.0 server with iptables 1.2.10, which will 
be six years old in October. Nothing wrong with not upgrading if a 
server is working fine.

The point is: I don't assume that's up-to-date. Two years is a long 
time in Linux terms, and we have had three such long times since A.D. 
2004.

> What can be done about the old web tutorials and howtos?  Many have 
> not been touched in years, even if only to refresh the date stamp 

Stamp a big red warning label on the whole WWW, stating that content 
is provided as-is and with no guarantees. :)

> and say things are still valid or to post a warning for staleness.  
> e.g.:
> 
> http://www.netfilter.org/documentation/HOWTO//networking-concepts-HOWTO.html
> 
> If I had to choose one to start with, it might be the Oskar 
> Andreasson tutorial:
> 
> 	http://www.frozentux.net/documents/iptables-tutorial/

I think Oskar's is still the definitive work, but indeed, it shows 
its age. If I could get a grant, I would be happy to start work on 
updating Oskar's tutorial and Rusty's Unreliable Guides.

Such grants are more likely to be offered to actual Netfilter 
developers, of course. They're more deserving than I am. But I'm 
stuck with bills and expenses, so I have to find something which 
pays. When someone with the time to spare comes along and wants to 
fill the need, it will be done.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Documentation (was Re: randomly changing IPs from different subnets (Google Mail))

[Jan Engelhardt]

On Wednesday 2010-06-23 17:13, /dev/rob0 wrote:
>On Wed, Jun 23, 2010 at 05:36:32PM +0300, Lars Nooden wrote:
>> /dev/rob0 wrote:
>> 
>> What can be done about the old web tutorials and howtos?  Many have 
>> not been touched in years, even if only to refresh the date stamp 
>
>Stamp a big red warning label on the whole WWW, stating that content 
>is provided as-is and with no guarantees. :)

What needs to be done is to talk to the Netfilter core people -
Patrick, Pablo - and sort it out. This has been raised before, but
nothing really got out of it because the whole domain and servers is
in some obscurly-secure network that nobody has time to touch.

>> and say things are still valid or to post a warning for staleness.  
>> e.g.:
>> 
>> http://www.netfilter.org/documentation/HOWTO//networking-concepts-HOWTO.html
>> 
>> If I had to choose one to start with, it might be the Oskar 
>> Andreasson tutorial:
>> 
>> 	http://www.frozentux.net/documents/iptables-tutorial/
>
>I think Oskar's is still the definitive work, but indeed, it shows 
>its age. If I could get a grant, I would be happy to start work on 
>updating Oskar's tutorial and Rusty's Unreliable Guides.

(Oskar's looks a bit like a manpage reproduction.)

There is also mostafa/lxsameer's book project
(http://github.com/mostafa/iptables_book) I just can't find our 
conversation in my archives..

Re: Documentation (was Re: randomly changing IPs from different subnets (Google Mail))

[Lars Nooden]

Jan Engelhardt wrote:

> What needs to be done is to talk to the Netfilter core people -
> Patrick, Pablo - and sort it out. This has been raised before, but
> nothing really got out of it because the whole domain and servers is
> in some obscurly-secure network that nobody has time to touch.

What should be used as the base format * for the 'originals' from now on?

Then, after that is decided, could a place be made in the git repository
for each item in the netfilter documentation page?   Using git would
allow the work to be more easily distributed and possibly ease the
burden of editorial review.

/Lars

* The short list of choices would be Docbook, flatfile OpenDocument, or
TeX.

Re: Documentation (was Re: randomly changing IPs from different subnets (Google Mail))

[Jan Engelhardt]

On Wednesday 2010-06-23 18:15, Lars Nooden wrote:
>Jan Engelhardt wrote:
>
>> What needs to be done is to talk to the Netfilter core people -
>> Patrick, Pablo - and sort it out. This has been raised before, but
>> nothing really got out of it because the whole domain and servers is
>> in some obscurly-secure network that nobody has time to touch.
>
>What should be used as the base format * for the 'originals' from now on?
>
>Then, after that is decided, could a place be made in the git repository
>for each item in the netfilter documentation page?   Using git would
>allow the work to be more easily distributed and possibly ease the
>burden of editorial review.

My preference are LyX documents with a CC-BY-SA license.

I am in the process of collecting "interesting" questions on these
mailing lists to build chapters.

Re: Documentation (was Re: randomly changing IPs from different subnets (Google Mail))

[Grant Taylor]

On 06/23/10 11:36, Jan Engelhardt wrote:
>> What should be used as the base format * for the 'originals' from now on?
> 
> My preference are LyX documents with a CC-BY-SA license.

My vote would be fore DocBook (or some other XML based format).

Conversions there from are almost automatic.  I.e. get the new base, 
pass it through the converters and there you go.

With DocBook, it's trivial to have your XSLT add SSI includes for 
headers and footers to integrate directly in to a web site.  Further, 
DocBook will produce HTML that uses styles for formatting, thus allowing 
consistent theming in a web site.

> I am in the process of collecting "interesting" questions on these 
> mailing lists to build chapters.

DocBook also supports sub-dividing things in to chapters and separate 
documents too.



Grant. . . .

Re: Documentation (was Re: randomly changing IPs from different subnets (Google Mail))

[Jan Engelhardt]

On Wednesday 2010-06-23 20:34, Grant Taylor wrote:

> On 06/23/10 11:36, Jan Engelhardt wrote:
>>> What should be used as the base format * for the 'originals' from now on?
>>
>> My preference are LyX documents with a CC-BY-SA license.
>
> My vote would be fore DocBook (or some other XML based format).

I want to concentrate on text, not the markup.
Given lyx is inherently convertible to latex, I don't see a problem.

Re: Documentation (was Re: randomly changing IPs from different subnets (Google Mail))

[Grant Taylor]

On 06/23/10 13:41, Jan Engelhardt wrote:
> I want to concentrate on text, not the markup.

Ok.

Are you not specifying what various things are in LyX?

If I recall correctly, LyX is almost a WYSIWYG* (but not quite) when it 
comes to marking things up.  Visual marking up rather than including tags.

> Given lyx is inherently convertible to latex, I don't see a problem.

True...

Based on the reading that I've done, DocBook will convert to more 
formats than LyX will, including latex.  Where as LyX / latex can't back 
convert to as many thins as DocBook will.

Just my $0.02 worth, not wanting to start a vim/emacs war or any thing.  ;-)



Grant. . . .


*  I know that LyX is "What You See Is What You Mean" not "What You See 
Is What You Get".  But I'm referring to the fact that you highlight a 
section of text and say that it's a given formatting.

Re: Documentation (was Re: randomly changing IPs from different subnets (Google Mail))

[Andrew Beverley]

> Stamp a big red warning label on the whole WWW, stating that content 
> is provided as-is and with no guarantees. :)
> 

I'm quite keen to get involved with the website/documentation. It's
something I was going to volunteer for at some point down the line, once
I have accomplished a couple of other things I am working on.

In my opinion, the whole of the netfilter project is underused because
of the patchy documentation (it took me a long time to learn even some
of the basics). It's an amazing set of software, and I'd like to see it
used to its full potential.

Andy

Re: Documentation (was Re: randomly changing IPs from different subnets (Google Mail))

[Grant Taylor]

On 06/24/10 01:17, Andrew Beverley wrote:
> In my opinion, the whole of the netfilter project is underused 
> because of the patchy documentation (it took me a long time to learn 
> even some of the basics). It's an amazing set of software, and I'd 
> like to see it used to its full potential.

Agreed.

Something else to keep in mind is that a lot of people that are starting 
with NetFilter are also starting with firewalling in general.  So in 
actuality they have a couple of things that they are learning at the 
same time, 1) firewalling concepts, and 2) NetFilter's implementation.

With this in mind, it might be good to have detailed NetFilter specific 
documentation (2 above) and reference generic firewalling documentation 
(1 above).  So that people have as much of what is needed all in one 
location (site / documentation set).



Grant. . . .

Re: randomly changing IPs from different subnets (Google Mail)

[Florian Effenberger]

Hi Lars,

Am 23.06.2010 um 13:52 schrieb Lars Nooden:

>> the same Lars Nooden as from the OOo mailing lists? If so: It's a
>> small world. ;-)
> 
> Yes.  Hello again.

it's a small world. ;-) Great to see you here!

> As others mentioned, it is probably a round-robin algorithm for a small pool of ip addresses.  Google might even tell you which ones or you can keep polling.

Hm, anyone has a good contact at Google? In my experience it's rather hard to reach them...

Florian

Re: randomly changing IPs from different subnets (Google Mail)

[Grant Taylor]

On 06/23/10 06:52, Lars Nooden wrote:
> As others mentioned, it is probably a round-robin algorithm for a small 
> pool of ip addresses.  Google might even tell you which ones or you can 
> keep polling.

You might consider finding out what IP address space Google has 
registered (think BGP tables).



Grant. . . .

Re: randomly changing IPs from different subnets (Google Mail)

[Jan Engelhardt]

On Tuesday 2010-06-22 20:30, Florian Effenberger wrote:

>Hi Jan,
>
>thanks for the fast reply!
>
>Am 22.06.2010 um 20:19 schrieb Jan Engelhardt:
>
>> So create another chain. The in-memory table does not know DNS, and 
>> rightfully so.
>
>what does another chain help?

That you can independently refill the extra chain without having
to touch other rules. That is to say,

forall (addrs) {
	add_new_addrs to chain;
	++i;
}
while (delete rules from chain with an index #i does not throw an error)
	;

That gets harder when you have extra rules in the chain you are 
manipulating.

Alternatively, you could issue the delete operation with i+10
to keep the previous addresses around - and let them die off
by this pseudo-LRU mechanism.

>I need to keep some records in the tables, because of clients that 
>might have still the "old" address in their cache. The tables get 
>cluttered anyways, no matter if I use one or several user-defined 
>chains.

Re: randomly changing IPs from different subnets (Google Mail)

[Jeff Largent]

On Tue, 22 Jun 2010 20:16:34 +0200
Florian Effenberger <floeff@gmail.com> wrote:

> Hi,
> 
> my default network policy is to block all outgoing traffic and only allow certain packets to pass. For some users, I'd like to open up Google Mail (imap.gmail.com:993 and smtp.gmail.com:587). However, Google's DNS give randomly out different IPs per query. Sadly, they are not all located within a subnet, but vary in all parts of the address.
> 
> If I want to have destination host based rules, how can I do this with iptables? My current idea is to run a cron job every few minutes to add the rules again with the changed IPs, but this sounds like an ugly workaround, and will clutter my user-defined chain heavily.
> 
> Is there any other approach, other than opening up all traffic to 993 and 587?
> 
> Thanks,
> Florian--
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Are they actually random or are they just round robined from DNS?
If they are coming from a round robin queue then when you add smtp.gmail.com
iptables will add a rule for each address it resolves to.
Another option may be to do a lookup on MX record for gmail.com and add those
hosts.

tracer1:~$> dig -t MX +short gmail.com 
40 alt4.gmail-smtp-in.l.google.com.
5 gmail-smtp-in.l.google.com.
10 alt1.gmail-smtp-in.l.google.com.
20 alt2.gmail-smtp-in.l.google.com.
30 alt3.gmail-smtp-in.l.google.com.





-- 
Jeff Largent <jwlargent@vlsmaps.com>

Re: randomly changing IPs from different subnets (Google Mail)

[/dev/rob0]

> Florian Effenberger <floeff@gmail.com> wrote:
> > my default network policy is to block all outgoing traffic and 
> > only allow certain packets to pass. For some users, I'd like to 
> > open up Google Mail (imap.gmail.com:993 and smtp.gmail.com:587). 
> > However, Google's DNS give randomly out different IPs per query. 
> > Sadly, they are not all located within a subnet, but vary in all 
> > parts of the address.
> > 
> > If I want to have destination host based rules, how can I do this 
> > with iptables? My current idea is to run a cron job every few 
> > minutes to add the rules again with the changed IPs, but this 
> > sounds like an ugly workaround, and will clutter my user-defined 
> > chain heavily.
> > 
> > Is there any other approach, other than opening up all traffic to 
> > 993 and 587?

I would suggest that you ask them, not us. They can tell you what 
netblocks to allow, if they are so inclined.


On Tue, Jun 22, 2010 at 01:55:22PM -0500, Jeff Largent wrote:
> Are they actually random or are they just round robined from DNS?

I get a CNAME for smtp.gmail.com, and only one IP with a short TTL 
for that:
smtp.gmail.com.		300	IN	CNAME	gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 300 IN	A	74.125.157.109
Likewise for imap.gmail.com. 5 minutes later I tried again and got 
the same one. But, that could change at any time, without warning.

> If they are coming from a round robin queue then when you add 
> smtp.gmail.com iptables will add a rule for each address it 
> resolves to.

Right, but not for this one.

> Another option may be to do a lookup on MX record for gmail.com and 
> add those hosts.

This is not right. The submission hosts are NOT the MX hosts, nor are 
the MX hosts the same as the IMAP ones. Submission requires SMTP 
AUTH, mail exchange does not. And surely the MX hosts use extensive 
spam controls, as well.
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: randomly changing IPs from different subnets (Google Mail)

[Mike Lay]

i feel like this may be a proxy based solution.

On Tue, 22 Jun 2010 20:09:46 -0500
/dev/rob0 <rob0@gmx.co.uk> wrote:

> > Florian Effenberger <floeff@gmail.com> wrote:
> > > my default network policy is to block all outgoing traffic and 
> > > only allow certain packets to pass. For some users, I'd like to 
> > > open up Google Mail (imap.gmail.com:993 and smtp.gmail.com:587). 
> > > However, Google's DNS give randomly out different IPs per query. 
> > > Sadly, they are not all located within a subnet, but vary in all 
> > > parts of the address.
> > > 
> > > If I want to have destination host based rules, how can I do this 
> > > with iptables? My current idea is to run a cron job every few 
> > > minutes to add the rules again with the changed IPs, but this 
> > > sounds like an ugly workaround, and will clutter my user-defined 
> > > chain heavily.
> > > 
> > > Is there any other approach, other than opening up all traffic to 
> > > 993 and 587?
> 
> I would suggest that you ask them, not us. They can tell you what 
> netblocks to allow, if they are so inclined.
> 
> 
> On Tue, Jun 22, 2010 at 01:55:22PM -0500, Jeff Largent wrote:
> > Are they actually random or are they just round robined from DNS?
> 
> I get a CNAME for smtp.gmail.com, and only one IP with a short TTL 
> for that:
> smtp.gmail.com.		300	IN	CNAME
> gmail-smtp-msa.l.google.com. gmail-smtp-msa.l.google.com. 300
> IN	A	74.125.157.109 Likewise for imap.gmail.com. 5
> minutes later I tried again and got the same one. But, that could
> change at any time, without warning.
> 
> > If they are coming from a round robin queue then when you add 
> > smtp.gmail.com iptables will add a rule for each address it 
> > resolves to.
> 
> Right, but not for this one.
> 
> > Another option may be to do a lookup on MX record for gmail.com and 
> > add those hosts.
> 
> This is not right. The submission hosts are NOT the MX hosts, nor are 
> the MX hosts the same as the IMAP ones. Submission requires SMTP 
> AUTH, mail exchange does not. And surely the MX hosts use extensive 
> spam controls, as well.