routing mail traffic through a second interface

routing mail traffic through a second interface

[Julien]

Hi,

I have been trying for a few days now to route mail traffic on a 
different connection than rest of traffic using iproute2, I already did 
some posts regarding this problem, and thanks to help of guys here and 
in the lartc mailing list I succedeed to have a little improvement.

Here are the box infos :

Slackware 9.1 (Linux 2.4.22)
Two dsl connections via pppoe

I only care about locally generated mail traffic but I didn't succeed 
making it as the mta level.

I did :
iptables −A OUTPUT −i eth0 −t mangle −p tcp −−dport 25 −j MARK −−set−mark 1
echo 201 mail.out >> /etc/iproute2/rt_tables
ip rule add fwmark 1 table mail.out
ip route add default via [Second's ISP Gateway] dev ppp1 table mail.out

In order to make packets go out with correct source ip address :
iptables -t nat --append POSTROUTING -p tcp --dport 25 --jump SNAT 
--to-source [Second's ISP external IP]

The current situation :
I can see with tcpdump packets going out, and back but if I do telnet 
someisp.com 25 I see nothing in the terminal.

I really don't know what can be wrong and found no answer neither in the 
mailing list archive, in the lartc howto or in the advanced routing howto.

Here is the tcpdump log when doing telnet 213.41.143.209 25 :

13:12:36.296170 81.48.224.208.51061 > 213.41.143.209.smtp: S 
3495988204:3495988204(0) win 5808 <mss 1452,sackOK,timestamp 7706419 
0,nop,wscale 0> (DF) [tos 0x10]
13:12:36.437196 213.41.143.209.smtp > 81.48.224.208.51061: S 
687160518:687160518(0) ack 3495988205 win 16800 <mss 
1412,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 536203422 7706419> (DF)
13:12:38.703028 213.41.143.209.smtp > 81.48.224.208.51060: S 
1256669228:1256669228(0) ack 3496982511 win 16800 <mss 
1412,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 536203426 7706045> (DF)
13:12:39.292786 81.48.224.208.51061 > 213.41.143.209.smtp: S 
3495988204:3495988204(0) win 5808 <mss 1452,sackOK,timestamp 7706719 
0,nop,wscale 0> (DF) [tos 0x10]
13:12:39.428299 213.41.143.209.smtp > 81.48.224.208.51061: S 
687160518:687160518(0) ack 3495988205 win 16800 <mss 
1412,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 536203428 7706719> (DF)
13:12:40.398787 213.41.143.209.smtp > 81.48.224.208.51059: S 
957484233:957484233(0) ack 3482227097 win 16800 <mss 
1412,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 536203430 7705616> (DF)

Thanks for your help !

Julien

Re: routing mail traffic through a second interface

[Samuel Jean]

Hi Julien,

Julien <dyna@tri-oxyde.org> wrote:

> Hi,
>
> I have been trying for a few days now to route mail traffic on a=20
> different connection than rest of traffic using iproute2, I already did=20
> some posts regarding this problem, and thanks to help of guys here and=20
> in the lartc mailing list I succedeed to have a little improvement.
>
> Here are the box infos :
>
> Slackware 9.1 (Linux 2.4.22)
> Two dsl connections via pppoe
>
> I only care about locally generated mail traffic but I didn't succeed=20
> making it as the mta level.
>
> I did :
> iptables =E2=88=92A OUTPUT =E2=88=92i eth0 =E2=88=92t mangle =E2=88=92p t=
> cp =E2=88=92=E2=88=92dport 25 =E2=88=92j MARK =E2=88=92=E2=88=92set=E2=88=
> =92mark 1
> echo 201 mail.out >> /etc/iproute2/rt_tables
> ip rule add fwmark 1 table mail.out
> ip route add default via [Second's ISP Gateway] dev ppp1 table mail.out
>

Why not use the ROUTE target ?

Let's say your normal flow goes through ppp0 by default.

def_int=ppp0
iptables -t mangle -I OUTPUT -o $def_int -p tcp --dport 25 -j ROUTE --oif
ppp1 --continue

So now, all traffic generated from the computer itself will use ppp1 as
the outgoing interface. Do not forget the --continue which means the
packet will continue traversing other rules.

> In order to make packets go out with correct source ip address :
> iptables -t nat --append POSTROUTING -p tcp --dport 25 --jump SNAT=20
> --to-source [Second's ISP external IP]
>

Correct.

> The current situation :
> I can see with tcpdump packets going out, and back but if I do telnet=20
> someisp.com 25 I see nothing in the terminal.
>

Are you sniffing on ppp1 ?
Did you enable NAT of local connection ?

> I really don't know what can be wrong and found no answer neither in
> the=20
> mailing list archive, in the lartc howto or in the advanced routing howto=
> .
>

I can actually not answer.  Please provide more details such as related
Conntrack entries, commands you executed to troubleshoot, etc.



-- 
Samuel Jean
SysAdmin & NetAdmin
at cookinglinux.org

Re: routing mail traffic through a second interface

[Samuel Jean]

Hi Julien,

Julien <dyna@tri-oxyde.org> wrote:

> Hi,
>
> I have been trying for a few days now to route mail traffic on a=20
different connection than rest of traffic using iproute2, I already
did=20 some posts regarding this problem, and thanks to help of guys
here and=20 in the lartc mailing list I succedeed to have a little
improvement.
>
> Here are the box infos :
>
> Slackware 9.1 (Linux 2.4.22)
> Two dsl connections via pppoe
>
> I only care about locally generated mail traffic but I didn't succeed=20
making it as the mta level.
>
> I did :
> iptables =E2=88=92A OUTPUT =E2=88=92i eth0 =E2=88=92t mangle =E2=88=92p
t= cp =E2=88=92=E2=88=92dport 25 =E2=88=92j MARK
=E2=88=92=E2=88=92set=E2=88= =92mark 1
> echo 201 mail.out >> /etc/iproute2/rt_tables
> ip rule add fwmark 1 table mail.out
> ip route add default via [Second's ISP Gateway] dev ppp1 table mail.out
>

Why not use the ROUTE target ?

Let's say your normal flow goes through ppp0 by default.

def_int=ppp0
iptables -t mangle -I OUTPUT -o $def_int -p tcp --dport 25 -j ROUTE --oif
ppp1 --continue

So now, all traffic generated from the computer itself will use ppp1 as
the outgoing interface. Do not forget the --continue which means the
packet will continue traversing other rules.

> In order to make packets go out with correct source ip address :
iptables -t nat --append POSTROUTING -p tcp --dport 25 --jump SNAT=20
--to-source [Second's ISP external IP]
>

Correct.

> The current situation :
> I can see with tcpdump packets going out, and back but if I do telnet=20
someisp.com 25 I see nothing in the terminal.
>

Are you sniffing on ppp1 ?
Did you enable NAT of local connection ?

> I really don't know what can be wrong and found no answer neither in the=20
> mailing list archive, in the lartc howto or in the advanced routing
howto= .
>

I can actually not answer.  Please provide more details such as related
Conntrack entries, commands you executed to troubleshoot, etc.



-- 
Samuel Jean
SysAdmin & NetAdmin
at cookinglinux.org



-- 
Samuel Jean
SysAdmin & NetAdmin
at cookinglinux.org