Old 11-04-2009, 07:47 AM   #1
codenjanod
IPTables How to make outgoing traffic show from a different IP address


Hi all,

I have a Linux IPTables firewall on Centos 5.3.
It has one physical interface to the internet and 2 internal interfaces to a DMZ and TRUSTED zone respectively.

There are 10 virtual interfaces linked to the physical public interface.

Emails are being sent from my server in the DMZ out to the internet, but they are being shown as coming from the firewall IP address.
They must show as coming from one of the virtual interfaces.

How would I set that up ??

Thanks
 
Old 11-04-2009, 10:20 AM   #2
bertl
Do you have a range of IP addresses assigned from your provider - are the aliases on the public interface actual routable addresses?

If not (if you only have one IP assigned) you won't be able to do this - only that one IP will be found from the Internet, any other isn't routable to you so you can't use anything else for public Internet communication.

Considering all those addresses are valid and routable, you currently apparently have one catch all nat rule set up, maybe something like

Code:
# iptables -t nat -A POSTROUTING -s DMZ-range/24 -o public_eth0 -j MASQUERADE
or

Code:
# iptables -t nat -A POSTROUTING -s DMZ-range/24 -o public_eth0 -j SNAT --to first-ip-on-public_eth0
If you want something specific for your mail host and your mail host has a non routable IP (172.17.x? 192.168.x? 10.x.y.z?) then you could do

Code:
# iptables -t nat -A POSTROUTING -s dmz-ip-of-mail-host -o public_eth0 -j SNAT --to alias-ip-of-your-liking
If it actually has its own routable/public IP, you can just forward, you shouldn't do any NAT.

Apart from all this you'll still have to drill appropriate holes in your iptables filter chains, and especially make sure you don't leave open too much of your nicely firewalled off DMZ.

-Bert
 
Old 11-05-2009, 12:23 AM   #3
codenjanod

Hi bertl,

This is what I currently have in my script for this client:

Code:
# filter table: let inbound SMTP through to the DMZ mail host
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SMTP_EB1 --dport 25 -j allowed
Code:
# nat table: inbound SMTP to the virtual public IP is DNATed to the DMZ mail host
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $VIRT_PUBL_IP --dport 25 -j DNAT --to-destination $DMZ_SMTP_EB1

And the only SNAT rule I do have is:

Code:
# catch-all: everything leaving on the internet interface is rewritten to the firewall's public IP
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
Where:
$INET_IFACE = eth0
$DMZ_IFACE = eth2
$DMZ_SMTP_EB1 = Private IP of my DMZ SMTP server
$VIRT_PUBL_IP = Public IP the client is connecting to and needs to send from
$INET_IP = The public IP of the firewall

And when SMTP traffic leaves the system it is shown that it is coming from the firewall public IP address, instead of the $VIRT_PUBL_IP
This is my first firewall script and I am still learning, so thanks a bunch for your help so far.


Thanks

 
Old 11-05-2009, 02:51 AM   #4
codenjanod

Hi,

I managed to sort it out.
This is what I did.

All the incoming NATs were fine, but we have various clients sending out emails from one of our DMZ servers.
One specific client did not want to go out via the default SMTP public IP address, so I had to create a virtual IP address.

My rules basically looked like this:

Code:
# per-client SNAT: outbound SMTP from the DMZ mail host to this client's destination leaves on the virtual IP
$IPTABLES -t nat -A POSTROUTING -p TCP -o $INET_IFACE -s $DMZ_SMTP_EB1 --dport 25 -d <DST_IP> -j SNAT --to $Vrt_216_IP
The above will allow this client to go out on the specific IP address they want to go out on.

And the below rules keep the SMTP traffic for the rest of the clients the same.

Code:
# default SNAT for all other outbound traffic from each DMZ mail host
$IPTABLES -t nat -A POSTROUTING -p TCP -o $INET_IFACE -s $DMZ_SMTP_EB1 -j SNAT --to $SMTP_EB_EXT_IP

$IPTABLES -t nat -A POSTROUTING -p TCP -o $INET_IFACE -s $DMZ_SMTP_EM1 -j SNAT --to $SMTP_EM_EXT_IP

Thanks for the tips
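The detail both bertl's per-host SNAT rule and codenjanod's final rules depend on is ordering: in the nat table the first rule that matches wins and SNAT is a terminating target, so a catch-all `-j SNAT --to-source $INET_IP` that sits before the per-host rule silently rewrites the mail host's packets to the firewall IP. The script below is an added example, not code from the thread or from either poster; it reuses the thread's variable names, but the addresses (203.0.113.0/24 and 10.0.0.25) are constructed samples, the `IPTABLES=echo` dry-run convention is an assumption, and the audit function expects `iptables -t nat -S POSTROUTING` output on stdin.

```shell
#!/bin/sh
# Added example (not from the thread): emit the POSTROUTING SNAT rules in the
# order iptables needs, and audit an existing listing for a shadowing catch-all.
# Variable names follow the thread's script; the addresses are constructed samples.

IPTABLES=${IPTABLES:-/sbin/iptables}          # set IPTABLES=echo for a dry run
INET_IFACE=${INET_IFACE:-eth0}
INET_IP=${INET_IP:-203.0.113.1}               # firewall public IP (sample)
DMZ_SMTP_EB1=${DMZ_SMTP_EB1:-10.0.0.25}       # DMZ mail host (sample)
VIRT_PUBL_IP=${VIRT_PUBL_IP:-203.0.113.16}    # alias the mail must leave from (sample)

# Per-host SNAT first, catch-all last. The nat table is first-match-wins and
# SNAT terminates rule traversal, so a catch-all appended earlier would rewrite
# the mail host's SMTP packets before the specific rule is ever consulted.
build_postrouting_rules() {
    "$IPTABLES" -t nat -A POSTROUTING -p tcp -o "$INET_IFACE" \
        -s "$DMZ_SMTP_EB1" --dport 25 -j SNAT --to-source "$VIRT_PUBL_IP"
    "$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
}

# Audit a listing in `iptables -t nat -S POSTROUTING` form read from stdin.
# Returns 1 if a catch-all SNAT (no -s and no --dport) on the internet
# interface precedes any per-host SNAT on that interface, 0 otherwise.
audit_postrouting() {
    awk -v iface="$INET_IFACE" '
        /-A POSTROUTING/ && /-j SNAT/ && index($0, "-o " iface) {
            if ($0 !~ /-s / && $0 !~ /--dport/) { catchall = NR }
            else if (catchall) { shadowed = 1 }
        }
        END { exit shadowed ? 1 : 0 }'
}

# Usage: sh snat-order.sh apply | dry-run | audit < listing
case "${1:-}" in
    apply)   build_postrouting_rules ;;
    dry-run) IPTABLES=echo; build_postrouting_rules ;;
    audit)   audit_postrouting && echo "POSTROUTING order OK" ;;
esac
```

Run `iptables -t nat -S POSTROUTING | sh snat-order.sh audit` on the firewall to confirm that no catch-all SNAT shadows the per-host rule; a non-zero exit means the mail host's traffic will still leave on `$INET_IP`. Restricting the per-host rule to `-p tcp --dport 25` keeps every other service on that host behind the default address.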
 
Old 11-05-2009, 01:10 PM   #5
bertl
Glad it worked out!
 