LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 06-23-2010, 05:03 AM   #1
daveginorge
Member
 
Registered: Oct 2006
Location: Porsgrunn, Norway
Distribution: CentOS 5 / 6 / 7
Posts: 107

Rep: Reputation: 16
Using a different OUTGOING IP ADDRESS


Hi All
CentOS 5.x

I am testing my setup, which will have 2 public servers, HTTP & MAIL, both with reverse DNS established.

www.mydomain.no -> xxx.xxx.xxx.034 -> internal name server
mail.mydomain.no -> xxx.xxx.xxx.035 -> internal name mail
Both addresses are on the same NIC, with 34 being the main address.

The system works fine except for one thing. The IP address mail sends out from is the firewall address _FW. I can see why, as the default gateway set on the mail server is the FW_IP (the main gateway IP).
How can I get the MAIL server to send through its own public IP?

I understand I can change the firewall public IP to that of the mail server and that would cure the problem for now. If it's possible I would like to learn a little in the process.

Clip from a test email's routing information:
Received: from mail.mydomain.no (www.mydomain.no [xxx.xxx.xxx.34])

I have the following in my iptables script:

Code:
# PUBLIC_IP_FW & PUBLIC_IP_SP are the same but will allow future changes without major rewrite
PUBLIC_IP_FW="xxx.xxx.xxx.34"
PUBLIC_IP_SP="xxx.xxx.xxx.34"
PUBLIC_IP_MAIL="xxx.xxx.xxx.35"

# Default gateway IP Address
FW_IP="192.168.1.1"
SERVER_IP="192.168.1.10"
MAIL_IP="192.168.1.20"

SERVER_PORTS="80,443,3389,5988,6005,9991,61616"
MAIL_PORTS="25,80,110,143,443,3389"

# SERVER SERVER - HTTP HTTPS RDP BIM-SERVER - xxx.xxx.xxx.34
iptables -A FORWARD -p tcp -d $SERVER_IP -m multiport --dports $SERVER_PORTS -j ACCEPT

# MAIL SERVER - SMTP HTTP POP IMAP HTTPS RDP - xxx.xxx.xxx.35
iptables -A FORWARD -p tcp -d $MAIL_IP -m multiport --dports $MAIL_PORTS -j ACCEPT

# $LO_IP and $LOCAL_NET are defined earlier in the script (not shown in this clip)
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $FW_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $PUBLIC_IP_FW -j ACCEPT
iptables -A OUTPUT -p ALL -s $PUBLIC_IP_MAIL -j ACCEPT

# SERVER SERVER
iptables -t nat -A PREROUTING -d $PUBLIC_IP_SP -p tcp -m multiport --dports $SERVER_PORTS -j DNAT --to $SERVER_IP

# MAIL SERVER
iptables -t nat -A PREROUTING -d $PUBLIC_IP_MAIL -p tcp -m multiport --dports $MAIL_PORTS -j DNAT --to $MAIL_IP

# SERVER SERVER
iptables -t nat -A POSTROUTING -d $SERVER_IP -s $LOCAL_NET -j SNAT --to-source $FW_IP

# MAIL SERVER
iptables -t nat -A POSTROUTING -d $MAIL_IP -s $LOCAL_NET -p tcp -m multiport --dports $MAIL_PORTS -j SNAT --to-source $FW_IP

# Masquerade to internet (catch-all: every packet leaving eth1 gets this source address)
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $PUBLIC_IP_FW

Thanks for taking the time to read this.
 
Old 06-24-2010, 02:01 PM   #2
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
You put this in iptables:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $PUBLIC_IP_FW

What did you expect? iptables does its best and changes every IP that goes out of eth1 to $PUBLIC_IP_FW.

You can specify that that port set, MAIL_PORTS="25,80,110,143,443,3389", should be SNAT'ed differently.
 
Old 06-26-2010, 06:14 AM   #3
daveginorge
Member
 
Registered: Oct 2006
Location: Porsgrunn, Norway
Distribution: CentOS 5 / 6 / 7
Posts: 107

Original Poster
Rep: Reputation: 16
Thanks for the reply. I can see the error, but how do I correct it?

How do I make changes to the rule that is causing the problem,
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $PUBLIC_IP_FW

so that everything from the MAIL_IP with address PUBLIC_IP_MAIL="xxx.xxx.xxx.35" appears from that address,

and everything from the FW_IP with address PUBLIC_IP_FW="xxx.xxx.xxx.34" appears from that address,

while also maintaining local (LAN) access to both?
 
Old 06-26-2010, 06:30 AM   #4
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Look, this rule:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $PUBLIC_IP_FW

means: change the IP of EVERY packet that goes out from interface eth1 to IP=$PUBLIC_IP_FW.
That rule doesn't care about "what is inside" the traffic; it cares only about the outgoing interface.
You can add "--dports $MAIL_PORT" to that rule.
BUT you have to remember that iptables checks rules from TOP to BOTTOM, so if the most detailed rule is below the most common one, it will never be reached.

Please post the output of the command "iptables-save", WITHOUT any private IPs.
 
Old 06-26-2010, 06:39 AM   #5
daveginorge
Member
 
Registered: Oct 2006
Location: Porsgrunn, Norway
Distribution: CentOS 5 / 6 / 7
Posts: 107

Original Poster
Rep: Reputation: 16
Hi, thanks for your time.

Here is the complete output with the public info changed:
Code:
# Generated by iptables-save v1.3.5 on Sat Jun 26 13:34:22 2010
*filter
:INPUT DROP [37035:2066150]
:FORWARD DROP [6:5156]
:OUTPUT DROP [9:12040]
:okay - [0:0]
-A INPUT -s 192.168.1.0/255.255.255.0 -i eth0 -j ACCEPT 
-A INPUT -s 127.0.0.1 -i lo -j ACCEPT 
-A INPUT -s 192.168.1.1 -i lo -j ACCEPT 
-A INPUT -s xxx.xxx.xxx.34 -i lo -j ACCEPT 
-A INPUT -d 192.168.1.255 -i eth0 -j ACCEPT 
-A INPUT -d xxx.xxx.xxx.34 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i eth1 -p tcp -m tcp --dport 21 -j okay 
-A INPUT -i eth1 -p tcp -m tcp --dport 2929 -j okay 
-A INPUT -i eth1 -p udp -m udp --dport 2049 -j okay 
-A INPUT -i eth1 -p tcp -m tcp --dport 5900 -j ACCEPT 
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j okay 
-A INPUT -i eth1 -p tcp -m tcp --dport 113 -j okay 
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j DROP 
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 11 -j ACCEPT 
-A FORWARD -d 192.168.1.10 -p tcp -m multiport --dports 80,443,3389,5988,6005,9991,61616 -j ACCEPT 
-A FORWARD -d 192.168.1.20 -p tcp -m multiport --dports 25,80,110,143,443,3389 -j ACCEPT 
-A FORWARD -i eth0 -j ACCEPT 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -s 127.0.0.1 -j ACCEPT 
-A OUTPUT -s 192.168.1.1 -j ACCEPT 
-A OUTPUT -s xxx.xxx.xxx.34 -j ACCEPT 
-A OUTPUT -s xxx.xxx.xxx.35 -j ACCEPT 
-A okay -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A okay -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A okay -p tcp -j DROP 
COMMIT
# Completed on Sat Jun 26 13:34:22 2010
# Generated by iptables-save v1.3.5 on Sat Jun 26 13:34:22 2010
*nat
:PREROUTING ACCEPT [2192789:154621095]
:POSTROUTING ACCEPT [4846:269616]
:OUTPUT ACCEPT [625839:47048657]
-A PREROUTING -d xxx.xxx.xxx.34 -p tcp -m multiport --dports 80,443,3389,5988,6005,9991,61616 -j DNAT --to-destination 192.168.1.10 
-A PREROUTING -d xxx.xxx.xxx.35 -p tcp -m multiport --dports 25,80,110,143,443,3389 -j DNAT --to-destination 192.168.1.20 
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.10 -j SNAT --to-source 192.168.1.1 
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.20 -p tcp -m multiport --dports 25,80,110,143,443,3389 -j SNAT --to-source 192.168.1.1 
-A POSTROUTING -o eth1 -j SNAT --to-source xxx.xxx.xxx.34 
COMMIT
# Completed on Sat Jun 26 13:34:22 2010
 
Old 06-26-2010, 07:11 AM   #6
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Try. Type on a root console:
Code:
# inserted as rule 3 so it lands before the catch-all SNAT (the chain has only 3 rules,
# so a higher index is rejected); multiport needs -p tcp
iptables -t nat -I POSTROUTING 3 -o eth1 -p tcp -m multiport --dports 25,80,110,143,443,3389 -j SNAT --to-source $PUBLIC_IP_MAIL
Then, when you press enter, this rule will go into iptables immediately, but you need to check it.
Type "iptables-save", and in the output you have to find your new rule BETWEEN:
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 19...
--> HERE
-A POSTROUTING -o eth1 -j SNAT --to...
 
1 members found this post helpful.
Old 06-26-2010, 07:21 AM   #7
daveginorge
Member
 
Registered: Oct 2006
Location: Porsgrunn, Norway
Distribution: CentOS 5 / 6 / 7
Posts: 107

Original Poster
Rep: Reputation: 16
Hi, thanks for your reply.

Will that send all traffic on these ports, 25,80,110,143,443,3389, to $PUBLIC_IP_MAIL (xxx.xxx.xxx.35)?

We also need traffic on 80,443,3389 to be available at PUBLIC_IP_FW (xxx.xxx.xxx.34).

I'm off to try this anyway.
 
Old 06-26-2010, 07:33 AM   #8
daveginorge
Member
 
Registered: Oct 2006
Location: Porsgrunn, Norway
Distribution: CentOS 5 / 6 / 7
Posts: 107

Original Poster
Rep: Reputation: 16
Thank you nimnull22 that was the golden answer I needed.
 
Old 06-26-2010, 08:11 AM   #9
daveginorge
Member
 
Registered: Oct 2006
Location: Porsgrunn, Norway
Distribution: CentOS 5 / 6 / 7
Posts: 107

Original Poster
Rep: Reputation: 16
I was jubilant a bit too soon.

That sends all packets on those ports out from that address.

How can I configure it to send, for example, 80 443 3389:

MAIL_PORTS on MAIL_SERVER ---> PUBLIC_MAIL_IP

SERVER_PORTS on SERVER_SERVER ---> PUBLIC_FW_IP

I'm experimenting here, hoping for a breakthrough.
 
Old 06-26-2010, 08:47 AM   #10
daveginorge
Member
 
Registered: Oct 2006
Location: Porsgrunn, Norway
Distribution: CentOS 5 / 6 / 7
Posts: 107

Original Poster
Rep: Reputation: 16
Thanks to your ideas I finally got the result I was after. The final line needed was

Code:
iptables -t nat -I POSTROUTING 3 -s $MAIL_IP -p tcp -m multiport --dports 25,80,110,143,443,3389 -j SNAT --to-source $PUBLIC_IP_MAIL
So the bottom of my script looks like this:

# Masquerade to internet
Code:
# mail host first: its own public address for the defined ports
iptables -t nat -A POSTROUTING -s $MAIL_IP -p tcp -m multiport --dports $MAIL_PORTS -j SNAT --to-source $PUBLIC_IP_MAIL
# everything else leaving eth1 keeps the firewall's public address
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $PUBLIC_IP_FW
Thus allowing communication on the defined PORTS to be sourced from the defined IP_ADDRESSES.

THANKS AGAIN FOR THE HELP
 
Old 06-26-2010, 08:48 AM   #11
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
As you have already used the "-o eth1" and "--dports" instructions, you need to add something else that describes the difference. It can be a destination address, "-d x.x.x.x", if it is static.

Or, like you did, the source IP, if it is different.

And you need to add the new rules to the start script, to load them all together at every boot.

Anyway, you are welcome.

Last edited by nimnull22; 06-26-2010 at 08:52 AM.
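The ordering point made in the replies above (the source-specific SNAT for the mail host must come before the catch-all "-o eth1" SNAT, or it is never reached), as an added example that is not code from the thread or from either poster: it generates the nat POSTROUTING section for this setup in iptables-restore syntax and checks a listing in iptables-save format for that ordering, so the check can also be run against the live "iptables-save -t nat" output. The 203.0.113.x addresses stand in for the thread's xxx.xxx.xxx ones, and the names WAN_IF, nat_rules and snat_order_ok are chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the nat POSTROUTING section with
# the per-host SNAT ahead of the interface-wide SNAT and checks an iptables-save
# style listing for that ordering. 203.0.113.0/24 (TEST-NET-3) stands in for the
# thread's xxx.xxx.xxx addresses; WAN_IF, nat_rules, snat_order_ok are assumed names.

PUBLIC_IP_FW="203.0.113.34"      # stands in for the thread's xxx.xxx.xxx.34
PUBLIC_IP_MAIL="203.0.113.35"    # stands in for the thread's xxx.xxx.xxx.35
MAIL_IP="192.168.1.20"
MAIL_PORTS="25,80,110,143,443,3389"
WAN_IF="eth1"

# Emit the nat table in iptables-restore syntax. POSTROUTING stops at the first
# rule whose SNAT target matches, so the rule keyed on the mail host's source
# address must precede the catch-all. "-o $WAN_IF" on the specific rule keeps
# LAN-bound traffic out of it, and "-p tcp" is mandatory for the multiport match.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $MAIL_IP -o $WAN_IF -p tcp -m multiport --dports $MAIL_PORTS -j SNAT --to-source $PUBLIC_IP_MAIL
-A POSTROUTING -o $WAN_IF -j SNAT --to-source $PUBLIC_IP_FW
COMMIT
EOF
}

# Read an iptables-save style listing on stdin and return 0 only if the SNAT rule
# whose source is $1 appears before the catch-all "-o $2 -j SNAT" rule.
# Usage on a live box: iptables-save -t nat | snat_order_ok 192.168.1.20 eth1
snat_order_ok() {
    awk -v mail="$1" -v wan="$2" '
        /^-A POSTROUTING -s / && $0 ~ ("-s " mail " ") && /-j SNAT/ { spec = NR }
        /^-A POSTROUTING -o / && $0 ~ ("-o " wan " -j SNAT")      { all = NR }
        END { exit !(spec && all && spec < all) }'
}

# Stand-alone run (no root needed): print the ruleset and the ordering verdict.
if [ "${1:-}" = "--show" ]; then
    nat_rules
    if nat_rules | snat_order_ok "$MAIL_IP" "$WAN_IF"; then
        echo "order OK: mail host SNAT precedes the catch-all"
    else
        echo "order WRONG: the catch-all would shadow the mail host SNAT"
    fi
fi
```

The generated text replaces the whole nat table if fed to iptables-restore, so on the thread's firewall the DNAT and LAN SNAT rules from the iptables-save output would have to be merged in above these two lines; the check itself only reads a listing and is safe to run against the live table at any time.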
 