LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-22-2009, 10:33 AM   #1
sank1800
LQ Newbie
 
Registered: Feb 2009
Posts: 11

Rep: Reputation: 0
Challenging situation with iptables


This is quite similar to my last post (which I solved by allowing only webmail access), but the situation is complex here.

A client is currently hosting an in-house mail server and wants to move to an ISP-hosted mail solution. Currently they are using a DSL connection with a static IP address. They have an Ubuntu box running iptables / squid to control web access, and client PCs can access the Internet only through the proxy.

The issue here is the ISP is going to give server names instead of IP addresses for SMTP / POP3 / IMAP (e.g. smtp.isp.com instead of xxx.xxx.xxx.xxx), and according to them the IPs are load-balanced and may be changed without notice if they face a Denial of Service attack / high spam load.

Since I cannot proxy those email protocols, the only solution I have is to configure the default gateway of the client PCs to the Ubuntu box and open iptables to the above service ports.

As far as I know iptables cannot control access based on domain names, so my question is: how can I tell iptables to allow connections only to the server names given by the ISP?

Thanks in advance (please note allowing only webmail is not going to work with this client).

Last edited by sank1800; 03-22-2009 at 10:49 AM.
 
Old 03-22-2009, 12:48 PM   #2
ddaemonunics
Member
 
Registered: May 2008
Location: Romania
Distribution: Debian
Posts: 242

Rep: Reputation: 41
"As far as I know iptables cannot control access based on domain names"

how did you get to this conclusion ?
 
Old 03-23-2009, 01:28 AM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by ddaemonunics View Post
"As far as I know iptables cannot control access based on domain names"

how did you get to this conclusion ?
If you execute an iptables rule using a domain name, the IP is immediately substituted for it (a lookup is performed). So if the IP for the domain ever changes, your intended configuration won't apply any more. Depending on what you were doing, you could end up denying an authorized connection, or allowing an unauthorized one. So basically, you don't ever want to use domain-based iptables rules unless you're 100% certain the IP which will be resolved won't change (or you have some means of getting the iptables configuration updated dynamically, or you don't care about the potential problems, or it's just a band-aid while you figure out what to do, etc.).

Last edited by win32sux; 03-23-2009 at 01:32 AM.
 
Old 03-24-2009, 05:01 AM   #4
sank1800
LQ Newbie
 
Registered: Feb 2009
Posts: 11

Original Poster
Rep: Reputation: 0
Hi,

Thanks for the replies. Regarding win32sux's answer, if a lookup is performed when a domain name is used, won't it automatically allow access to the new IP if the IP address for the domain name changes (iptables has access to DNS)? If I've got it wrong, please explain. Thanks.
 
Old 03-24-2009, 01:07 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by sank1800 View Post
Hi,

Thanks for the replies. Regarding win32sux's answer, if a lookup is performed when a domain name is used, won't it automatically allow access to the new IP if the IP address for the domain name changes (iptables has access to DNS)? If I've got it wrong, please explain. Thanks.
The lookup is only performed when the rule is executed - not when it's used. Therefore, whatever IP you get when it's executed will be the IP you remain with until the rule is deleted.
 
Old 03-24-2009, 05:05 PM   #6
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 163
Quote:
Originally Posted by sank1800 View Post
Hi,

Thanks for the replies. Regarding win32sux's answer, if a lookup is performed when a domain name is used, won't it automatically allow access to the new IP if the IP address for the domain name changes (iptables has access to DNS)? If I've got it wrong, please explain. Thanks.
One solution (not necessarily the best) is to write a simple script and cron it to regularly test the value of the IP address vs. the iptables rule; if they're not the same, then flush and reload iptables (which will give it the new IP at run time) (or delete the rule and re-add it, depending on how your iptables is configured).

Last edited by rweaver; 03-24-2009 at 05:11 PM.
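The cron job rweaver describes, together with the resolve-at-insert behaviour win32sux explains, as an added example that is not part of the thread: a POSIX sh script that re-resolves the ISP's names on a schedule and reconciles a dedicated iptables chain with the answers. The host names and ports, the chain name MAIL_OUT (assumed to exist and to be referenced from FORWARD, since the client PCs route through the Ubuntu box), the cron interval and the use of getent are assumptions for illustration, not anything the thread states. Two things a practitioner would want that the post does not spell out: changes are applied as a delta (the output of iptables -S compared line for line with the freshly resolved rule set) rather than a flush and reload, so the chain is never momentarily empty and rules that are still correct are left alone; and if any name fails to resolve, the script refuses to change anything, so a DNS outage does not turn into "delete every mail rule".

```shell
#!/bin/sh
# Added example, not code from the thread. Re-resolve the ISP's mail host
# names and reconcile the iptables chain MAIL_OUT with the current answers.
# Assumptions: the names/ports below are placeholders; MAIL_OUT already exists
# and is reached from FORWARD, e.g.  iptables -I FORWARD -p tcp -j MAIL_OUT
# Suggested cron line:  */10 * * * * /usr/local/sbin/mail-allow-sync apply

MAIL_HOSTS="smtp.isp.com:25 pop3.isp.com:110 imap.isp.com:143"   # placeholders
CHAIN="MAIL_OUT"                                                 # assumed chain
IPTABLES="${IPTABLES:-iptables}"

# Current IPv4 addresses for a name, one per line, via the glibc resolver
# (honours /etc/hosts and resolv.conf). Prints nothing if the name fails.
resolve_host() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# The rule set we want right now, written exactly as "iptables -S" prints
# rules so it can be compared line for line with what is loaded.
# Returns 1 without output if any name resolves to nothing.
desired_rules() {
    tmp=$(mktemp) || return 1
    for entry in $MAIL_HOSTS; do
        host=${entry%:*}
        port=${entry##*:}
        ips=$(resolve_host "$host")
        if [ -z "$ips" ]; then
            echo "refusing to update: $host did not resolve" >&2
            rm -f "$tmp"
            return 1
        fi
        for ip in $ips; do
            printf '%s %s -d %s/32 -p tcp -m tcp --dport %s -j ACCEPT\n' \
                "-A" "$CHAIN" "$ip" "$port" >>"$tmp"
        done
    done
    sort -u "$tmp"
    rm -f "$tmp"
}

# Rules currently loaded in the chain, as "-A ..." lines.
current_rules() {
    $IPTABLES -S "$CHAIN" | grep '^-A ' | sort -u
}

# Print the iptables arguments that turn rule set $1 (current) into $2
# (desired): "-D ..." for stale addresses, "-A ..." for new ones.
plan_changes() {
    cur_f=$(mktemp) && des_f=$(mktemp) || return 1
    printf '%s\n' "$1" | grep -v '^$' | sort -u >"$cur_f"
    printf '%s\n' "$2" | grep -v '^$' | sort -u >"$des_f"
    comm -23 "$cur_f" "$des_f" | sed 's/^-A /-D /'   # only in current: delete
    comm -13 "$cur_f" "$des_f"                       # only in desired: add
    rm -f "$cur_f" "$des_f"
}

# Resolve, diff, apply. Touches iptables only if every name resolved
# and the chain is present.
sync_rules() {
    $IPTABLES -S "$CHAIN" >/dev/null 2>&1 || { echo "chain $CHAIN missing" >&2; return 1; }
    want=$(desired_rules) || return 1
    have=$(current_rules) || return 1
    plan_changes "$have" "$want" | while read -r line; do
        # word splitting of $line is intended: it is an argument list
        $IPTABLES $line || echo "failed: $IPTABLES $line" >&2
    done
}

case "${1-}" in
    apply) sync_rules ;;
    plan)  plan_changes "$(current_rules)" "$(desired_rules)" ;;
esac
```

Because iptables stores only the numeric address (iptables -S never shows the name that was typed), the comparison has to be made against freshly resolved addresses, which is what desired_rules produces. The allowlist is only as trustworthy as the resolver's answers and lags the ISP's change by up to one cron interval, so keep the interval short and resolve through a resolver you control.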
 
Old 03-27-2009, 11:15 AM   #7
bslorence
LQ Newbie
 
Registered: Mar 2009
Posts: 3

Rep: Reputation: 1
Quote:
Originally Posted by sank1800 View Post
Since I cannot proxy those email protocols
What constraints are preventing you from doing this? Have you not been able to find reliable software for the job, or is it something about the customer's environment or requirements?
 
Old 03-31-2009, 11:22 PM   #8
sank1800
LQ Newbie
 
Registered: Feb 2009
Posts: 11

Original Poster
Rep: Reputation: 0
bslorence, yes, I couldn't find reliable software for this. From what I learned, Squid is not capable of this, and I couldn't find other good software. Do you have any suggestions?
 