SMTP routing woes...
Scott
gneamob at yahoo.com
Fri Mar 11 14:17:27 CET 2005
Hello everyone, I am a new subscriber and longtime linux/netfilter user. On a remote host we've got an ISP who has blocked all outgoing SMTP traffic except to its own SMTP servers due to its IP ranges being abused by spammers and open relays. We run a legit exim4+spamassassin+clamav with all relays turned off except for authenticated MX domains. However, this is not good enough for the ISP, so we need to implement a fix to our other 'good' hosts. I have read many documents and other googled sources, including David Coulsen's articles, and yet finding a solution that fits this problem is simply not working. Perhaps someone on here can lead me in the right direction, because we are losing emails in a negative manner. It is my understanding thus far that I am missing a POSTROUTING rule but I don't know how to form it properly; I've tried several with no success. Here's the setup:
main routing table:
10.0.8.1 dev tun0 proto kernel scope link src 10.0.8.2
X.X.X.X dev ppp0 proto kernel scope link src Y.Y.Y.Y
10.0.8.0/30 via 10.0.8.1 dev tun0
W.W.W.W/NM dev tun0 scope link
W.W.W.W/NM dev eth1 proto kernel scope link src W.W.W.Z
10.1.9.0/27 dev eth1 proto kernel scope link src 10.1.9.1
default via X.X.X.X dev ppp0
routing table rules:
0: from all lookup local
20: from all fwmark 0x7 lookup smtp
21: from W.W.W.W/NM lookup tun
21: from W.W.W.W/NM lookup vpn
21: from W.W.W.W/NM lookup lan
29: from 10.0.8.1 lookup tun
29: from 10.0.8.2 lookup tun
41: from X.X.X.X lookup sbc
51: from 10.1.9.0/27 lookup lan
32766: from all lookup main
32767: from all lookup default
routing rules defined in /etc/iproute/rt_tables:
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
1 inr.ruhep
20 lan
30 vpn
40 tun
50 sbc
100 smtp
script that sets up routing:
ip ro a default via 10.0.8.1 table tun pref 20
ip ru a from 10.0.8.1 lookup tun pref 29
ip ru a from 10.0.8.2 lookup tun pref 29
ip ro a default via Y.Y.Y.Y table sbc pref 40
ip ru a from X.X.X.X/32 lookup sbc pref 41
ip ro a default via W.W.W.Z table vpn pref 21
ip ru a from W.W.W.W/NM lookup tun pref 21
ip ru a from W.W.W.W/NM lookup vpn pref 21
ip ru a from W.W.W.W/NM lookup lan pref 21
ip ru a from 10.1.9.0/27 lookup lan pref 51
ip ru a fwmark 7 lookup smtp
route add -net W.W.W.W netmask M.A.S.K tun0
firewall rules:
*nat
:PREROUTING ACCEPT [48:2979]
:POSTROUTING ACCEPT [44:3015]
:OUTPUT ACCEPT [44:3015]
-A PREROUTING -s 10.1.9.0/255.255.255.224 -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.9.1:3128
-A POSTROUTING -s 10.1.9.0/255.255.255.224 -o ppp0 -j SNAT --to-source Y.Y.Y.Y
COMMIT
*mangle
:PREROUTING ACCEPT [2942:265470]
:INPUT ACCEPT [2604:239332]
:FORWARD ACCEPT [338:26138]
:OUTPUT ACCEPT [2891:533173]
:POSTROUTING ACCEPT [3234:559411]
-A PREROUTING -p tcp -m tcp --dport 25 -j TOS --set-tos 0x02
-A PREROUTING -p tcp -m tcp --dport 25 -j MARK --set-mark 0x7
-A PREROUTING -p tcp -m tcp --dport 25 -j RETURN
-A INPUT -i ppp0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A INPUT -i ppp0 -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -i ppp0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-A INPUT -i ppp0 -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -i ppp0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i ppp0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A OUTPUT -p tcp -m tcp --dport 25 -j TOS --set-tos Minimize-Cost
-A OUTPUT -p tcp -m tcp --dport 25 -j MARK --set-mark 0x7
COMMIT
*filter
:INPUT DROP [5:140]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2891:533173]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 30/min -j LOG --log-prefix "INPUT: " --log-level 7
-A INPUT -m limit --limit 30/min -j LOG --log-prefix "Default DROP - INPUT chain:" --log-level 5
-A INPUT -d 192.168.0.0/255.255.0.0 -m limit --limit 30/min -j LOG --log-prefix "PPPoE DROP:" --log-level 5
-A INPUT -d 10.1.9.0/255.255.255.224 -m limit --limit 30/min -j LOG --log-prefix "LAN DROP - INPUT chain:" --log-level 5
-A INPUT -d W.W.W.W/M.A.S.K -m limit --limit 30/min -j LOG --log-prefix "VPN DROP - INPUT chain:" --log-level 5
-A INPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -i lo -p icmp -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -i lo -p tcp -m tcp -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -i lo -p udp -m udp -j ACCEPT
-A INPUT -s 127.0.0.1/255.0.0.0 -d 127.0.0.1/255.0.0.0 -i lo -p tcp -m tcp -j ACCEPT
-A INPUT -s 127.0.0.1/255.0.0.0 -d 127.0.0.1/255.0.0.0 -i lo -p udp -m udp -j ACCEPT
-A INPUT -s 10.1.9.0/255.255.255.224 -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "IPT FORWARD packet died: " --log-level 7
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -p icmp -m limit --limit 12/hour --limit-burst 1 -m icmp --icmp-type 8 -j LOG --log-prefix "ICMP flood: " --log-level 5
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 12/hour --limit-burst 1 -j LOG --log-prefix "SYN flood (Nmap SYN Scan?): " --log-level 5
-A FORWARD -s 10.1.9.0/255.255.255.224 -i eth1 -o ppp0 -j ACCEPT
-A FORWARD -s W.W.W.W/M.A.S.K -i eth1 -o tun0 -j ACCEPT
-A FORWARD -s W.W.W.W/M.A.S.K -i eth1 -o eth1 -j ACCEPT
-A FORWARD -p 11 -j DROP
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
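Not part of Scott's post, nor of netfilter or iproute2: an added Python checker that audits a fwmark-based policy-routing setup like the one listed above for the three mismatches a practitioner checks first (an ip rule that selects a table no route is ever added to, a mark set in mangle that no ip rule matches, and a policy table whose egress interface has no SNAT/MASQUERADE in nat POSTROUTING). The inputs are constructed from the listings in this post, with the X/Y/W placeholders kept as written.

```python
import re

# Inputs constructed from the listings in the post above; Scott's X/Y/W
# placeholders are kept as written, so those gateways cannot be resolved.
MAIN_TABLE = """\
10.0.8.1 dev tun0 proto kernel scope link src 10.0.8.2
X.X.X.X dev ppp0 proto kernel scope link src Y.Y.Y.Y
10.1.9.0/27 dev eth1 proto kernel scope link src 10.1.9.1
default via X.X.X.X dev ppp0
"""
ROUTE_SCRIPT = """\
ip ro a default via 10.0.8.1 table tun pref 20
ip ro a default via Y.Y.Y.Y table sbc pref 40
ip ro a default via W.W.W.Z table vpn pref 21
ip ru a from 10.1.9.0/27 lookup lan pref 51
ip ru a fwmark 7 lookup smtp
"""
MANGLE = "-A OUTPUT -p tcp -m tcp --dport 25 -j MARK --set-mark 0x7\n"
NAT = "-A POSTROUTING -s 10.1.9.0/255.255.255.224 -o ppp0 -j SNAT --to-source Y.Y.Y.Y\n"

def as_mark(text):
    """Parse '7', '0x7' or '0x7/0xffffffff' to an int so the spellings compare equal."""
    return int(text.split("/")[0], 0)

def audit(main_table, script, mangle, nat):
    """Return a list of findings about a fwmark-based policy-routing setup."""
    findings = []
    # 1. Every table an 'ip rule' points at must actually receive a route;
    #    a rule that selects an empty table just falls through to the next rule.
    wanted = set(re.findall(r"lookup (\S+)", script))
    routed = set(re.findall(r"\btable (\S+)", script))
    for t in sorted(wanted - routed - {"local", "main", "default"}):
        findings.append(f"table {t}: a rule selects it but no route is added to it")
    # 2. A mark set by netfilter does nothing unless an ip rule matches on it.
    set_marks = {as_mark(m) for m in re.findall(r"--set-mark (\S+)", mangle)}
    rule_marks = {as_mark(m) for m in re.findall(r"fwmark (\S+)", script)}
    for m in sorted(set_marks - rule_marks):
        findings.append(f"mark {m:#x}: set by netfilter but no ip rule selects on it")
    # 3. Marked traffic leaves through the interface of the table's gateway,
    #    so nat POSTROUTING needs SNAT/MASQUERADE on that interface as well.
    gw_dev = {f[0]: f[2] for f in (l.split() for l in main_table.splitlines())
              if len(f) > 2 and f[1] == "dev"}
    snat_devs = set(re.findall(r"-o (\S+).*-j (?:SNAT|MASQUERADE)", nat))
    for gw, t in re.findall(r"default via (\S+) table (\S+)", script):
        dev = gw_dev.get(gw)
        if dev and dev not in snat_devs:
            findings.append(f"table {t}: exits via {dev}, which has no SNAT/MASQUERADE rule")
    return findings
```

Calling audit(MAIN_TABLE, ROUTE_SCRIPT, MANGLE, NAT) returns one finding per mismatch; on the listings above it reports the lan and smtp tables as selected but never routed, and tun0 as an egress interface without a SNAT rule.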