How to make a multi-homed host use one IP for a NAT'ed host

Greg Cope gregcope at gmail.com
Thu Apr 21 16:18:03 CEST 2005


Hi all,

Hum... not quite working for me yet, nearly there but I get the error:

"MARK: can only be called from "mangle" table, not "nat""

So I used:

iptables -A PREROUTING -i eth0 -t mangle -s $DMZ_HOST_IP -p tcp --dport 25 -j MARK --set-mark 2

Q: Is eth0 correct, as this is the red/INET IFACE and not the DMZ dev IFACE (that would be eth1)?

And then:

ip route add table $IPROUTE2_SMTP_TABLE dev $INET_IFACE src $MAIL_INET_ALIAS
ip route add table $IPROUTE2_SMTP_TABLE default via $INET_IP
ip rule add fwmark $SMTP_MARK table $IPROUTE2_SMTP_TABLE

Where $SMTP_MARK=2 and IPROUTE2_SMTP_TABLE=smtp.out

I have "echo 25 smtp.out >> /etc/iproute2/rt_tables"

Packets still come from the "wrong" ip address

Any suggestions?

Thanks.

Greg

On 4/21/05, Greg Cope <gregcope at gmail.com> wrote:
> Wow - Thanks!
> 
> Your synopsis is correct.
> 
> Here is my spin on your excellent advice:
> 
> I've assumed that SMTP_MARK is just an integer label
> SMTP_MARK=999
> 
> $IPTABLES -t nat -A OUTPUT -s $DMZ_MAIL_IP -p tcp --sport 25 -j MARK --set-mark $SMTP_MARK
> 
> Quick question - this marks only packets from the DMZ_MAIL_IP that use
> TCP and are from sport 25, whereas my mailserver picks high ports to
> connect to exterior SMTP servers, so I might change this to:
> 
> $IPTABLES -t nat -A OUTPUT -s $DMZ_MAIL_IP -p tcp --dport 25 -j MARK --set-mark $SMTP_MARK
> 
> I.e. if the dest port matches (i.e. an SMTP server) it gets marked
> 
> ip route add table $IPRoute2_SMTP_Table dev $MAIL_INET_ALIAS_IFACE src $MAIL_INET_ALIAS
> ip route add table $IPRoute2_SMTP_Table default via $INET_IP
> ip rule add fwmark $SMTP_MARK table $IPRoute2_SMTP_Table
> 
> Can you elaborate on $IPRoute2_SMTP_Table - I assume I need to add a
> line to /etc/iproute2/rt_tables like:
> 
> 250     smtp
> 
> Any good concise how-to's on this?
> 
> Again many thanks for the excellent and prompt reply!
> 
> Greg
> 
> On 4/21/05, Taylor Grant <gtaylor at riverviewtech.net> wrote:
> > Greg, if I understand you correctly you have a system that is multi-homed with one of its IP addresses being port forwarded to a DMZ server?  What happens is that your DMZ server replies back to your router / firewall which then in turn sends the traffic out its default route with a source IP of something other than what you want your SMTP traffic to use?  If this is the case you need to do a few things to get your traffic to go out the interface that you want with the IP that you want.
> >
> > For starters you will need to use IPTables to mark the traffic that is coming in to your router / firewall from the DMZ mail server.
> > Second you will need to create a new routing table for this traffic via something like the following:
> >
> > iptables -t nat -A OUTPUT -s $DMZ_Server_IP -p tcp --sport 25 -j MARK --set-mark $SMTP_Mark
> > ip route add table $IPRoute2_SMTP_Table dev $DEV_of_SMTP_network_interface_or_alias src $IP_of_DEV_of_SMTP_network_interface_or_alias
> > ip route add table $IPRoute2_SMTP_Table default via $Default_INet_Gateway
> > ip rule add fwmark $SMTP_Mark table $IPRoute2_SMTP_Table
> >
> > Where:
> > $DMZ_Server_IP is the internal LAN ip of your SMTP server in the DMZ.
> > $SMTP_Mark is the value you want to use to mark the packets that need to use the alternate route.
> > $IPRoute2_SMTP_Table is the name as it appears in /etc/iproute2/rt_tables or the number of the table that you want to use.
> > $DEV_of_SMTP_network_interface_or_alias is the device name or alias of your network interface that you want all SMTP traffic to use.
> > $IP_of_DEV_of_SMTP_network_interface_or_alias is the IP address of the device name or alias of your network interface that you want all SMTP traffic to use.
> > $Default_INet_Gateway is the IP address of your internet gateway.
> >
> > This should cause any SMTP traffic (source port 25 from the SMTP server) to go out a different interface / alias and thus use a different source IP when the traffic is sent out to the world.  If you have any questions or need more help let me know and I'll see what I can do.
> >
> >
> > Greg Cope wrote:
> > > Hi All,
> > >
> > > I have a multi-homed router/firewall.
> > >
> > > One IP address is the default router gateway address
> > >
> > > Three other (virtual) IPs are for applications (one of which is SMTP).
> > >
> > > My mailserver is on a NAT'ed DMZ.
> > >
> > > However when it sends mail the router uses the default gateway address
> > > as opposed to the SMTP IP address.
> > >
> > > This upsets reverse DNS lookups as it now appears to come from the
> > > router as opposed to the mail IP (that has the correct reverse IP
> > > address lookup).
> > >
> > > Any ideas?
> > >
> > > Greg
> >
>
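The fwmark setup the thread converges on, written out as an added example (these are not Greg's or Taylor's commands): the MARK rule lives in the mangle table and matches on the DMZ-facing interface in PREROUTING, the rt_tables edit is made idempotent, and an SNAT rule for the marked flow is added, because a policy route's "src" only chooses the address for packets the firewall itself originates, not for forwarded, masqueraded DMZ traffic. All addresses, interface names and the table id/name are constructed placeholders; by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not the thread's own commands: generate (or, with RUN= , apply) the
# setup that pins a NAT'ed DMZ mail host's outbound SMTP to one public alias.
# Every address, interface and table id below is a constructed placeholder.
DMZ_HOST_IP="${DMZ_HOST_IP:-10.0.1.25}"              # mail server inside the DMZ
DMZ_IFACE="${DMZ_IFACE:-eth1}"                       # firewall interface facing the DMZ
INET_IFACE="${INET_IFACE:-eth0}"                     # firewall interface facing the Internet
INET_GW="${INET_GW:-198.51.100.1}"                   # upstream default gateway
MAIL_INET_ALIAS="${MAIL_INET_ALIAS:-198.51.100.25}"  # public IP whose PTR names the mail host
SMTP_MARK="${SMTP_MARK:-2}"
SMTP_TABLE_ID="${SMTP_TABLE_ID:-25}"
SMTP_TABLE="${SMTP_TABLE:-smtp.out}"
RUN="${RUN:-echo}"   # "echo" prints the commands; export RUN= to execute them as root

# Register the table once. A plain "echo ... >> rt_tables" appends a duplicate line
# every time the firewall script is re-run.
ensure_rt_table() {  # $1 = path of the rt_tables file
    grep -qE "^${SMTP_TABLE_ID}[[:space:]]+${SMTP_TABLE}\$" "$1" 2>/dev/null \
        || printf '%s\t%s\n' "$SMTP_TABLE_ID" "$SMTP_TABLE" >> "$1"
}

# MARK is only valid in the mangle table, and the packets are forwarded traffic,
# so they are seen in PREROUTING on the DMZ-facing interface, never in OUTPUT.
mark_rules() {
    $RUN iptables -t mangle -A PREROUTING -i "$DMZ_IFACE" -s "$DMZ_HOST_IP" \
        -p tcp --dport 25 -j MARK --set-mark "$SMTP_MARK"
}

# Marked flows use their own table: same gateway, alias as preferred source.
route_rules() {
    $RUN ip route add table "$SMTP_TABLE" default via "$INET_GW" \
        dev "$INET_IFACE" src "$MAIL_INET_ALIAS"
    $RUN ip rule add fwmark "$SMTP_MARK" table "$SMTP_TABLE"
}

# The route's "src" only picks the address for locally generated packets. A
# masqueraded DMZ host still leaves with the interface's primary address unless
# the marked flow is SNATed to the alias; insert this ahead of any MASQUERADE rule.
snat_rule() {
    $RUN iptables -t nat -I POSTROUTING 1 -o "$INET_IFACE" -m mark --mark "$SMTP_MARK" \
        -j SNAT --to-source "$MAIL_INET_ALIAS"
}

apply_all() {  # $1 = rt_tables path (normally /etc/iproute2/rt_tables)
    ensure_rt_table "$1" && mark_rules && route_rules && snat_rule
}
```

After applying for real, `ip rule show` and `ip route show table smtp.out` confirm the policy route, and `iptables -t nat -L POSTROUTING -n --line-numbers` confirms the SNAT rule sits before the general MASQUERADE rule.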


