Re: Pb : Routing with multiples interfaces

To: Frédéric Massot <frederic@juliana-multimedia.com>
Cc: debian-firewall@lists.debian.org
Subject: Re: Pb : Routing with multiples interfaces
From: Hans van Kranenburg <od251@xs4all.nl>
Date: Tue, 12 Sep 2006 12:52:30 +0200
Message-id: <[🔎] 4506916E.4040007@xs4all.nl>
In-reply-to: <[🔎] 45068546.9040709@juliana-multimedia.com>
References: <[🔎] 450198AA.9070809@juliana-multimedia.com> <[🔎] 4501B1ED.5090509@xs4all.nl> <[🔎] 45057D91.9090707@juliana-multimedia.com> <[🔎] 45059A87.1000904@xs4all.nl> <[🔎] 45068546.9040709@juliana-multimedia.com>

Frédéric Massot wrote:
> Hans van Kranenburg wrote:
>> Frédéric Massot wrote:
>>
> [...]
>>
>>> Thes Linux Box receives the internal mail on its internal interface.
>>> Postfix/Amavis/Clamav/Spamassassin check this mail and sends it on the
>>> LL interface ($INTERFACE_LL - $IP_LL).
>>
>> Why don't you use the -o smtp_bind_address option in Postfix? Much less
>> complex setup... When Postfix chooses to bind to a specific outgoing
>> address the routing tables will follow that and choose the right
>> interface according to it.
>>
> 
> This Linux Box receives the internal mail on its LAN interface and sends
> it on the LL interface. And it receives the external mail on these 3
> external interfaces (DSL1, DSL2, LL) and sends it on the LAN interface.
> I think that I cannot bind the smtp daemon on LL interface.

Incorrect. The smtp daemon (listens on 25, receives mail) and the smtp
client process (connects to port 25 and sends mail) are different things.

Configuring on what interfaces mail is received:
http://www.postfix.org/postconf.5.html#inet_interfaces

Configuring what interface/source address is used for sending mail:
http://www.postfix.org/postconf.5.html#smtp_bind_address

>>> I use these rules to mark the paquets :
>>>
>>> iptables -t mangle -A OUTPUT -o $INTERFACE_DSL1 -p tcp --dport 25 -j
>>> MARK --set-mark 0x25
>>> iptables -t mangle -A OUTPUT -o $INTERFACE_DSL2 -p tcp --dport 25 -j
>>> MARK --set-mark 0x25
>>> iptables -t mangle -A OUTPUT -o $INTERFACE_LL -p tcp --dport 25 -j MARK
>>> --set-mark 0x25
>>
>>
>> I don't think this is correct, but i'm not really sure. I guess it's
>> more appropriate to filter using the destination IP than using outgoing
>> interface names, because we don't know the -o interface yet here...
>>
> [...]
>>
>> So probably using the destination IP for deciding which packets to mark
>> sounds like a better idea:
>>
>> iptables -t mangle -A OUTPUT -o ! in.ter.nal/msk -p tcp --dport 25 -j
>> MARK --set-mark 0x25
>>
> 
> Ok, with the new routing table and the new mark rule, it seems that the
> routing is more correct. :o)
> 
> ip rule add prio 103 fwmark 0x25 table 204
> ip route add default via $GATEWAY_LL dev $INTERFACE_LL proto static
> table 204
> 
> iptables -t mangle -A OUTPUT -d ! $INTERNAL_LAN -p tcp --dport 25 -j
> MARK --set-mark 0x25
> 
> 
> 
> Thank you for your answers.

\o/

Hans

Reply to:

References:
- Pb : Routing with multiples interfaces
  - From: Frédéric Massot <frederic@juliana-multimedia.com>
- Re: Pb : Routing with multiples interfaces
  - From: Hans van Kranenburg <od251@xs4all.nl>
- Re: Pb : Routing with multiples interfaces
  - From: Frédéric Massot <frederic@juliana-multimedia.com>
- Re: Pb : Routing with multiples interfaces
  - From: Hans van Kranenburg <od251@xs4all.nl>
- Re: Pb : Routing with multiples interfaces
  - From: Frédéric Massot <frederic@juliana-multimedia.com>

Prev by Date: Re: Pb : Routing with multiples interfaces
Next by Date: Re: Pb : Routing with multiples interfaces
Previous by thread: Re: Pb : Routing with multiples interfaces
Next by thread: Re: Pb : Routing with multiples interfaces
Index(es):
- Date
- Thread