DaemonForums  
#1, 28th October 2008, dk_netsvil (Real Name: Devon)

spoofing with iptables

I'm trying to do some tricky spoofing using iptables and have had some issues. I have a /27 subnet populated by a dozen or so servers and I want outbound mail from one machine on my subnet to appear to originate from another machine on the same subnet. I've been trying to craft a rule something like

iptables -t nat -A POSTROUTING -o eth0 -s $SRCHOST -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.220

where $SRCHOST has the IP xxx.xxx.xxx.216.

I'm trying to accomplish this because I'm working with a company that assists in email delivery and they want to associate all mail sent for a domain with a single IP address. Since my web and mail servers are separate and I don't want to add to the load by adding a relay I wanted to try and use iptables to spoof the webserver IP.

Am I barking up the wrong tree?

#2, 29th October 2008, J65nko (Administrator)

Can't you use the rewriting capabilities of your mailer?

For postfix for example, this is discussed at http://www.postfix.org/ADDRESS_REWRITING_README.html
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#3, 29th October 2008, dk_netsvil

While I've used the postfix rewrite capability to rewrite a domain name I've never used those functions to spoof the sending mail server's IP address. I'm not sure that's even possible.

I have mail leaving a server at 10.254.0.1 and I need it to appear to come from 10.254.0.2 when I examine the headers. To the best of my knowledge this can't be done with address rewriting, but I'm open to suggestions.

#4, 29th October 2008, dk_netsvil

Maybe a little more information would be useful:

I have 3 mailservers behind a firewall running iptables. Each mailserver has its own private 10.254.0.x IP address and currently all outbound mail appears to come from the public IP of the firewall which I'll call xxx.xxx.xxx.210. This firewall also has the internal IP 10.254.0.1 which is the default gateway for each mailserver. Each mailserver also has an interface on the public network, but their default gateway is the internal address of the firewall.

What I had wanted to do was use iptables to spoof the IP of each mailserver's public IP for outgoing mail. What I am slowly coming to understand is that this shouldn't be possible. I don't think iptables will allow you to spoof IPs that are already in use and not assigned to the current firewall.

Is the solution to assign 3 new public IPs to the firewall as aliases and then use iptables to spoof outbound mail from each server statically mapped to each of those newly assigned alias IPs?

#5, 29th October 2008, phoenix

You have the servers behind the firewall, on a private network, but they also have public IPs assigned to the interfaces on the servers?

You need to remove the public IPs from the servers. They should only have private IPs assigned to their interfaces. The public IPs should be set on the firewall. And you should have firewall rules that do 1-to-1 NAT between the public IP and the private IP.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.

#6, 29th October 2008, dk_netsvil

These particular machines actually need their public interfaces, but I agree that I'll have to assign additional public IPs as aliases on the firewall and use static NAT to associate outbound mail with those interfaces. I was hoping to avoid using additional IPs in this /27, but it's looking unavoidable.

#7, 29th October 2008, phoenix

Yeah, you can't have two systems on the same network using the same IP(s). At least not easily. Just think about how the return packets will know where to go.
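Added example (editor's code, not from any poster in the thread): the firewall-side configuration the thread converges on in posts #4 to #7, namely one extra public alias on the firewall per mail server and a static SNAT rule keyed on that server's private address, so outbound SMTP from each server leaves with its own public source IP. It also shows why the original attempt in post #1 cannot work: if the SNAT target is an address the firewall does not own, the SYN-ACKs for the rewritten connections are delivered to whichever host really answers ARP for that address, and the firewall's conntrack entry never sees a reply. Assumed names: `eth0` is the firewall's public interface; 10.254.0.11-13 and the documentation addresses 203.0.113.211-213 are constructed stand-ins for the thread's private hosts and its xxx.xxx.xxx.x /27 aliases.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders (and optionally applies) the
# per-server alias + SNAT setup for outbound SMTP on a Linux iptables firewall.
# Assumptions: WAN_IF is the public interface, the public subnet is a /27 as in
# the thread, and SMTP_SNAT_MAP below is a constructed sample mapping.

WAN_IF="${WAN_IF:-eth0}"
PUBLIC_PREFIX="${PUBLIC_PREFIX:-27}"

# Constructed mapping: "<private IP of mail server> <public alias on the firewall>"
SMTP_SNAT_MAP='10.254.0.11 203.0.113.211
10.254.0.12 203.0.113.212
10.254.0.13 203.0.113.213'

# Commands for one server. The alias is added on the firewall itself so the
# firewall answers ARP for it and return packets come back through conntrack.
# -I (insert) puts the specific rule ahead of the catch-all MASQUERADE/SNAT
# that currently makes everything appear to come from the firewall's main IP,
# because nat POSTROUTING is first match wins.
snat_cmds_for() {
    internal="$1"
    public="$2"
    printf 'ip addr add %s/%s dev %s\n' "$public" "$PUBLIC_PREFIX" "$WAN_IF"
    printf 'iptables -t nat -I POSTROUTING -o %s -s %s -p tcp --dport 25 -j SNAT --to-source %s\n' \
        "$WAN_IF" "$internal" "$public"
}

# Dry run: print every command for the whole mapping, one per line.
render_smtp_snat() {
    printf '%s\n' "$SMTP_SNAT_MAP" | while read -r internal public; do
        [ -n "$internal" ] && [ -n "$public" ] || continue
        snat_cmds_for "$internal" "$public"
    done
}

# Return 0 if the given public address is already configured on WAN_IF.
alias_is_local() {
    ip -4 -o addr show dev "$WAN_IF" 2>/dev/null | grep -q " inet $1/"
}

# Apply for real: root only, and skip alias adds that are already present.
apply_smtp_snat() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_smtp_snat: must run as root" >&2; return 1; }
    render_smtp_snat | while read -r cmd; do
        case "$cmd" in
            "ip addr add "*)
                set -- $cmd                      # $4 is "<addr>/<prefix>"
                alias_is_local "${4%/*}" && continue
                ;;
        esac
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

if [ "${SMTP_SNAT_APPLY:-0}" = 1 ]; then
    apply_smtp_snat
else
    render_smtp_snat
fi
```

Run it without arguments to preview the commands, or as root with `SMTP_SNAT_APPLY=1` to apply them. Verify on the firewall with `iptables -t nat -L POSTROUTING -n -v` (the per-server rules must sit above the catch-all) and, in the spirit of the signature above, `tcpdump -ni eth0 tcp port 25`: the source address of each server's outbound SMTP should now be its alias. The rules and aliases are not persistent across a reboot, and the matching inbound 1-to-1 DNAT that phoenix mentions is a separate rule not shown here. For the deliverability goal in post #1, the alias will also need the forward and reverse DNS the delivery company expects, which iptables cannot provide.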