spoofing with iptables
I'm trying to do some tricky spoofing using iptables and have had some issues. I have a /27 subnet populated by a dozen or so servers and I want outbound mail from one machine on my subnet to appear to originate from another machine on the same subnet. I've been trying to craft a rule something like

iptables -t nat -A POSTROUTING -o eth0 -s $SRCHOST -p tcp --dport 25 -j SNAT --to xxx.xxx.xxx.220

where $SRCHOST has the IP xxx.xxx.xxx.216. I'm trying to accomplish this because I'm working with a company that assists in email delivery and they want to associate all mail sent for a domain with a single IP address. Since my web and mail servers are separate and I don't want to add to the load by adding a relay I wanted to try and use iptables to spoof the webserver IP. Am I barking up the wrong tree?
Cannot you use the rewriting capabilities of your mailer?
For postfix for example, this is discussed at http://www.postfix.org/ADDRESS_REWRITING_README.html
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

While I've used the postfix rewrite capability to rewrite a domain name I've never used those functions to spoof the sending mail server's IP address. I'm not sure that's even possible.
I have mail leaving a server at 10.254.0.1 and I need it to appear to come from 10.254.0.2 when I examine the headers. To the best of my knowledge this can't be done with address rewriting, but I'm open to suggestions.

Maybe a little more information would be useful:
I have 3 mailservers behind a firewall running iptables. Each mailserver has its own private 10.254.0.x IP address and currently all outbound mail appears to come from the public IP of the firewall which I'll call xxx.xxx.xxx.210. This firewall also has the internal IP 10.254.0.1 which is the default gateway for each mailserver. Each mailserver also has an interface on the public network, but their default gateway is the internal address of the firewall. What I had wanted to do was use iptables to spoof the IP of each mailserver's public IP for outgoing mail. What I am slowly coming to understand is that this shouldn't be possible. I don't think iptables will allow you to spoof IPs that are already in use and not assigned to the current firewall. Is the solution to assign 3 new public IPs to the firewall as aliases and then use iptables to spoof outbound mail from each server statically mapped to each of those newly assigned alias IPs?

These particular machines actually need their public interfaces, but I agree that I'll have to assign additional public IPs as aliases on the firewall and use static NAT to associate outbound mail with those interfaces. I was hoping to avoid using additional IPs in this /27, but it's looking unavoidable.
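The per-server static SNAT the thread ends up with, as an added example that is not from any poster in this thread. It assumes constructed addresses (aliases 192.0.2.211-213 on eth0 of the firewall, mailservers at 10.254.0.2-4) and refuses any mapping whose public address the firewall does not own, which is the case the first post tried and that cannot work because the replies would be delivered to the other host instead of the firewall's conntrack table.

```shell
#!/bin/sh
# Static SNAT of outbound SMTP per mailserver (constructed example).
# Format: "internal_ip:public_alias", one entry per mailserver.
MAILSERVERS="10.254.0.2:192.0.2.211 10.254.0.3:192.0.2.212 10.254.0.4:192.0.2.213"
PREFIX=27      # the /27 the aliases live in
IFACE=eth0     # public interface of the firewall

# Addresses the firewall actually owns (read from the running system).
local_addrs() {
    ip -4 -o addr show 2>/dev/null | awk '{print $4}' | cut -d/ -f1
}

# is_local ADDR LOCAL... -> 0 if ADDR is one of LOCAL...
is_local() {
    addr=$1; shift
    for l in "$@"; do
        [ "$l" = "$addr" ] && return 0
    done
    return 1
}

# alias_cmds: the commands that give the firewall the public aliases.
alias_cmds() {
    for pair in $MAILSERVERS; do
        printf 'ip addr add %s/%s dev %s\n' "${pair##*:}" "$PREFIX" "$IFACE"
    done
}

# snat_rule INTERNAL PUBLIC: one SNAT rule, restricted to TCP port 25 so
# only mail is rewritten; conntrack un-NATs the replies automatically.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s/32 -p tcp --dport 25 -j SNAT --to-source %s\n' \
        "$IFACE" "$1" "$2"
}

# build_rules LOCAL...: print the SNAT rules for every mapping, but fail
# (printing nothing further) if a public address is not local to the firewall.
build_rules() {
    for pair in $MAILSERVERS; do
        internal=${pair%%:*}; public=${pair##*:}
        if ! is_local "$public" "$@"; then
            echo "refusing $internal -> $public: firewall does not own it" >&2
            return 1
        fi
        snat_rule "$internal" "$public"
    done
}

# To apply on the firewall (after reviewing the output):
#   alias_cmds | sh && build_rules $(local_addrs) | sh
```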