*SPAM* Re: [lug] forcing certain services to use eth1 instead of eth0
Michael Belanger
mrb at ciclops.org
Wed Jan 4 15:20:28 MST 2006
On Wednesday 04 January 2006 12:38, Zan Lynx wrote:
> On Wed, 2006-01-04 at 11:51 -0700, Michael Belanger wrote:
> [snip]
>
> > (Fedora Core 2): If no GATEWAY is defined in the /etc/sysconfig/network,
> > but IS defined in network-scripts/ifcfg-eth0 and 1, it seems to use
> > eth1's setting as the default gateway. I manually altered the default
> > gateway to be on eth0 and eth0's gateway, but this seems to have caused
> > traffic routing to eth1 to be responding with eth0 for sending mail with
> > SMTP.
>
> Why did you define a default gateway in both devices? Put it in eth0
> and only eth0. Should work.
Ah.. that makes sense.. The eth1 overrides the eth0 setting.
There can be only one.
So.. here is the final setup.. for posterity:
sendmail.mc (to force sendmail to send as a specific ip)
DAEMON_OPTIONS(`Port=smtp,Address=10.2.0.4, Name=MTA')dnl
CLIENT_OPTIONS(`Family=inet,Address=10.2.0.4')dnl
Created the following iptables rules and saved them with 'service iptables
save':
# service iptables start
# iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 25 -j MARK --set-mark 2
# iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 143 -j MARK --set-mark 2
# iptables -t mangle -A OUTPUT -p tcp -m tcp --sport 993 -j MARK --set-mark 2
# service iptables save
Resulting iptables file:
/etc/sysconfig/iptables:
*mangle
:PREROUTING ACCEPT [224:16700]
:INPUT ACCEPT [224:16700]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [132:12758]
:POSTROUTING ACCEPT [132:12758]
-A OUTPUT -p tcp -m tcp --sport 25 -j MARK --set-mark 0x2
-A OUTPUT -p tcp -m tcp --sport 143 -j MARK --set-mark 0x2
-A OUTPUT -p tcp -m tcp --sport 993 -j MARK --set-mark 0x2
-A OUTPUT -p tcp -m tcp --dport 25 -j MARK --set-mark 0x2
-A OUTPUT -p tcp -m tcp --dport 143 -j MARK --set-mark 0x2
-A OUTPUT -p tcp -m tcp --dport 993 -j MARK --set-mark 0x2
# I included the dport as well.. My thinking (with iptables, it is usually
# wrong) is that sendmail is sending mail out to the dport.. I put imap ports
# in there for no good reason.
Routes:
[root at porbeagle mail]# ip route show
10.2.0.0/24 dev eth1 proto kernel scope link src 10.2.0.4
10.1.0.0/24 dev eth0 proto kernel scope link src 10.1.0.2
169.254.0.0/16 dev eth1 scope link
default via 10.1.0.1 dev eth0
[root at porbeagle mail]# ip rule show
0: from all lookup local
400: from all fwmark 0x2 lookup 2
500: from 10.1.0.2 lookup 1
600: from 10.2.0.4 lookup 1
32766: from all lookup main
32767: from all lookup default
Commands used:
from: http://www.linuxjournal.com/article/7291 and suggestions:
# ip route add default via 10.1.0.1 dev eth0 tab 1
# ip route add default via 10.2.0.1 dev eth1 tab 2
# ip rule add from 10.1.0.2/32 tab 1 priority 500
# ip rule add from 10.2.0.4/32 tab 2 priority 600
# ip rule add fwmark 2 table 2 priority 400
# ip route flush cache
This was truly a pain. sendmail was caught spoofing as the 10.2 address
because I think the route rules listed here had originally set the priority
of the fwmark line as 32765. My fault -- because of the order of commands I
did. Apparently sendmail uses the routing table exclusively regardless of
what is set in your CLIENT_OPTIONS.
My final question.. Where do I put the route commands and rules so they are
reloaded on reboot? I had noticed that my previous entries were cleared when
I rebooted earlier.
/etc/init.d/network? iptables?
Thanks
Michael
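The setup the message above assembles command by command (two routing tables, a fwmark rule ahead of the source-address rules, and mangle/OUTPUT marks on the mail ports) can be collected into one idempotent script, which is also a reasonable way to reapply it at boot (for example from /etc/rc.d/rc.local). The following is an added example, not code from the thread or from the Fedora initscripts: it uses the addresses, tables, priorities and mark value as typed in the `ip route add` / `ip rule add` commands above, and assumes `iptables -C` is available (iptables 1.4.11 or newer). `IP` and `IPTABLES` can be pointed at stub functions for a dry run.

```shell
#!/bin/sh
# Added example (not from the original thread): an idempotent version of the
# policy-routing setup assembled by hand in the message above. Safe to rerun,
# so it can be called from a boot-time script such as /etc/rc.d/rc.local.
#
# Assumed layout, taken from the addresses used in the thread:
#   eth0  10.1.0.2/24  gateway 10.1.0.1  -> routing table 1 (system default)
#   eth1  10.2.0.4/24  gateway 10.2.0.1  -> routing table 2 (mail traffic)
# Packets marked 0x2 (the mail ports) are routed through table 2, i.e. eth1.
# IP and IPTABLES may be overridden with stub functions for a dry run.

IP="${IP:-ip}"
IPTABLES="${IPTABLES:-iptables}"

ETH0_IF=eth0; ETH0_ADDR=10.1.0.2; ETH0_GW=10.1.0.1; ETH0_TABLE=1
ETH1_IF=eth1; ETH1_ADDR=10.2.0.4; ETH1_GW=10.2.0.1; ETH1_TABLE=2
MARK=2
MAIL_PORTS="25 143 993"

# Add a default route to a table unless that table already has one.
ensure_default_route() {   # $1=gateway $2=interface $3=table
    if ! $IP route show table "$3" 2>/dev/null | grep -q '^default '; then
        $IP route add default via "$1" dev "$2" table "$3"
    fi
}

# Add a policy rule unless a rule with this priority is already installed.
# Priority order matters: the fwmark rule (400) has to be consulted before the
# source-address rules (500, 600) and before the main table (32766); otherwise
# a marked packet whose source is 10.1.0.2 is caught by rule 500 first and
# still leaves through eth0.
ensure_rule() {            # $1=priority, remaining args = rule selector
    prio=$1; shift
    if ! $IP rule show 2>/dev/null | grep -q "^$prio:"; then
        $IP rule add "$@" priority "$prio"
    fi
}

# Add a mangle/OUTPUT MARK rule unless it is already present.
# "iptables -C" (check) needs iptables 1.4.11 or newer (assumption); on older
# releases flush the chain once at boot and append without the check.
ensure_mark() {            # $1=--sport|--dport $2=port
    if ! $IPTABLES -t mangle -C OUTPUT -p tcp "$1" "$2" \
            -j MARK --set-mark "$MARK" >/dev/null 2>&1; then
        $IPTABLES -t mangle -A OUTPUT -p tcp "$1" "$2" -j MARK --set-mark "$MARK"
    fi
}

apply_policy_routing() {
    ensure_default_route "$ETH0_GW" "$ETH0_IF" "$ETH0_TABLE"
    ensure_default_route "$ETH1_GW" "$ETH1_IF" "$ETH1_TABLE"
    ensure_rule 400 fwmark "$MARK" table "$ETH1_TABLE"
    ensure_rule 500 from "$ETH0_ADDR/32" table "$ETH0_TABLE"
    ensure_rule 600 from "$ETH1_ADDR/32" table "$ETH1_TABLE"
    for port in $MAIL_PORTS; do
        ensure_mark --dport "$port"   # connections this host opens (sending mail)
        ensure_mark --sport "$port"   # replies from a daemon listening on these ports
    done
    $IP route flush cache
}

case "${1:-}" in
    apply) apply_policy_routing ;;
    *) echo "usage: $0 apply    (run as root)" ;;
esac
```

Running it with `apply` as root installs whatever is missing and leaves existing entries alone; a second run only flushes the route cache. The `--dport` marks are what steer connections the host itself opens (outgoing SMTP), while the `--sport` marks only matter for replies from a daemon listening on those ports.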