Spam and iptables

From: Tomasz Popik (popikt@yahoo.com)
Date: 01/31/03


Date: Fri, 31 Jan 2003 09:26:22 -0800 (PST)
From: Tomasz Popik <popikt@yahoo.com>
To: security-discuss@linuxsecurity.com


> Unless, you configure things so that the box running sendmail sees the
> clients address you're going to have difficulties.

Yes, you are 100% right, configuring sendmail without seeing the real IP address is a bit complicated.
But I have no other way, because my whole network has many servers and only one IP. My policy
is to not run any servers on the firewall box. So the solution you wrote to me, to install sendmail on
this box, is not good for me. But it is the easiest to do.

I think I can try to encapsulate IP packets. My idea is to encapsulate all IP traffic incoming to the
firewall into another protocol. Let's take Samba. Then send it to the sendmail box, decapsulate, examine the
real IP address, take the decision, and reply the same way.

>
> The way I think you want it to run is that any connection from your local
> subnet 192.168.0.0 is allowed to relay but any connection from outside isn't.
> Further to that, all connections come via your firewall and have a source
> address of 192.168.0.2 (the firewall). Is that correct?

Yes, Paul, you are right. Of course the firewall box has two ethernet cards.

>
> You really need to configure your firewall so that it doesn't rewrite the
> source address of external connections. That will solve your problem. If you
> can't do that, try running a mail relay on your firewall. This box will be
> able to see the client address and can choose to relay based on that. i.e. if
> it's from the local LAN, allow relays. If it's external, only allow relaying
> if the destination is your mail server (or an alias for it).

NO! I can't do it, because of the fundamental rules of the TCP/IP protocol. I will explain it. Let's have an
external box 'A', firewall 'B', and sendmail box 'C'. Now if A sends an IP packet to B, it has src=A
dst=B; now B receives this packet and changes it to src=B dst=C. If (as you want) B would not
change this and leave it as src=A dst=C, then the packet will arrive at C, but will never be sent back
to A, because the sequence number of the TCP/IP protocol is different in B and C, and simply A will reject
packets from C, due to Man-In-The-Middle attack rules. So in this configuration it must be like it is.
Second, it will not be received because C is a private IP, and third, B will not pass through
packets from C to A. Read the SNAT and DNAT rules of IPTABLES again. :)

> This way, connections from the internal LAN don't even need to be sent to the
> mail server. The mail relay on your firewall can handle where to send the
> mail and you'll reduce the load on the mail server, and most probably on the
> firewall too.
>

There is another way. It is highly tricky. Make rules on the firewall that alter a TCP/IP flag of the
packets which are allowed to go to sendmail. Now the sendmail box will have an iptables rule located in
PREROUTING and simply DROP all packets without the altered flag.

> Hope that helps a bit.
>
> Paul.
>

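The following is an added example, not code from Tomasz, Paul or the list: it models the A -> B -> C path described in the message above as a tiny simulation of the firewall's nat table, then applies the relay policy from the quoted reply (LAN may relay anywhere, outsiders may only deliver to a local domain) to the address the mail server actually sees. The mail server address 192.168.0.10, the public address 203.0.113.5, the local domain example.org, the outside client addresses and the interface names eth0/eth1 are all constructed assumptions; only 192.168.0.0/24 and the firewall's 192.168.0.2 come from the thread.

```python
"""Added example (not part of the original thread): model of inbound SMTP
through a DNAT/SNAT firewall, and the relay decision the mail server makes
from the source address it is shown.

Constructed values: MAIL_SERVER, PUBLIC_IP, LOCAL_DOMAINS, the client
addresses and the interface names are assumptions, not from the thread.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")   # from the thread
FIREWALL_INSIDE = "192.168.0.2"                 # from the thread
MAIL_SERVER = "192.168.0.10"                    # assumed
PUBLIC_IP = "203.0.113.5"                       # assumed (documentation range)
LOCAL_DOMAINS = {"example.org"}                 # assumed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 25


def firewall_nat(pkt: Packet, snat: bool) -> Packet:
    """Model of the firewall's nat table for one inbound SMTP packet.

    PREROUTING DNAT redirects public:25 to the mail server.  POSTROUTING
    SNAT (optional) additionally rewrites the source to the firewall's inside
    address; that second step is what hides the real client from the server.
    """
    if pkt.dst == PUBLIC_IP and pkt.dport == 25:
        pkt = replace(pkt, dst=MAIL_SERVER)
        if snat:
            pkt = replace(pkt, src=FIREWALL_INSIDE)
    return pkt


def relay_decision(client_ip: str, rcpt_domain: str) -> str:
    """Relay policy from the quoted reply: LAN clients may relay anywhere,
    anyone else may only deliver to a local domain."""
    if ipaddress.ip_address(client_ip) in LAN:
        return "RELAY"
    return "ACCEPT" if rcpt_domain in LOCAL_DOMAINS else "REJECT"


def handle_smtp(client_ip: str, rcpt_domain: str, snat: bool) -> Tuple[str, str]:
    """Return (address the mail server sees, relay decision) for one session.

    LAN clients reach the mail server directly; outside clients connect to
    the public address and are translated by the firewall first.
    """
    on_lan = ipaddress.ip_address(client_ip) in LAN
    pkt = Packet(src=client_ip, dst=MAIL_SERVER if on_lan else PUBLIC_IP)
    seen = firewall_nat(pkt, snat)
    return seen.src, relay_decision(seen.src, rcpt_domain)


def iptables_rules(snat: bool) -> List[str]:
    """nat-table rules the model corresponds to (eth0 outside, eth1 inside)."""
    rules = [
        "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 "
        f"-j DNAT --to-destination {MAIL_SERVER}",
    ]
    if snat:
        rules.append(
            f"iptables -t nat -A POSTROUTING -o eth1 -p tcp -d {MAIL_SERVER} "
            f"--dport 25 -j SNAT --to-source {FIREWALL_INSIDE}"
        )
    return rules


if __name__ == "__main__":
    # Constructed sessions: one outsider relaying elsewhere, one outsider
    # delivering locally, one LAN host relaying elsewhere.
    sessions = [("198.51.100.7", "example.com"),
                ("198.51.100.7", "example.org"),
                ("192.168.0.50", "example.com")]
    for snat in (True, False):
        print(f"--- SNAT {'on' if snat else 'off'} ---")
        for rule in iptables_rules(snat):
            print("  " + rule)
        for client, domain in sessions:
            seen, verdict = handle_smtp(client, domain, snat)
            print(f"  client {client:>14} -> server sees {seen:>14}: {verdict} ({domain})")
```

With SNAT on, every outside connection arrives at the mail server as 192.168.0.2, which sits inside 192.168.0.0/24, so the policy grants RELAY to the outsider: the mail server has become an open relay without any change to sendmail. With only the DNAT rule, the server sees the real client and the outsider gets REJECT for a foreign domain and ACCEPT for a local one, while LAN hosts still relay.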