ipchains with multiple mail server IP addresses

Post by Dan Raws » Thu, 22 Jul 1999 04:00:00

I'm running a firewall with a 2.2.6 kernel (slackware 4.0) and have IP
chains up and running for my small home network over the cable modem.
The only problem is with the pop3 mail.

My ISP (earthlink.net) has multiple mail servers aliased to
"mail.earthlink.net".  Successive calls to nslookup return different
INDIVIDUAL addresses.  In contrast, running nslookup on (for example)
www.altavista.com returns a list of addresses.

The ipchains rules look like:

ipchains -A input -i eth0 -p tcp ! -y -s $POP_SERVER 110 \
              -d $EXTERNAL_IP 1025:65535 -j ACCEPT
ipchains -A output -i eth0 -p tcp -s $EXTERNAL_IP 1025:65535 \
              -d $POP_SERVER -j ACCEPT

If I hard-code one of the "mail.earthlink.net" addresses as
$POP_SERVER in the IPCHAINS setups and on ALL the clients, this works.
However, it seems contrary to the spirit of the whole system . . .

If I don't hard-code the address, the resolution of
"mail.earthlink.net" at run-time almost NEVER matches the one that
ipchains made at startup, so the packets are denied.

Any suggestions would be welcome . . . .

TIA . . .



Post by Allen Won » Fri, 23 Jul 1999 04:00:00


    A simple and less secure option would be just to open port 110 to
all IP addresses.  Or, if the mail servers are all in the same family of
addresses you could use "-s 123.456.789.0/24".  Good luck!

Linux:  If you're not careful, you might actually learn something.
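
An added example, not part of either post: a shell sketch that pools the addresses seen for a round-robin name, emits one rule pair per address instead of opening port 110 to everyone, and reports whether a single /24 would cover them. The function names, the 203.0.113.10 external address and the 192.0.2.x server addresses are constructed placeholders, and resolve_all assumes dig is installed and that repeated queries actually rotate.

```shell
# Added example; all addresses are constructed (RFC 5737 documentation ranges).
EXTERNAL_IP="203.0.113.10"   # placeholder for the firewall's external address

# valid_ipv4 ADDR: true only for a dotted quad with octets 0-255, so CNAME
# lines or other resolver output never end up inside a firewall rule.
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# resolve_all HOST [ROUNDS]: pool the answers of repeated lookups, since each
# query of a round-robin name may show only one address. Needs network + dig.
resolve_all() {
    i=0
    while [ "$i" -lt "${2:-10}" ]; do
        dig +short A "$1"
        i=$((i + 1))
    done
}

# pop_rules: read addresses on stdin, print one rule pair per unique address.
# Unlike the rules in the post, the output rule also pins destination port 110.
pop_rules() {
    sort -u | while read -r addr; do
        valid_ipv4 "$addr" || { echo "skipping '$addr'" >&2; continue; }
        echo "ipchains -A input -i eth0 -p tcp ! -y -s $addr 110 -d $EXTERNAL_IP 1025:65535 -j ACCEPT"
        echo "ipchains -A output -i eth0 -p tcp -s $EXTERNAL_IP 1025:65535 -d $addr 110 -j ACCEPT"
    done
}

# covering_nets: distinct /24 networks of the addresses on stdin; a single
# line of output means one "-s a.b.c.0/24" rule covers every server seen.
covering_nets() {
    while read -r addr; do
        if valid_ipv4 "$addr"; then echo "${addr%.*}.0/24"; fi
    done | sort -u
}

# Constructed stand-in for pooled lookups (duplicate and CNAME line included).
SAMPLE="192.0.2.21
192.0.2.23
mail.example.net.
192.0.2.21"
printf '%s\n' "$SAMPLE" | pop_rules
printf '%s\n' "$SAMPLE" | covering_nets
```

On the firewall the input would come from resolve_all rather than SAMPLE; the pool only reflects what the resolver returned at load time, so the rules go stale whenever the ISP adds a server.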


1. multiple IP address mail servers ipchains/iptables

Whenever my isp changes or adds an ip address to the list of mail
servers I cannot connect to the server.  In my rules I have put
'mail.myisp.com' as the smtp server and the pop3 server but
occasionally I still cannot connect to the e-mail server.  I believe
that they are adding/changing/round-robin the ip addresses for the
mail servers and the script is only picking up one of these addresses.
 Is there a way to get around this problem in ipchains and/or

Is the only solution to run dig every once in a while and make sure
that I have all of the latest ip addresses included in the filter,
instead of relying on 'mail.myisp.com' in the script?

How do other firewall systems get around this issue (Zone alarm,NIS
