multiple IP address mail servers ipchains/iptables

Post by Jim Patters » Sun, 06 Apr 2003 03:25:17

Whenever my ISP changes or adds an IP address to the list of mail
servers I cannot connect to the server.  In my rules I have put
'mail.myisp.com' as the SMTP server and the POP3 server but
occasionally I still cannot connect to the e-mail server.  I believe
that they are adding/changing/round-robining the IP addresses for the
mail servers and the script is only picking up one of these addresses.
Is there a way to get around this problem in ipchains and/or
iptables?

Is the only solution to run dig every once in a while and make sure
that I have all of the latest IP addresses included in the filter,
instead of relying on 'mail.myisp.com' in the script?

How do other firewall systems get around this issue (ZoneAlarm, NIS
2003)?

multiple IP address mail servers ipchains/iptables

Post by Joe » Sun, 06 Apr 2003 05:21:45

> Whenever my ISP changes or adds an IP address to the list of mail
> servers I cannot connect to the server.  In my rules I have put
> 'mail.myisp.com' as the SMTP server and the POP3 server but
> occasionally I still cannot connect to the e-mail server.  I believe
> that they are adding/changing/round-robining the IP addresses for the
> mail servers and the script is only picking up one of these addresses.
> Is there a way to get around this problem in ipchains and/or
> iptables?

> Is the only solution to run dig every once in a while and make sure
> that I have all of the latest IP addresses included in the filter,
> instead of relying on 'mail.myisp.com' in the script?

> How do other firewall systems get around this issue (ZoneAlarm, NIS
> 2003)?

ZoneAlarm distinguishes between "Internet" and "Trusted" remote
computers. That's it, nothing finer. You can add hosts to the "Trusted"
group by name or IP, if you trust an (alleged) Internet host that far. I
don't know if the "Pro" is any different.

AtGuard (obsolete, but it seems to work. Possibly now Norton?) uses host
names, IPs, or ranges. Another Windows personal firewall I tried
(possibly Tiny, now Kerio?) did need IPs, and I ended up setting a /26
block for my ISP's news server, which is fairly distributed. I take it
your mail servers aren't in a nice tidy /nn block?

I'd have thought if anyone was prepared to go to the lengths of
poisoning your ISP's DNS to get at you, they'd find it easier to spoof
their IP.
--
Joe

multiple IP address mail servers ipchains/iptables

Post by /dev/nul » Sun, 06 Apr 2003 10:01:46

> I'd have thought if anyone was prepared to go to the lengths of
> poisoning your ISP's DNS to get at you, they'd find it easier to spoof
> their IP.

but with the spoof they don't get any packets back, they get routed to the
spoofed address' location.  With a poisoned DNS you get the victim to
connect directly to you...

Also his concept of using DNS to look up the name, then setting it in tables
(either by name or resulting IP) makes him vulnerable to poisoned DNS so I'm
not really sure how your response fits in...

ipchains with multiple mail server IP addresses

I'm running a firewall with a 2.2.6 kernel (slackware 4.0) and have IP
chains up and running for my small home network over the cable modem.
The only problem is with the pop3 mail.

My ISP (earthlink.net) has multiple mail servers aliased to
"mail.earthlink.net".  Successive calls to nslookup return different
INDIVIDUAL addresses.  In contrast, running nslookup on (for example)
www.altavista.com returns a list of addresses.

The ipchains rules look like:

# $POP_SERVER and $EXTERNAL_IP are set earlier in the script
# Replies from the POP3 server: non-SYN packets (! -y) from source port 110
ipchains -A input -i eth0 -p tcp ! -y -s $POP_SERVER 110 \
              -d $EXTERNAL_IP 1025:65535 -j ACCEPT
# Outbound connections from an unprivileged local port to the POP3 port
ipchains -A output -i eth0 -p tcp -s $EXTERNAL_IP 1025:65535 \
              -d $POP_SERVER 110 -j ACCEPT

If I hard-code one of the "mail.earthlink.net" addresses as
$POP_SERVER in the IPCHAINS setups and on ALL the clients, this works.
However, it seems contrary to the spirit of the whole system . . .
.<g>

If I don't hard-code the address, the resolution of
"mail.earthlink.net" at run-time almost NEVER matches the one that
ipchains made at startup, so the packets are denied.

Any suggestions would be welcome . . . .

TIA . . .

Dan
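
The mechanism behind both Jim's question and Dan's ipchains post is the same: a rule written with a hostname is resolved once, when the rule is loaded, so a round-robin name that hands out a different single address on each query leaves only one of the ISP's servers in the filter and the rest blocked. The script below is an added example, not code from the thread or from any of the posters, showing the "run dig every so often and rebuild" approach for iptables with the two details the thread does not spell out: querying repeatedly and merging the answers, and rebuilding the rules without a moment in which the live chain is empty. mail.myisp.com, the chain name isp-mail, the lookup count and the base rule set it assumes (default-deny OUTPUT, a generic ESTABLISHED,RELATED accept on INPUT) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread: refresh a firewall chain
# for a mail server name that is served round-robin. Everything named here
# (mail.myisp.com, the "isp-mail" chain, the shape of the base rule set) is
# an assumption for illustration.
#
# Why: "iptables -A OUTPUT -d mail.myisp.com ..." resolves the name once, when
# the rule is loaded. A round-robin name that returns a different single A
# record per query therefore leaves one server in the filter and the rest
# blocked. Query several times, merge the answers, rebuild a dedicated chain.
#
# Assumes a base rule set with a default-deny OUTPUT policy and
#   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# so replies need no per-address inbound rule (the ipchains "! -y" pair).
#
# Caveat from the thread: the result is only as trustworthy as the DNS answer.
# If the ISP keeps its mail servers in one fixed block, allow that block and
# skip the lookup entirely.

MAILHOST=${MAILHOST:-mail.myisp.com}   # assumed name
LOOKUPS=${LOOKUPS:-8}                  # queries to merge; one per round-robin answer
CHAIN=${CHAIN:-isp-mail}               # dedicated chain, swapped in as a unit

# Keep only dotted-quad lines. "dig +short" also prints the CNAME target when
# the name is an alias, and that must not end up in a rule.
extract_a_records() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

# Query the name several times and merge the answers into one sorted, unique
# list, since each query to a round-robin name may return a different address.
collect_addresses() {
    i=0
    while [ "$i" -lt "$2" ]; do
        dig +short A "$1"
        i=$((i + 1))
    done | extract_a_records | sort -u
}

# Emit the iptables commands for a chain allowing SMTP and POP3 to the given
# addresses. Printed rather than executed so the result can be reviewed (or
# diffed against the previous run) before it is piped into sh.
build_rules() {
    chain=$1; shift
    tmp="${chain}-new"
    # Build into a fresh chain so the live one is never half filled.
    echo "iptables -N $tmp 2>/dev/null || iptables -F $tmp"
    for ip in "$@"; do
        echo "iptables -A $tmp -p tcp -d $ip --dport 25 -m state --state NEW -j ACCEPT"
        echo "iptables -A $tmp -p tcp -d $ip --dport 110 -m state --state NEW -j ACCEPT"
    done
    # Swap: jump to the new chain first, then retire the old one and rename,
    # so there is no moment without a jump and the next run finds the same name.
    echo "iptables -I OUTPUT 1 -j $tmp"
    echo "iptables -D OUTPUT -j $chain 2>/dev/null || true"
    echo "iptables -F $chain 2>/dev/null || true"
    echo "iptables -X $chain 2>/dev/null || true"
    echo "iptables -E $tmp $chain"
}

# Returns 1 and changes nothing when the lookup yields no address: a DNS
# outage must not turn into an empty chain that silently cuts off mail.
refresh() {
    mode=$1
    addrs=$(collect_addresses "$MAILHOST" "$LOOKUPS")
    if [ -z "$addrs" ]; then
        echo "refresh: no A records for $MAILHOST, rules left unchanged" >&2
        return 1
    fi
    # shellcheck disable=SC2086  # word-split the newline-separated list on purpose
    set -- $addrs
    if [ "$mode" = apply ]; then
        build_rules "$CHAIN" "$@" | sh -e
    else
        build_rules "$CHAIN" "$@"
    fi
}

# Usage: refresh-mail-rules.sh show   (print the commands)
#        refresh-mail-rules.sh apply  (run them; suitable for cron)
# With no argument the file only defines the functions, so it can be sourced.
case "${1:-}" in
    show|apply) refresh "$1" ;;
esac
```

Run it with `show` to inspect the generated commands and with `apply` from cron to execute them; with no argument it only defines the functions. Because the chain is rebuilt from a DNS answer, it inherits the caveat /dev/nul raises above: a poisoned answer puts the attacker's address into the accept list, which is why a fixed address block from the ISP, where one exists, is the safer rule.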
