
I want to set up a special SMTP environment: two different SMTP servers that should be transparently accessed from SMTP clients.

Let's say I have an RFC-compliant Postfix running at 192.168.0.1:25 and an RFC-ignoring server fooling clients at 192.168.0.1:2525.

Now I want the following. Most connections should be handled by Postfix as it is listening on the correct port. But with different iptables rules I currently REJECT/DROP connections due to RBL listings, abusive behavior or exceeding limits; just to reduce the load on the Postfix server. Now I no longer want to DROP them, but instead forward the connections to port 2525. The second server is to act as a tarpit and then defer/reject the mails.

I can't figure out how to forward connections depending on other iptables rules that are in the INPUT chain. There I use xt_recent and limit filters to dynamically decide between ACCEPT and DROP.

mailq

1 Answer


Assuming iptables runs on the same machine where both Postfix and that other server are running, you need a NAT rule with target REDIRECT:

iptables -t nat -A PREROUTING -p tcp -s [address_matching_rbl] --dport 25 -j REDIRECT --to-ports 2525

You also need a filtering rule in the INPUT chain to permit connections to port 2525. This rule does not have to match RBL addresses.

Since you already use iptables to DROP connections from blacklisted hosts, you probably already have the list of addresses and have written iptables rules using it. You could use module ipset ( http://ipset.netfilter.org/ ) to make this matching work more efficiently and to be able to reload lists of addresses without reloading whole iptables configuration.

vadimk
  • Using explicit rules is impossible as `[address_matching_rbl]` is fast flux. Even with ipset it is not possible to add and remove hundreds of addresses in a short time. This is why I do it with xt_recent, as I can add and remove IPs by "writing" to files under /proc/net/xt_recent. I'm talking about at least 500 connections per second. – mailq Apr 13 '11 at 16:33
  • You can use the same match, using module recent controlled by /proc/net/xt_recent, in the nat rule instead of "-s address". – vadimk Apr 14 '11 at 00:54
  • @mailq you *can* add/delete hundreds of rules to ipset very quickly. Use `ipset --restore` and feed it a text file containing ipset arguments. See the output of `ipset --save`, but use only `-A` and `-D` commands. Alternatively, use an IPset of type `iptree` and have another iptables rule do a `-j SET` to automatically add offending IP addresses to the IP set. – pepoluan Apr 14 '11 at 02:03
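Putting the answer and vadimk's comment together (REDIRECT in nat/PREROUTING keyed on an xt_recent list, plus the INPUT rules that feed that list), as an added example that is not from the question or the answers: a POSIX shell script that prints the rule set, or executes it as root when called with `apply`. The list names `smtp_rate` and `tarpit`, the chain `SMTP_ABUSE` and the thresholds are assumptions; adjust them to the limits you already enforce.

```shell
#!/bin/sh
# Added example: REDIRECT abusive SMTP clients to a tarpit listener using
# the "recent" match. Names (smtp_rate, tarpit, SMTP_ABUSE) and thresholds
# are assumptions, not taken from the original thread.
SMTP_PORT=25
TARPIT_PORT=2525
RATE_WINDOW=60     # seconds
RATE_HITS=15       # new connections per window before a host is tarpitted
                   # (must not exceed xt_recent's ip_pkt_list_tot, default 20)
TARPIT_TTL=3600    # seconds a host stays redirected after its last hit

tarpit_rules() {
    cat <<EOF
# nat/PREROUTING sees only the first packet of a new connection: hosts
# already in the "tarpit" list are redirected to the tarpit port.
iptables -t nat -A PREROUTING -p tcp --dport $SMTP_PORT -m recent --name tarpit --rcheck --seconds $TARPIT_TTL -j REDIRECT --to-ports $TARPIT_PORT
# Redirected connections now arrive in INPUT with dport $TARPIT_PORT.
iptables -A INPUT -p tcp --dport $TARPIT_PORT --syn -j ACCEPT
# Offenders are recorded in the tarpit list (--set always matches) and the
# current connection is dropped; their next connection is redirected above.
iptables -N SMTP_ABUSE
iptables -A SMTP_ABUSE -m recent --name tarpit --set -j DROP
# Rate limit on port $SMTP_PORT: more than $RATE_HITS new connections in
# $RATE_WINDOW s sends the source to SMTP_ABUSE, otherwise count and accept.
iptables -A INPUT -p tcp --dport $SMTP_PORT --syn -m recent --name smtp_rate --update --seconds $RATE_WINDOW --hitcount $RATE_HITS -j SMTP_ABUSE
iptables -A INPUT -p tcp --dport $SMTP_PORT --syn -m recent --name smtp_rate --set -j ACCEPT
EOF
}

# Manual control the way the question describes it: write to the proc file.
tarpit_add()    { echo "+$1" > /proc/net/xt_recent/tarpit; }
tarpit_remove() { echo "-$1" > /proc/net/xt_recent/tarpit; }

# Note: xt_recent keeps only 100 addresses per list by default; for the
# volumes in the question load it with a larger ip_list_tot, e.g.
# "options xt_recent ip_list_tot=10000" in /etc/modprobe.d/.

case "${1:-}" in
    apply) tarpit_rules | grep -v '^#' | sh -e ;;   # execute as root
    *)     tarpit_rules ;;                          # dry run: print rules
esac
```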