How to set up an iptables firewall for outgoing IP rotation
OBJECTIVE
The objective of this tutorial is to enable outgoing IP rotation. One of the common use cases of IP rotation is setting up a mass mailing server. I am assuming the SMTP (MTA) server has already been set up and is listening on all interfaces.
GETTING STARTED
We are going to set up iptables here.
Steps:
1. Assign multiple IP addresses to the server as aliases on your physical network card (say eth0). The network configuration files are in /etc/sysconfig/network-scripts/. Copy the interface file and edit the copy so that it reads as shown:
# cd /etc/sysconfig/network-scripts/
# cp ifcfg-eth0 ifcfg-eth0:0
DEVICE="eth0:0"
BOOTPROTO="static"
IPADDR="x.x.x.x"
NETMASK="255.255.255.224"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE="Ethernet"
Similarly, keep creating aliases :1, :2 and so on for as many IP addresses as you have.
2. Next, bring the alias up and check that the IP address is bound to it:
# ifup eth0:0
# ifconfig
eth0:0 Link encap:Ethernet HWaddr 00:22:19:54:93:21
inet addr:x.x.x.x Bcast:x.x.x.x Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
The IP address should be visible there.
3. Next, check whether iptables supports the statistic module. Run the following command:
# iptables -m statistic -h
If the output is the usage text, something like:
iptables v1.4.7
Usage: iptables -[AD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
...
then your iptables supports this module. If instead iptables reports that it cannot load the statistic match, the module is not available on your system.
4. Now it is time to set up the rules in iptables. Changing the outgoing source IP address is source network address translation (SNAT), so these rules go in the POSTROUTING chain of the nat table:
# iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 5 -j SNAT --to-source x.x.x.x
# iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 5 -j SNAT --to-source y.y.y.y
# iptables -t nat -I POSTROUTING -m state --state NEW -p tcp --dport 25 -o eth0 -m statistic --mode nth --every 5 -j SNAT --to-source z.z.z.z
5. Save the firewall rules and enable the iptables service at boot:
# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
# chkconfig iptables on
6. Now send some test mails and check their headers. You will see different source IP addresses across the mail headers.
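Each "-m statistic --mode nth" rule keeps its own counter and only sees the connections that earlier rules did not already match, so three rules that all use --every 5 (as in step 4) give the first address a 1/5 share, the second 1/5 of the remainder, and so on. The POSIX sh script below is an added example, not part of the original post: it prints an equivalent rule set that splits NEW outbound SMTP connections exactly 1/N across N addresses and replays the counters offline to confirm the split. The interface eth0, port 25 and the x/y/z addresses are placeholder arguments, and nothing is applied to the running firewall.

```shell
#!/bin/sh
# Added example, not from the original post: build POSTROUTING SNAT rules that
# split NEW outbound SMTP connections evenly over N source addresses.
# Each "-m statistic --mode nth" rule keeps its own counter and only sees the
# packets earlier rules did not match, so "--every 5" on all three rules gives
# address 1 a 1/5 share, address 2 a 1/5 share of the rest, and so on. The
# countdown below (--every N, --every N-1, ..., then a plain SNAT) gives each
# address exactly 1/N. Interface, port and addresses are placeholder arguments.

# gen_snat_rules IFACE PORT ADDR...  -> prints the iptables commands (does
# not apply them; pipe the output to sh on the mail server to apply).
gen_snat_rules() {
    iface=$1; port=$2
    shift 2
    n=$#
    [ "$n" -gt 0 ] || { echo "no source addresses given" >&2; return 1; }
    base="iptables -t nat -A POSTROUTING -o $iface -p tcp --dport $port"
    i=0
    for addr in "$@"; do
        remaining=$((n - i))
        if [ "$remaining" -gt 1 ]; then
            # take 1 in $remaining of the connections that reach this rule
            printf '%s -m statistic --mode nth --every %d --packet 0 -j SNAT --to-source %s\n' \
                "$base" "$remaining" "$addr"
        else
            # last address: catch everything that is left
            printf '%s -j SNAT --to-source %s\n' "$base" "$addr"
        fi
        i=$((i + 1))
    done
}

# simulate_split N CONNS -> "index hits" per address, replaying the nth
# counters of the countdown scheme offline to confirm the even split.
simulate_split() {
    awk -v n="$1" -v conns="$2" 'BEGIN {
        for (c = 0; c < conns; c++)
            for (i = 1; i <= n; i++) {
                every = n - i + 1                  # rule i uses --every every
                matched = (every == 1 || ctr[i] == 0)
                ctr[i] = (ctr[i] + 1) % every
                if (matched) { hits[i]++; break }
            }
        for (i = 1; i <= n; i++) printf "%d %d\n", i, hits[i] + 0
    }'
}

gen_snat_rules eth0 25 x.x.x.x y.y.y.y z.z.z.z
simulate_split 3 30   # 1 10 / 2 10 / 3 10
```

Because the script uses -A instead of -I, the rules are listed in the same order they are appended, which is the order the countdown depends on.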