proxy-helper
proxy-helper for smtp-proxy, part of software.klolik.org
About
smtp-gated is able to run in split mode (on a separate server, other than the NAT router). In that setup the proxy no longer sees the client's original addresses; proxy-helper runs on the NAT router and gives the proxy the original source and destination IPs and ports of NATed connections.
Scenarios
Possible scenarios:
| smtp-gated instance(s) | NAT router(s) | high availability and/or high performance | proxy-helper required |
| one | none | no | no |
| one | one | no | yes |
| one | many | no | yes |
| many | one | yes | yes |
| many | many | yes | yes |
Using policy routing on any (software or hardware) router, with smtp-gated doing the NAT itself:
| many | any | yes | no |
For many smtp-gated instances you can set up a pool of HA proxies.
TODO
- support for operating systems other than Linux
Downloads
Sources are released under the GNU License.
If you use this software, please send me an e-mail with your comments. Thanks.
Latest version:
[2010.02.12] proxy-helper-1.0.2.tar.gz
Security
You need to firewall the UDP port proxy-helper is listening on. Otherwise anyone who can
reach it can query your conntrack table and learn details about your internal networks
(the private addresses and ports behind the NAT).
smtp-gated and proxy-helper do not need public IPs, and they do not even need to be in
the same network segment.
Remember that smtp-gated "calls back" (sends its UDP lookup) to whatever IP the incoming
connection arrived from, on remote_port. Because the reply to that lookup is what tells
smtp-gated where to connect, a host that reaches smtp-gated directly instead of through
the NAT router can answer its own lookup and steer the proxy to a destination of its
choosing. This is dangerous unless it is correctly firewalled: only the NAT router(s)
should be able to reach smtp-gated's listening port, and only smtp-gated should be able
to reach proxy-helper's UDP port. Check it twice, or a spammer will put your resources to
(bad) use.
Details
How does it work?
- the router receives a connection from 10.1.1.1:10943 (user) to 4.1.1.1:25 (SMTP server)
- the router SNATs it to 194.0.1.1:20119 (the user's public IP) and DNATs it to 194.0.22.9:9199 (smtp-gated)
- smtp-gated receives the connection but knows nothing about the original destination 4.1.1.1:25; this is why it needs assistance
- smtp-gated prepares the IP:PORT for the lookup: it takes the incoming source IP (194.0.1.1) and adds remote_port (default is 114)
- smtp-gated asks 194.0.1.1:114 (proxy-helper) about the connection from 194.0.1.1:20119 to 194.0.22.9:9199
- proxy-helper looks the connection up in netfilter conntrack and finds it was originally from 10.1.1.1:10943 to 4.1.1.1:25
- proxy-helper replies to smtp-gated: the connection was from 10.1.1.1:10943 to 4.1.1.1:25
- smtp-gated uses 10.1.1.1:10943 for logging purposes and 4.1.1.1:25 as the destination address
- smtp-gated connects to 4.1.1.1:25 and does its usual job
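The conntrack reverse lookup behind steps 5 to 7, as an added example that is not proxy-helper's own code. The page does not specify the wire format of the UDP exchange, so the query and reply are modelled as a function call; the conntrack table is a constructed sample in /proc/net/nf_conntrack format carrying the flow from the walkthrough above plus two unrelated entries. Function names (parse_conntrack, lookup_origin, helper_query_target) are assumptions for this example. The lookup key is the mirror image of the reply tuple: conntrack records the original direction as the client sent it and the reply direction after SNAT/DNAT, which is exactly what smtp-gated sees.

```python
"""Model of the proxy-helper lookup: map the NAT-rewritten TCP connection that
smtp-gated sees back to the client's original source and destination, using
netfilter conntrack. Example code, not part of proxy-helper."""
import re
from typing import List, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed sample in /proc/net/nf_conntrack format (not taken from the page).
# Entry 1 is the flow from the Details section: 10.1.1.1:10943 -> 4.1.1.1:25,
# SNATed to 194.0.1.1:20119 and DNATed to 194.0.22.9:9199.
# Entry 2 is an untranslated flow; entry 3 is a UDP flow that must be ignored.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.1.1.1 dst=4.1.1.1 sport=10943 dport=25 src=194.0.22.9 dst=194.0.1.1 sport=9199 dport=20119 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 TIME_WAIT src=10.1.1.7 dst=4.1.1.1 sport=51022 dport=25 src=4.1.1.1 dst=10.1.1.7 sport=25 dport=51022 [ASSURED] mark=0 use=1
ipv4     2 udp      17 29 src=10.1.1.1 dst=194.0.1.9 sport=40001 dport=53 src=194.0.1.9 dst=194.0.1.1 sport=53 dport=40001 mark=0 use=1
"""

# One direction tuple as printed by conntrack: src=A dst=B sport=N dport=M
_TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_conntrack(text: str) -> List[dict]:
    """Parse conntrack lines into records holding the original-direction tuple
    (as the client sent it) and the reply-direction tuple (which already
    reflects SNAT/DNAT). Accepts both nf_conntrack lines ("ipv4 2 tcp 6 ...")
    and the older ip_conntrack layout ("tcp 6 ...")."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        proto = fields[2] if fields[0] in ("ipv4", "ipv6") else fields[0]
        tuples = _TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue  # malformed or truncated line; skip rather than guess
        orig, reply = tuples
        entries.append({
            "proto": proto,
            "orig_src": (orig[0], int(orig[2])),
            "orig_dst": (orig[1], int(orig[3])),
            "reply_src": (reply[0], int(reply[2])),
            "reply_dst": (reply[1], int(reply[3])),
        })
    return entries


def lookup_origin(entries: List[dict], nat_src: Endpoint,
                  nat_dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
    """What proxy-helper answers. nat_src is the connection's source as
    smtp-gated sees it (the SNAT address:port) and nat_dst is smtp-gated's own
    listening socket. The matching conntrack entry is the one whose reply tuple
    runs from nat_dst back to nat_src. Returns the client's real
    (source, destination), or None on a miss. A miss must stay a miss: there is
    no safe default destination for the proxy to fall back to."""
    for e in entries:
        if e["proto"] != "tcp":
            continue
        if e["reply_src"] == nat_dst and e["reply_dst"] == nat_src:
            return e["orig_src"], e["orig_dst"]
    return None


def helper_query_target(peer: Endpoint, remote_port: int = 114) -> Endpoint:
    """Where smtp-gated sends its UDP lookup (step 4 above): the peer's own IP
    on remote_port. Nothing in this step verifies that the peer is the NAT
    router, which is why the Security section says to firewall both ends."""
    return (peer[0], remote_port)


if __name__ == "__main__":
    table = parse_conntrack(SAMPLE_CONNTRACK)
    peer = ("194.0.1.1", 20119)           # source as seen by smtp-gated
    me = ("194.0.22.9", 9199)             # smtp-gated's listening socket
    print("lookup sent to", helper_query_target(peer))
    print("client origin:", lookup_origin(table, peer, me))
```

Run it on a real router by replacing SAMPLE_CONNTRACK with the contents of /proc/net/nf_conntrack (root is needed to read it); the only NAT-specific knowledge is that the reply tuple is the post-NAT view of the flow.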
Example
Set up the example above:
# You must give proxy-helper a real, routable IP to listen on; 0.0.0.0 will not work.
proxy-helper -I 194.0.1.1 -p /var/run/proxy-helper.pid
# Remember to SNAT all connections to smtp-gated through the IP the helper is listening on,
# otherwise smtp-gated's lookup (sent to the connection's source IP) will not reach the helper.
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 194.0.22.9:9199
iptables -t nat -A POSTROUTING -p tcp -d 194.0.22.9 --dport 9199 -j SNAT --to 194.0.1.1
Change the following in smtp-gated.conf:
mode remote-udp
remote_port 114
remote_udp_retries 3
(c) 2005-2008 Bartłomiej Korupczyński
