Two different IP for one mx


Re: Two different IP for one mx

Karol Augustin
On 2018-01-30 15:59, Bill Shirley wrote:

>
> In an earlier post:
> Because I prefer to use fail2ban for brute force attacks, and fail2ban depends on the source IP address. In this setup I can't see the source IP. Also I'll use iptables as a permanent filter for some IPv4 blocks (like China).
>
> He needs to see the real public addresses of those who connect to this new server.

Of course, but what I meant is that the reason he doesn't, and he
definitely has to, is that the upstream configuration is broken, not
that he has a private address assigned to the NIC. You can have a private
address assigned to the NIC and be perfectly capable of seeing the original
source address. This is how it should be configured.

Karol




--
Karol Augustin
[hidden email]
http://karolaugustin.pl/
+353 85 775 5312

Re: Two different IP for one mx

jin&hitman&Barracuda
In reply to this post by Bill Shirley


On 30 Jan 2018 7:00 p.m., "Bill Shirley" <[hidden email]> wrote:
On 1/30/2018 9:15 AM, Karol Augustin wrote:
From the information you provided it looks like the problem is not fixable by you. It's ok to have a private address configured on your server if it is properly translated upstream. Amazon does that. You have a private IP configured on your machine but it is translated to the same public address for both incoming and outgoing connections. Talk to your ISP about this.


Karol



--
Karol Augustin
[hidden email]
http://karolaugustin.pl/
+353 85 775 5312

In an earlier post:
Because I prefer to use fail2ban for brute force attacks, and fail2ban depends on the source IP address. In this setup I can't see the source IP. Also I'll use iptables as a permanent filter for some IPv4 blocks (like China).

He needs to see the real public addresses of those who connect to this new server.


You said this machine has address 192.168.34.30/24.  Who gave it this address?

Bill

The ISP has an OS deployment team. They prepared this machine for us. I do not have much choice because our company outsourced some jobs (like OS installations and network definitions) and this is one of them. You write the specs and they prepare it for you.

Re: Two different IP for one mx

Bill Cole-3
In reply to this post by jin&hitman&Barracuda
On 30 Jan 2018, at 6:07 (-0500), jin&hitman&Barracuda wrote:

> Yes, I saw connections coming
> from 172.27.203.20 and it was me.
> I believe this setup is not fit for mail servers.

Absolutely true. 3 widespread ISP tactics that make a network unfit for
an Internet-facing MTA:

1. DNS hijacking
2. Firewall or router-based (usually Cisco ASA/PIX) mangling of SMTP
3. Source NAT for inbound traffic

All 3 are often presented as part of "network security" packages but
they are each lethal for a mail server.

> Because I prefer to use
> fail2ban for brute force attacks, and fail2ban depends on the source IP
> address.
> In this setup I can't see the source IP. Also I'll use iptables as a
> permanent
> filter for some IPv4 blocks (like China).
>
>
> Can anyone tell me whether this setup has any benefit?

No.

Inbound source NAT is the most widespread network tactic that I know of
which has no discernible benefit to the downstream user directly or
indirectly. As far as I can tell, it is entirely a side effect of
network gear manufacturers and network operators being lazy in
implementation.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
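An added example (not code from this thread or from fail2ban) that makes the point above concrete: the same failed SASL logins are counted per source address the way a fail2ban filter would, once as a correctly translated upstream delivers them and once behind an ISP that source-NATs inbound SMTP, plus a small sanity check that flags the "every connection from one address" pattern. The log lines are constructed; 172.27.203.20 is the NAT address mentioned in the thread.

```python
import re
from collections import Counter

# Constructed Postfix smtpd log lines (not from the thread): five failed
# logins from three clients, as seen when the upstream passes real source
# addresses through.
DIRECT_LOG = [
    "Jan 30 15:59:01 mx postfix/smtpd[1201]: connect from unknown[203.0.113.5]",
    "Jan 30 15:59:02 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed",
    "Jan 30 15:59:03 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed",
    "Jan 30 15:59:04 mx postfix/smtpd[1201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed",
    "Jan 30 15:59:10 mx postfix/smtpd[1202]: connect from unknown[198.51.100.7]",
    "Jan 30 15:59:11 mx postfix/smtpd[1202]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed",
    "Jan 30 15:59:20 mx postfix/smtpd[1203]: connect from mail.example.org[192.0.2.9]",
    "Jan 30 15:59:21 mx postfix/smtpd[1203]: warning: mail.example.org[192.0.2.9]: SASL LOGIN authentication failed",
]
# The same events behind inbound source NAT: every client is rewritten to the
# NAT device's address (172.27.203.20, the address the thread reports seeing).
NATTED_LOG = [re.sub(r"\S+\[\d+(?:\.\d+){3}\]", "unknown[172.27.203.20]", ln) for ln in DIRECT_LOG]

CONNECT = re.compile(r"connect from \S+\[(?P<ip>\d+(?:\.\d+){3})\]")
AUTH_FAIL = re.compile(r"warning: \S+\[(?P<ip>\d+(?:\.\d+){3})\]: SASL \w+ authentication failed")

def failed_logins_by_source(lines):
    """Count SASL authentication failures per client address, as a fail2ban filter would."""
    counts = Counter()
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def ban_candidates(lines, maxretry=3):
    """fail2ban-style decision: addresses reaching maxretry failures get banned."""
    return sorted(ip for ip, n in failed_logins_by_source(lines).items() if n >= maxretry)

def inbound_nat_suspected(lines, min_connections=3):
    """Sanity check for the thread's problem: several connections but a single source address."""
    sources = {m.group("ip") for m in map(CONNECT.search, lines) if m}
    connections = sum(1 for line in lines if CONNECT.search(line))
    return connections >= min_connections and len(sources) == 1

if __name__ == "__main__":
    for name, log in (("direct", DIRECT_LOG), ("natted", NATTED_LOG)):
        print(name, "ban:", ban_candidates(log), "NAT suspected:", inbound_nat_suspected(log))
```

With real addresses only the brute-forcing client is banned; behind NAT the only bannable address is the NAT device itself, so a ban would lock out every client at once.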

Re: Two different IP for one mx

jin&hitman&Barracuda
Ok, I already started a discussion with the ISP and they obviously have no idea what they are doing. However, they have made no effort to fix this setup. I'm still waiting. Maybe it is time to find a proper ISP and switch to it.

2018-01-31 17:00 GMT+03:00 Bill Cole <[hidden email]>:
On 30 Jan 2018, at 6:07 (-0500), jin&hitman&Barracuda wrote:

Yes, I saw connections coming
from 172.27.203.20 and it was me.
I believe this setup is not fit for mail servers.

Absolutely true. 3 widespread ISP tactics that make a network unfit for an Internet-facing MTA:

1. DNS hijacking
2. Firewall or router-based (usually Cisco ASA/PIX) mangling of SMTP
3. Source NAT for inbound traffic

All 3 are often presented as part of "network security" packages but they are each lethal for a mail server.

Because I prefer to use
fail2ban for brute force attacks, and fail2ban depends on the source IP address.
In this setup I can't see the source IP. Also I'll use iptables as a permanent
filter for some IPv4 blocks (like China).


Can anyone tell me whether this setup has any benefit?

No.

Inbound source NAT is the most widespread network tactic that I know of which has no discernible benefit to the downstream user directly or indirectly. As far as I can tell, it is entirely a side effect of network gear manufacturers and network operators being lazy in implementation.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole



--
There is no place like "/home"
From HemiB A R R A C U D A !