> Florian Effenberger <floeff@xxxxxxxxx> wrote:
> > my default network policy is to block all outgoing traffic and
> > only allow certain packets to pass. For some users, I'd like to
> > open up Google Mail (imap.gmail.com:993 and smtp.gmail.com:587).
> > However, Google's DNS randomly gives out different IPs per query.
> > Sadly, they are not all located within a subnet, but vary in all
> > parts of the address.
> >
> > If I want to have destination host based rules, how can I do this
> > with iptables? My current idea is to run a cron job every few
> > minutes to add the rules again with the changed IPs, but this
> > sounds like an ugly workaround, and will clutter my user-defined
> > chain heavily.
> >
> > Is there any other approach, other than opening up all traffic to
> > 993 and 587?

I would suggest that you ask them, not us. They can tell you what
netblocks to allow, if they are so inclined.

On Tue, Jun 22, 2010 at 01:55:22PM -0500, Jeff Largent wrote:
> Are they actually random or are they just round-robined from DNS?

I get a CNAME for smtp.gmail.com, and only one IP with a short TTL for
that:

smtp.gmail.com.                 300 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com.    300 IN A     74.125.157.109

Likewise for imap.gmail.com. 5 minutes later I tried again and got the
same one. But, that could change at any time, without warning.

> If they are coming from a round robin queue then when you add
> smtp.gmail.com iptables will add a rule for each address it
> resolves to.

Right, but not for this one.

> Another option may be to do a lookup on MX record for gmail.com and
> add those hosts.

This is not right. The submission hosts are NOT the MX hosts, nor are
the MX hosts the same as the IMAP ones. Submission requires SMTP AUTH,
mail exchange does not. And surely the MX hosts use extensive spam
controls, as well.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
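The cron-job approach Florian describes, written out as an added example (not code from anyone in the thread). It resolves the two hostnames the same way iptables does when given a name at insert time, so a round-robin answer yields one rule per A record, but instead of appending rules to the main chain it flushes and rebuilds a dedicated chain on every run, which is what keeps the chain from filling up with stale addresses. The chain name gmail-out, the assumption that OUTPUT already jumps to that chain for the users concerned (e.g. via -m owner --uid-owner), and the DRY_RUN switch are assumptions of the example; the address 74.125.157.109 used in the comments is the one from the dig output above.

```shell
#!/bin/sh
# Added example, not from the thread: refresh a dedicated iptables chain from
# the hostnames' current A records so a cron job can re-run it every few
# minutes without cluttering the main chain.
# Assumptions: chain "gmail-out" exists or may be created, OUTPUT jumps to it
# for the users in question, and getent/iptables are present on the firewall.
# Usage:  DRY_RUN=1 sh refresh-gmail.sh run    (print the commands only)
#         sh refresh-gmail.sh run              (apply them)

CHAIN=${CHAIN:-gmail-out}
DRY_RUN=${DRY_RUN:-0}

# Print the command instead of executing it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Resolve a hostname to its IPv4 addresses, one per line. getent follows the
# CNAME (smtp.gmail.com -> gmail-smtp-msa.l.google.com) and returns every A
# record, so a round-robin answer produces several lines here.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# rules_for PORT ADDR... : print one ACCEPT rule spec per address.
# With the answer from the thread this yields a single line, e.g.
#   -p tcp -d 74.125.157.109 --dport 587 -j ACCEPT
rules_for() {
    port=$1; shift
    for addr in "$@"; do
        echo "-p tcp -d $addr --dport $port -j ACCEPT"
    done
}

# Flush the chain and re-add exactly one rule per currently resolved address.
# Flushing first is what prevents stale addresses from accumulating.
rebuild_chain() {
    run iptables -N "$CHAIN" 2>/dev/null || true   # no-op if it already exists
    run iptables -F "$CHAIN"
    for hp in imap.gmail.com:993 smtp.gmail.com:587; do
        host=${hp%:*}; port=${hp#*:}
        rules_for "$port" $(resolve_v4 "$host") | while read -r spec; do
            # $spec is deliberately unquoted: it holds several arguments.
            run iptables -A "$CHAIN" $spec
        done
    done
    run iptables -A "$CHAIN" -j RETURN
}

# Only rebuild when explicitly asked, so the file can be sourced for reuse.
[ "${1:-}" = run ] && rebuild_chain
```

Because the TTL on these records is 300 seconds, running the script from cron every five minutes tracks the answers about as closely as the resolver itself does; anything that resolved to a different address between two runs is still blocked until the next refresh, which is the inherent limit of filtering on addresses that the other side is free to change without warning.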