re-route requests on filtered smtp port 25

Jason asked:

My VPN filters port 25 (to prevent spam) but my ISP doesn’t. The VPN takes over all traffic and changes the default gateway? How can I bypass the VPN to send mail? I want all outgoing traffic except on port 25 to continue using the VPN.

My setup:

router 192.168.0.1 (this is the default gateway when VPN is not connected)
eth0 192.168.0.185
tun0 10.8.0.202

I tried to use iptables to do something with --dport 25 but I don’t really know my way around the firewall.

I am using Ubuntu 12.10.

Another thing is that 192.168.0.185 runs several servers (web, mail, ssh, …). The 192.168.0.1 router forwards requests on those ports (80, 443, …) to 192.168.0.185. To stop the VPN from interfering with this, I run:

ip rule add from 192.168.0.185 table 10
ip route add default via 192.168.0.1 table 10

All of my servers started working except mail (because of the same issue with port 25?) so I changed postfix to run on 2525 (and had the router forward port 25 there) and that got it working.

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.201      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.1        10.8.0.201      255.255.255.255 UGH   0      0        0 tun0
10.8.0.201      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
46.21.99.21     192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.8.0.201      128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0

My answer:

Two possibilities come to mind:

  1. Add a static route to your external mail server’s IP address which is explicitly routed via the Ethernet interface instead of the default route.

  2. Send out your outgoing mail to the external mail server on the submission port (587).

The best answer, though, is to run the mail server on a different (virtual) machine than the VPN, so that you can route its traffic appropriately. Routes can only be specified by IP address/network, not by port number.
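As an added illustration (not part of the original question or answer), this script applies the kernel's longest-prefix-match rule to the `route -n` table from the question: it shows why the VPN's two /1 routes (0.0.0.0/1 and 128.0.0.0/1) beat the eth0 default, and why a /32 static route to the mail server (option 1 above) wins over both. The mail server address 203.0.113.25 is a constructed placeholder, not an address from the page.

```python
import ipaddress

# Constructed copy of the `route -n` output posted in the question.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.201      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
10.8.0.1        10.8.0.201      255.255.255.255 UGH   0      0        0 tun0
10.8.0.201      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
46.21.99.21     192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.8.0.201      128.0.0.0       UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
"""

def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, iface, metric) tuples."""
    routes = []
    for line in text.splitlines()[2:]:  # skip the two header lines
        dest, gw, mask, _flags, metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}")  # netmask form is accepted
        routes.append((net, None if gw == "0.0.0.0" else gw, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Longest prefix wins; lower metric breaks ties. Returns (gateway, iface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]

def add_host_route(routes, host, gateway, iface):
    """Model of `ip route add <host>/32 via <gateway> dev <iface>` (option 1)."""
    routes.append((ipaddress.ip_network(f"{host}/32"), gateway, iface, 0))

if __name__ == "__main__":
    table = parse_route_n(ROUTE_N_OUTPUT)
    print("before:", lookup(table, "203.0.113.25"))  # goes out via tun0
    add_host_route(table, "203.0.113.25", "192.168.0.1", "eth0")
    print("after: ", lookup(table, "203.0.113.25"))  # now via eth0
```

Note that the lookup is by destination address only; port 25 never enters into it, which is the point the answer makes about routes being per address, not per port.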
View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.