IN Appliance
BeckyHester
08-10-2007, 04:47 PM
This topic is dedicated to questions and comments related to the IN - Input Gateway with firewall (iptables) appliance.
The IN data sheet can be found at:
AppLogic 2.4.x: http://doc.3tera.net/AppLogic24/CatGatewayIn.html
AppLogic 2.7.x: http://doc.3tera.net/AppLogic27/CatGatewayIn.html (page will be published concurrently with 2.7 release)
Please post any questions and/or comments here.
avantassel
03-31-2008, 03:38 PM
I need to add a rule to the gateway iptables. I can't do this through the web GUI because I need to specify allowed host IP to port.
I logged into the gateway and added the rule and all looked good; it showed up in iptables -L, but after a reboot it went back to the old rules.
What else do I need to allow it to pick up this rule?
PeterNic
04-04-2008, 07:37 PM
avantassel,
If you want to modify the built-in behavior of the appliance, you need to branch the IN appliance (while the app is stopped), make the changes, test them. Then you can move the modified IN gateway to your user catalog and use it instead of the standard IN gateway. Note that the appliance generates the iptables config file, so make sure you modify the template rather than the generated file -- see the scripts in the /appliance directory after branching the appliance. For more info on creating custom appliances, see the Appliance Creation Guide (http://doc.3tera.net/AppLogic2/GuideApplianceCreation.html) -- except start from IN as a template and not LUX.
BTW, is the rule you want to add something that others may need? If you can share it here, we will consider adding it as an option in future releases of the IN gateway.
Best regards,
-- Peter
dgoepp
04-02-2009, 01:48 PM
We are trying to allow relaying from a specific IP on another network through one of our mail servers. However, since there is an IN appliance in front of it, setting the access rules for Postfix doesn't work, as the requests appear to be coming from the private 10. address of the IN appliance. We can't set up IP-level access on the IN appliance since it needs to accept mail from anywhere on the net. But we need to open up at the application level (Postfix) to allow relaying from a specific IP. Any ideas on how we might get Postfix to see the actual public IP?
Thanks
-dg
PeterNic
04-02-2009, 05:56 PM
Unfortunately, for now, we don't have a way to do this except for http/https (unless you want to bypass the gateway and open the external interface on the postfix appliance).
One solution to the problem is to have two IN gateways -- one unconstrained, for public incoming access; and another for the relay. The second IN gateway will be constrained with allow_hosts to allow only the IP that you want to do relay from.
This way, you will get different incoming IPs for the public (non-relay) and private (relay) traffic.
One issue that would remain is that the addresses are dynamically assigned (even though they appear constant); to be able to easily distinguish which one you received from, you can simply add a second input terminal to the postfix appliance. Then you will have pub and pvt (or rly) inputs; then you will connect the public gateway to pub and the private gateway to pvt. You can then see on which input you received the request (if postfix allows you this). Or use the connections map created by AppLogic to see which incoming IP arrives on the private terminal.
A simpler approach may be to use a different port for the relayable traffic (not sure if it's doable, which is why this is my second approach).
If you need more details on the first approach, let me know.
Best regards,
- Peter
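
A way to audit the two-gateway setup described in the last reply, as an added example that is not part of the thread or of AppLogic: it correlates Postfix queue IDs to show which gateway address each outbound-relayed message arrived through. The two gateway addresses and the log lines are constructed (the page gives none), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed addresses (assumptions): private addresses Postfix sees for each IN gateway.
PUBLIC_GW = "10.1.0.21"  # unconstrained gateway, public incoming mail
RELAY_GW = "10.1.0.22"   # gateway constrained with allow_hosts, relay traffic only

# Constructed sample lines in the usual Postfix syslog format.
SAMPLE_LOG = """\
Apr  2 13:40:01 mail postfix/smtpd[2101]: 4F2A1C0012: client=unknown[10.1.0.22]
Apr  2 13:40:02 mail postfix/smtp[2110]: 4F2A1C0012: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.6, status=sent (250 ok)
Apr  2 13:41:10 mail postfix/smtpd[2102]: 7B31DC0013: client=unknown[10.1.0.21]
Apr  2 13:41:11 mail postfix/local[2111]: 7B31DC0013: to=<alice@example.com>, relay=local, delay=0.1, status=sent (delivered to mailbox)
Apr  2 13:42:30 mail postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[10.1.0.21]: 554 5.7.1 <bob@example.net>: Relay access denied; from=<x@example.org> to=<bob@example.net> proto=ESMTP helo=<h.example.org>
Apr  2 13:43:05 mail postfix/smtpd[2104]: 9C44EC0014: client=unknown[10.1.0.21]
Apr  2 13:43:06 mail postfix/smtp[2112]: 9C44EC0014: to=<carol@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.4, status=sent (250 ok)
"""

CLIENT = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=\S*\[([0-9a-fA-F.:]+)\]")
SENT_OUT = re.compile(r"postfix/smtp\[\d+\]: ([0-9A-F]+): to=<([^>]*)>.*status=sent")
DENIED = re.compile(r"reject: RCPT from \S*\[([0-9a-fA-F.:]+)\]: .*Relay access denied")

def audit(log_text):
    """Per source address: recipients relayed to remote hosts, and relay denials."""
    client_of = {}  # queue ID -> address the message was received from
    report = defaultdict(lambda: {"relayed": [], "denied": 0})
    for line in log_text.splitlines():
        if m := CLIENT.search(line):
            client_of[m.group(1)] = m.group(2)
        elif m := SENT_OUT.search(line):  # delivered by the outbound smtp client
            report[client_of.get(m.group(1), "unknown")]["relayed"].append(m.group(2))
        elif m := DENIED.search(line):
            report[m.group(1)]["denied"] += 1
    return dict(report)

def findings(report):
    """Flag the two conditions that mean the split is not working as intended."""
    out = []
    for rcpt in report.get(PUBLIC_GW, {}).get("relayed", []):
        out.append(f"relayed via public gateway: {rcpt}")  # open-relay indicator
    if report.get(RELAY_GW, {}).get("denied", 0):
        out.append("relay gateway is being refused relay")
    return out

if __name__ == "__main__":
    for finding in findings(audit(SAMPLE_LOG)):
        print(finding)
```

Because Postfix trusts the relay gateway's address as a whole, the allow_hosts setting on that gateway is the only control on who may relay, so any message relayed through the public gateway's address is worth investigating.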