How to find GMAIL IPs to allow at Firewall

From Brian Nelson Ramblings
Revision as of 17:30, 7 March 2015 by Brian (Talk | contribs) (IPV4 IPs for Google)


If you are using a hosting provider that cares about security, you could have an issue connecting to Gmail's mail servers. They are probably blocking outbound connections over most ports, which means you have to add Gmail's IP addresses to the firewall rules.

How to find Gmail IPs

The first step is to dig for the SPF record for gmail.com:

dig gmail.com txt 

; <<>> DiG 9.9.2-P1 <<>> gmail.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35581
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gmail.com.			IN	TXT

;; ANSWER SECTION:
gmail.com.		300	IN	TXT	"v=spf1 redirect=_spf.google.com"

;; Query time: 52 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Apr  7 09:03:57 2014
;; MSG SIZE  rcvd: 8

OK, now you have some information you can use: the record redirects to _spf.google.com.

Now you will want to dig at that:

dig _spf.google.com txt

;  <<>> DiG 9.9.2-P1 <<>> _spf.google.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26190
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_spf.google.com.		IN	TXT

;; ANSWER SECTION:
_spf.google.com.	213	IN	TXT	"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all" 

;; Query time: 29 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Apr  7 09:04:23 2014
;; MSG SIZE  rcvd: 160

Now you will notice they have 3 netblocks set up for _spf.google.com. You will need to dig each of them to get the IP addresses you need.

The first one holds the IPv4 ranges, the second one holds the IPv6 ranges, and the last one is a normal SPF record.

Gmail's IPV4 IPs

dig _netblocks.google.com txt 

; <<>> DiG 9.9.2-P1 <<>> _netblocks.google.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46828
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_netblocks.google.com.		IN	TXT

;; ANSWER SECTION:
_netblocks.google.com.	1149	IN	TXT	"v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ~all"
;; Query time: 29 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Apr  7 09:04:50 2014
;; MSG SIZE  rcvd: 265

Gmail's IPV6 IPs

dig _netblocks2.google.com txt

; <<>> DiG 9.9.2-P1 <<>> _netblocks2.google.com txt
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53721
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_netblocks2.google.com.		IN	TXT

;; ANSWER SECTION:
_netblocks2.google.com.	622	IN	TXT	"v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"

;; Query time: 30 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Apr  7 09:05:07 2014
;; MSG SIZE  rcvd: 218

The last block does not provide any useful information needed for obtaining IPs.

_netblocks3.google.com.	1884	IN	TXT	"v=spf1 ~all"

Summary of IPs to allow in the Firewall

IPV4 IPs for Google

64.18.0.0/20
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
173.194.0.0/16
207.126.144.0/20
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19

IPV6 IPs for Google

2001:4860:4000::/36
2404:6800:4000::/36
2607:f8b0:4000::/36
2800:3f0:4000::/36
2a00:1450:4000::/36
2c0f:fb50:4000::/36

Now you will want to take that list and add the ranges to your firewall.
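
The manual walk above (redirect, then each include, then the ip4:/ip6: terms) can be scripted so the allowlist is re-derived whenever the published records change. This is an added example, not part of the original page: the function names and the SPF_OFFLINE switch are assumptions, and the offline records are copied from the dig output shown above.

```shell
#!/bin/sh
# TXT lookup. SPF_OFFLINE=1 answers from the records in the dig output on
# this page (captured April 2014); otherwise DNS is queried with dig.
lookup_txt() {
  if [ "${SPF_OFFLINE:-0}" = 1 ]; then
    case "$1" in
      gmail.com) echo '"v=spf1 redirect=_spf.google.com"' ;;
      _spf.google.com) echo '"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"' ;;
      _netblocks.google.com) echo '"v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ~all"' ;;
      _netblocks2.google.com) echo '"v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"' ;;
      _netblocks3.google.com) echo '"v=spf1 ~all"' ;;
    esac
  else
    dig +short TXT "$1"
  fi
}

# Print each ip4:/ip6: range reachable from domain $1, following include:
# and redirect=. $2 is the chain of names already visited (loop guard).
spf_cidrs() {
  case " ${2:-} " in *" $1 "*) return 0 ;; esac
  # Join multi-string TXT answers, drop quotes, keep only the SPF record.
  for term in $(lookup_txt "$1" | sed 's/" "//g; s/"//g' | grep -i '^v=spf1'); do
    case "$term" in
      ip4:*|ip6:*)
        cidr=${term#ip?:}
        # DNS answers are untrusted input: emit only CIDR-safe characters.
        case "$cidr" in *[!0-9A-Fa-f.:/]*) ;; *) echo "$cidr" ;; esac ;;
      include:*)  spf_cidrs "${term#include:}" "${2:-} $1" ;;
      redirect=*) spf_cidrs "${term#redirect=}" "${2:-} $1" ;;
    esac
  done
}

# Ranges published for $1 that are missing from allowlist file $2 (one CIDR
# per line). Empty output means the firewall list covers the SPF ranges.
spf_missing() {
  spf_cidrs "$1" | sort -u | grep -vxF -f "$2" || true
}
```

Running `spf_missing gmail.com allowlist.txt` from a scheduled job shows when new ranges need to be added before outbound mail starts failing; `allowlist.txt` is a hypothetical file holding the ranges currently allowed.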