[NTLUG:Discuss] IPChains rules (kernel 2.2) to limit smtp port 25 access
Kelledin
kelledin+NTLUG at skarpsey.dyndns.org
Mon Jul 29 17:53:40 CDT 2002
On Monday 29 July 2002 05:11 pm, Bug Hunter wrote:
> I need to limit smtp port 25 access to servers on our
> network. We have a class c network with smtp servers, and a
> firewall. The users behind the firewall are going out to the
> internet and bouncing off of servers in china, etc.
>
> I want to limit them to our smtp server so that we can more
> easily track them down and grind them into a pulp and stomp
> them and ....... shudder.
>
>
> The firewall is a smoothwall firewall. I have customized
> it, but I'm not sure of the rules that would limit the smtp
> access.
>
>
> The users may be dialing in, and they may be coming in off
> of other machines not easily traceable.
>
> bug
Not sure about ipchains...it's been ages since I used ipchains.
And I've never used a pre-packaged ipchains manager like
SmoothWall...
Basically what you'll need to do is block outgoing connections on
port 25 for every node except your SMTP servers. I would
suggest something like the following as the first rules for your
INPUT chain:
--
# beginning of ipchains script segment
# Set SMTP_SERVER_IPS to a list of IP addresses for your SMTP
# servers.
SMTP_SERVER_IPS="192.168.0.1 192.168.0.2"
# Set PRIVATE_INTERFACE to whatever interface the firewall uses
# to reach the internal network.
PRIVATE_INTERFACE="eth0"
# Allow each SMTP server to open outbound port-25 connections.
# (-A appends to the INPUT chain; run this segment before any
# broader ACCEPT rules so that these come first.)
for SIP in ${SMTP_SERVER_IPS}; do
    /sbin/ipchains -A INPUT \
        -i $PRIVATE_INTERFACE \
        -p tcp \
        -s ${SIP}/32 \
        --destination-port 25 \
        -j ACCEPT
done
# now add a rule to deny any SMTP access not authorized by the
# above rules.
/sbin/ipchains -A INPUT \
    -i $PRIVATE_INTERFACE \
    -p tcp \
    --destination-port 25 \
    -j DENY
# end of ipchains script segment
--
--
Kelledin
"If a server crashes in a server farm and no one pings it, does
it still cost four figures to fix?"
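An added example, not code from Kelledin's post or from SmoothWall, that carries the same egress policy a step further for the "track them down" part of the question: the rules are generated by a function with a dry-run switch, the final DENY rule logs each blocked connection attempt with ipchains' own `-l` flag, and a small summarizer counts the internal hosts behind those log entries. The function names, the `IPCHAINS` variable and the sample log lines are assumptions made for this example; the sample lines are constructed in the kernel 2.2 "Packet log:" layout, not captured from a real firewall.

```shell
#!/bin/sh
# Added example, not from the original post. Same egress policy as the
# script above, generalized into a function with a dry-run switch, plus a
# log-and-deny rule and a log summarizer so the internal hosts that keep
# trying to reach outside SMTP servers can be picked out of the kernel log.
# Assumptions: ipchains on a 2.2 kernel; the log lines below are constructed
# in the 2.2 "Packet log:" format, not captured from a real box.

# Point IPCHAINS at "echo" to preview the rules instead of loading them.
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# build_smtp_egress_rules <inside interface> <SMTP server IP>...
# Appends to INPUT: one ACCEPT per listed server, then a logged DENY for any
# other TCP connection attempt to port 25 arriving on the inside interface.
build_smtp_egress_rules() {
    iface="$1"
    shift
    if [ "$#" -eq 0 ]; then
        echo "build_smtp_egress_rules: need at least one SMTP server IP" >&2
        return 1
    fi
    for sip in "$@"; do
        "$IPCHAINS" -A INPUT -i "$iface" -p tcp -s "$sip/32" \
            --destination-port 25 -j ACCEPT
    done
    # -y matches only SYN packets, so each blocked attempt is logged once;
    # -l is ipchains' per-rule kernel logging flag (lands in syslog).
    "$IPCHAINS" -A INPUT -i "$iface" -p tcp -y --destination-port 25 -l -j DENY
}

# summarize_denied_smtp: reads kernel log lines on stdin and prints
# "<count> <internal source IP>" for every source that hit the DENY rule,
# most frequent first. In the 2.2 log format the two fields after PROTO=6
# are src:port and dst:port.
summarize_denied_smtp() {
    awk '/Packet log: input DENY/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "PROTO=6") {
                    split($(i + 1), src, ":")
                    split($(i + 2), dst, ":")
                    if (dst[2] == "25") hits[src[1]]++
                }
            }
        }
        END { for (s in hits) print hits[s], s }' | sort -rn
}

# Constructed sample log (not from a real system): two attempts from one
# internal host and one from another, all aimed at outside mail servers.
SAMPLE_LOG='Jul 29 18:02:11 fw kernel: Packet log: input DENY eth0 PROTO=6 192.168.0.77:1034 203.0.113.5:25 L=60 S=0x00 I=19435 F=0x4000 T=64 SYN (#3)
Jul 29 18:02:14 fw kernel: Packet log: input DENY eth0 PROTO=6 192.168.0.77:1035 203.0.113.5:25 L=60 S=0x00 I=19436 F=0x4000 T=64 SYN (#3)
Jul 29 18:03:40 fw kernel: Packet log: input DENY eth0 PROTO=6 192.168.0.23:2201 198.51.100.9:25 L=60 S=0x00 I=30117 F=0x4000 T=64 SYN (#3)'

# Demo run: SMTP_EGRESS_DEMO=1 IPCHAINS=echo sh smtp_egress.sh
if [ "${SMTP_EGRESS_DEMO:-}" = "1" ]; then
    build_smtp_egress_rules eth0 192.168.0.1 192.168.0.2
    printf '%s\n' "$SAMPLE_LOG" | summarize_denied_smtp
fi
```

Previewing with `IPCHAINS=echo` shows exactly what would be appended to INPUT before anything touches the running firewall; once the rules are live, feeding `/var/log/messages` (or wherever klogd writes) to `summarize_denied_smtp` gives the list of internal hosts still trying to bounce mail off outside servers, which is the information needed to go find them.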