[NTLUG:Discuss] IPChains rules (kernel 2.2) to limit smtp port 25 access
Richard Geoffrion
ntlug at rain4us.net
Mon Jul 29 21:36:39 CDT 2002
----- Original Message -----
From: "Kelledin" kelledin+NTLUG at skarpsey.dyndns.org
>On Monday 29 July 2002 05:11 pm, Bug Hunter wrote:
>> I need to limit smtp port 25 access to servers on our
>> network. We have a class c network with smtp servers, and a
>> firewall. The users behind the firewall are going out to the
>> internet and bouncing off of servers in china, etc.
>>
>> I want to limit them to our smtp server so that we can more
>> easily track them down and grind them into a pulp and stomp
>> them and ....... shudder.
>>
>>
>> The firewall is a smoothwall firewall. I have customized
>> it, but I'm not sure of the rules that would limit the smtp
>> access.
>>
>>
>> The users may be dialing in, and they may be coming in off
>> of other machines not easily traceable.
>>
>> bug
>
>Not sure about ipchains...it's been ages since I used ipchains.
>And I've never used a pre-packaged ipchains manager like
>SmoothWall...
>
>Basically what you'll need to do is block outgoing connections on
>port 25 for every node except your SMTP servers. I would
>suggest something like the following as the first rules for your
>INPUT chain:
>
>--
># beginning of ipchains script segment
>
># Set SMTP_SERVER_IPS to a list of IP addresses for your SMTP
># servers.
>SMTP_SERVER_IPS="192.168.0.1 192.168.0.2"
>
># Set PRIVATE_INTERFACE to whatever interface the firewall uses
># to reach the internal network.
>PRIVATE_INTERFACE="eth0"
>
>for SIP in ${SMTP_SERVER_IPS}; do
> /sbin/ipchains -A input \
> -i $PRIVATE_INTERFACE \
> -p tcp \
> -s ${SIP}/32 \
> --destination-port 25 \
> -j ACCEPT
>done
>
># now add a rule to deny any SMTP access not authorized by the
># above rules.
>/sbin/ipchains -A input \
> -i $PRIVATE_INTERFACE \
> -p tcp \
> --destination-port 25 \
> -j DENY
>
># end of ipchains script segment
>--
>
What about a rule to redirect all outbound port 25 traffic to a local SMTP
server? I've seen other ISPs do this...most noticeably AOHell and BigPlanet.
Any attempt to telnet out to port 25 brings you to one of their SMTP
'washer' servers....which presumably is in place to strip LoveBug and
Melissa worms...
Not that I know how to make the firewall rule myself, see.....I'm just the
idea man. :)
Happy Hunting, bug
/dev/rtcg
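Both ideas in this thread, Kelledin's allow-the-mail-servers-then-deny rules and the redirect-everything-else-to-a-local-MTA approach raised above, as one ipchains script. This is an added example, not code from either post or from SmoothWall; the variable names, the SMTP_POLICY, DRY_RUN and LOAD_SMTP_RULES switches, and the use of the 192.168.0.1 / 192.168.0.2 addresses as sample mail servers are assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts): SMTP egress control for a
# 2.2-kernel ipchains firewall. Internal hosts other than the listed mail
# servers are either denied port 25 (and logged) or transparently redirected
# to an MTA running on the firewall. Variable names and defaults are assumptions.

# Sample addresses of the mail servers allowed to reach port 25 anywhere.
SMTP_SERVER_IPS="${SMTP_SERVER_IPS:-192.168.0.1 192.168.0.2}"
# Interface on which the firewall sees traffic from the internal network.
PRIVATE_INTERFACE="${PRIVATE_INTERFACE:-eth0}"
# "deny": drop and log (the log line carries the offending source address);
# "redirect": hand the connection to the local MTA instead (needs
# CONFIG_IP_TRANSPARENT_PROXY in the 2.2 kernel; REDIRECT is input-chain only).
SMTP_POLICY="${SMTP_POLICY:-deny}"
LOCAL_SMTP_PORT="${LOCAL_SMTP_PORT:-25}"
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
# DRY_RUN=1 prints the rules instead of loading them.
DRY_RUN="${DRY_RUN:-0}"

# Run one ipchains command, or print it when dry-running.
rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@"
    fi
}

# Emit the allow rules for the mail servers, then the catch-all for everyone
# else. Both match only packets arriving on the internal interface, so the
# firewall's own outbound mail (output chain) and replies coming back from
# remote port 25 (source port 25, external interface) are untouched.
smtp_egress_rules() {
    for sip in $SMTP_SERVER_IPS; do
        rule -A input -i "$PRIVATE_INTERFACE" -p tcp -s "$sip/32" \
            --destination-port 25 -j ACCEPT || return 1
    done
    case "$SMTP_POLICY" in
        deny)
            # -l logs each matched packet through the kernel log, which is
            # how you find out which internal machine is doing it.
            rule -A input -i "$PRIVATE_INTERFACE" -p tcp \
                --destination-port 25 -l -j DENY || return 1 ;;
        redirect)
            rule -A input -i "$PRIVATE_INTERFACE" -p tcp \
                --destination-port 25 -l -j REDIRECT "$LOCAL_SMTP_PORT" || return 1 ;;
        *)
            echo "smtp_egress_rules: unknown SMTP_POLICY '$SMTP_POLICY'" >&2
            return 2 ;;
    esac
}

# Number of rules the current settings would load (dry run, nothing touched).
count_rules() {
    ( DRY_RUN=1; smtp_egress_rules ) | grep -c -- '-A input'
}

# Only load for real when explicitly asked, so the file can also be sourced.
if [ "${LOAD_SMTP_RULES:-0}" = 1 ]; then
    smtp_egress_rules
fi
```

Two things to check before loading it on a SmoothWall box: `-A` appends, so if the generated `input` chain already ends in a blanket ACCEPT these rules never fire and you want `-I input` instead; and with `SMTP_POLICY=redirect` the MTA on the firewall has to be willing to relay for the internal addresses, otherwise the redirected clients just get a relay refusal. With either policy the `-l` flag puts one kernel log line per matched packet in syslog, and the source address in that line is the machine to go and look at.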