[NTLUG:Discuss] IPChains rules (kernel 2.2) to limit smtp port 25 access

Richard Geoffrion ntlug at rain4us.net
Mon Jul 29 21:36:39 CDT 2002


----- Original Message -----
From: "Kelledin" kelledin+NTLUG at skarpsey.dyndns.org

>On Monday 29 July 2002 05:11 pm, Bug Hunter wrote:
>>   I need to limit smtp port 25 access to servers on our
>> network.  We have a class c network with smtp servers, and a
>> firewall. The users behind the firewall are going out to the
>> internet and bouncing off of servers in china, etc.
>>
>>  I want to limit them to our smtp server so that we can more
>> easily track them down and grind them into a pulp and stomp
>> them and ....... shudder.
>>
>>
>>   The firewall is a smoothwall firewall.  I have customized
>> it, but I'm not sure of the rules that would limit the smtp
>> access.
>>
>>
>>   The users may be dialing in, and they may be coming in off
>> of other machines not easily traceable.
>>
>> bug
>
>Not sure about ipchains...it's been ages since I used ipchains.
>And I've never used a pre-packaged ipchains manager like
>SmoothWall...
>
>Basically what you'll need to do is block outgoing connections on
>port 25 for every node except your SMTP servers.  I would
>suggest something like the following as the first rules for your
>INPUT chain:
>
>--
># beginning of ipchains script segment
>
># Set SMTP_SERVER_IPS to a list of IP addresses for your SMTP
># servers.
>SMTP_SERVER_IPS="192.168.0.1 192.168.0.2"
>
># Set PRIVATE_INTERFACE to whatever interface the firewall uses
># to reach the internal network.
>PRIVATE_INTERFACE="eth0"
>
>for SIP in ${SMTP_SERVER_IPS}; do
>    # ipchains chains are lower-case and -A appends; put this
>    # segment ahead of the rest of the script so these come first
>    /sbin/ipchains -A input \
>                   -i $PRIVATE_INTERFACE \
>                   -p TCP \
>                   -s ${SIP}/32 \
>                   --destination-port 25 \
>                   -j ACCEPT
>done
>
># now add a rule to deny any SMTP access not authorized by the
># above rules.
>/sbin/ipchains -A input \
>               -i $PRIVATE_INTERFACE \
>               -p TCP \
>               --destination-port 25 \
>               -j DENY
>
># end of ipchains script segment
>--
>

What about a rule to redirect all outbound port 25 traffic to a local SMTP
server.  I've seen other ISPs do this...most noticeably AOHell and BigPlanet.
Any attempt to telnet out to a port 25 brings you to one of their smtp
'washer' servers....which presumably is in place to strip lovebug and
melissa worms...

Not that I know how to make the firewall rule myself, see.....I'm just the
idea man.  :)

Happy Hunting, bug

/dev/rtcg
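Putting the two suggestions in this thread together (Kelledin's allow-list for the real mail servers, then Richard's redirect of everything else to a local "washer"), here is an added example script that is not from either poster. It assumes the firewall itself runs an SMTP daemon on port 25 and that the 2.2 kernel was built with transparent proxy support, which the ipchains REDIRECT target needs; the interface name and the server addresses are placeholders.

```sh
#!/bin/sh
# Added example, not from the original thread: allow the real SMTP servers
# out on port 25 and transparently redirect every other LAN host's port-25
# connection to the SMTP daemon running on the firewall itself.
#
# Assumptions (constructed for this example):
#   - kernel 2.2 with CONFIG_IP_TRANSPARENT_PROXY, required by -j REDIRECT
#   - an SMTP daemon (the "washer") listening on port 25 on the firewall
#   - eth0 is the inside interface, 192.168.0.1/.2 are the mail servers

IPCHAINS="${IPCHAINS:-/sbin/ipchains}"
PRIVATE_INTERFACE="${PRIVATE_INTERFACE:-eth0}"
SMTP_SERVER_IPS="${SMTP_SERVER_IPS:-192.168.0.1 192.168.0.2}"
# DRY_RUN=1 prints the rules instead of loading them, so the ruleset can be
# reviewed on a box without ipchains or without root.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@"
    fi
}

# Emits (or loads) the rules in order: one ACCEPT per mail server, then the
# catch-all REDIRECT.  ipchains only allows REDIRECT in the input chain and
# the local port follows the target name.
smtp_redirect_rules() {
    for sip in $SMTP_SERVER_IPS; do
        run -A input -i "$PRIVATE_INTERFACE" -p tcp -s "$sip/32" \
            --destination-port 25 -j ACCEPT
    done
    run -A input -i "$PRIVATE_INTERFACE" -p tcp \
        --destination-port 25 -j REDIRECT 25
}

# Counts the rules that would be loaded; handy for a sanity check before
# applying the script on the firewall.
smtp_redirect_rule_count() {
    DRY_RUN=1 smtp_redirect_rules | wc -l | tr -d ' '
}

# Usage:  DRY_RUN=1 sh smtp-redirect.sh apply   (show the rules)
#         sh smtp-redirect.sh apply              (load them, as root)
case "${1:-}" in
    apply) smtp_redirect_rules ;;
esac
```

The order matters: the ACCEPT rules for the mail servers must precede the REDIRECT, otherwise the servers' own outbound mail would be bounced into the local daemon as well. Hosts that are allowed out directly are still subject to whatever the forward chain says, so this segment belongs ahead of the existing rules as Kelledin noted for the DENY variant.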