Linux Firewall Question

frappe33

I inherited a Linux-based firewall and I have been learning a bit about iptables. I seem to have a machine spamming, which is causing blacklist issues. I tried to add some lines to only allow mail from trusted sources, mainly the Exchange cluster servers and the OWA server. When I uncomment the REJECT line, I can send mail OK but no messages are received from external sources. Below is the code; please pick it apart and tell me where I'm wrong and what I haven't picked up yet :) Thanks in advance for your cruel honesty...

Code:
# FORWARD
# Rule 1 to allow outbound mail only from Exchange server
# Rule 2 to deny any other outbound port 25 traffic
iptables -A FORWARD -p tcp -s 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "REJECTING SMTP CONNE$
iptables -A FORWARD -p tcp -s 172.16.x.xx --dport 25 -j REJECT
#iptables -A FORWARD -p tcp --dport 25 -j REJECT
# OUTPUT
 
Now I am no iptables expert, but I do believe your config should have some sort of entries for incoming trusted SMTP connections. Assuming the 172.16.x.xx are all different IPs, then you should have something like this:

Code:
# FORWARD
# Rule 1 to allow outbound mail only from Exchange server
# Rule 2 to deny any other outbound port 25 traffic
iptables -A FORWARD -p tcp -s 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -d 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -d 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -d 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -d 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp -d 172.16.x.xx --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "REJECTING SMTP CONNE$
iptables -A FORWARD -p tcp --dport 25 -j REJECT
# OUTPUT

Again, I am no expert, but that would make sense to me. Hopefully I am not wrong.

Cheers
 
I'm not an expert either, but I think what Dawizman posted looks about right. I have only played with iptables for fun though; I haven't used it in a production environment.

Hopefully it's not a sin on this site to suggest another forum but if I were you I would ask this question over at www.linuxquestions.org or http://ubuntuforums.org . Both of those sites have a lot of veteran Linux people who deal with these kinds of questions every day.
 
Thanks to you both for your assistance. The way this appears to be set up is that it is segregated in the code for outbound and inbound; I only displayed the outbound portion as that is where my issues are. There are separate inbound forward and output (I think these are the) sections.
 
Your goals are contradictory. You set up rules to only allow connections from trusted sources, but this will also block all mail originating from outside.

If you want to block people from relaying mail on a server that needs to accept mail from the Internet, you need to do it in your SMTP server, not at the firewall.
 
Thanks again. My goal was to block a malicious program which may have its own SMTP engine from sending mail OUT of the org. The trusted machines are listed individually. How would I add a rule that would allow inbound mail but block outbound except those originating from the explicit trusted sources?
 
Can you provide a diagram or at least a description of where the client, mail server and firewall are situated on the network?
 
Not sure why that matters, but the firewall is the gateway feeding into a 3750 which splits to edge switches, with the email cluster and client computers connecting to numerous 2790s.
 
Trying to determine if the mail server is inside or outside your network. Both setups are common... you're often using your ISP's relay. It's also common to put the firewall between the clients and servers with the servers in a DMZ as well; again, different rules required.

Assuming your clients and servers are in the same network, you should only have to create a rule for your SMTP server to accept mail from the Internet and be able to send mail out. Probably easiest to just allow all SMTP traffic to/from the mail server, so just add a couple --dport 25 rules with the e-mail server as source (or destination) on the incoming and outgoing interface. Your clients can relay mail through the internal mail server, so drop all other outgoing SMTP. Control relay rules in the mail server software itself.
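As an added illustration of the rule ordering discussed in this reply and in the earlier one about contradictory goals (this is example code, not anything posted in the thread), the small model below walks a FORWARD chain with iptables' first-terminating-match semantics. It runs the original poster's outbound block (with the catch-all REJECT uncommented) and the interface-based rule set described above against three constructed packets: mail arriving from the Internet for the mail server, mail leaving from the mail server, and an infected workstation trying to send directly. The interface names eth0/eth1, the 172.16.1.x addresses and the external addresses are assumptions for the example.

```python
"""Added example: first-match model of an iptables FORWARD chain.

Shows why a plain `--dport 25 -j REJECT` catch-all also blocks inbound SMTP,
and how allowing SMTP to/from the mail server on both interfaces while
dropping every other outbound port-25 attempt gives the intended result.
All addresses, interface names and packets below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

WAN, LAN = "eth0", "eth1"      # assumed: eth0 faces the Internet, eth1 the LAN
MAIL = "172.16.1.10"           # assumed address of the Exchange/SMTP gateway
CLIENT = "172.16.1.50"         # assumed workstation (the possibly infected host)


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    in_if: str
    out_if: str


@dataclass
class Rule:
    target: str                    # ACCEPT, REJECT, DROP or LOG
    proto: Optional[str] = None    # -p
    src: Optional[str] = None      # -s
    dst: Optional[str] = None      # -d
    dport: Optional[int] = None    # --dport
    in_if: Optional[str] = None    # -i
    out_if: Optional[str] = None   # -o

    def matches(self, p: Packet) -> bool:
        # An unset match field means "any", exactly as an omitted iptables option does.
        return all(cond is None or cond == val for cond, val in (
            (self.proto, p.proto), (self.src, p.src), (self.dst, p.dst),
            (self.dport, p.dport), (self.in_if, p.in_if), (self.out_if, p.out_if)))


def evaluate(chain, p: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain in order; LOG is non-terminating, the first terminating match wins."""
    for rule in chain:
        if rule.matches(p):
            if rule.target == "LOG":
                continue
            return rule.target
    return policy


def to_iptables(r: Rule, chain: str = "FORWARD") -> str:
    """Render a Rule as the equivalent iptables command line."""
    parts = [f"iptables -A {chain}"]
    for flag, val in (("-i", r.in_if), ("-o", r.out_if), ("-p", r.proto),
                      ("-s", r.src), ("-d", r.dst), ("--dport", r.dport)):
        if val is not None:
            parts.append(f"{flag} {val}")
    parts.append(f"-j {r.target}")
    return " ".join(parts)


# The original poster's outbound block with the commented-out catch-all enabled.
ORIGINAL = [
    Rule("ACCEPT", proto="tcp", src=MAIL, dport=25),
    Rule("LOG", proto="tcp", dport=25),
    Rule("REJECT", proto="tcp", dport=25),
]

# The approach from the last reply: SMTP to and from the mail server on the
# right interfaces, then log and drop any other outbound SMTP attempt.
FIXED = [
    Rule("ACCEPT", proto="tcp", src=MAIL, dport=25, in_if=LAN, out_if=WAN),
    Rule("ACCEPT", proto="tcp", dst=MAIL, dport=25, in_if=WAN, out_if=LAN),
    Rule("LOG", proto="tcp", dport=25, out_if=WAN),
    Rule("DROP", proto="tcp", dport=25, out_if=WAN),
]

# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
INBOUND_MAIL = Packet("tcp", "203.0.113.7", MAIL, 25, WAN, LAN)       # Internet -> Exchange
OUTBOUND_MAIL = Packet("tcp", MAIL, "198.51.100.25", 25, LAN, WAN)    # Exchange -> Internet
ROGUE_CLIENT = Packet("tcp", CLIENT, "198.51.100.25", 25, LAN, WAN)   # infected PC -> Internet


def verdicts(chain) -> dict:
    """Verdict for each sample packet under the given chain."""
    return {name: evaluate(chain, p) for name, p in (
        ("inbound_mail", INBOUND_MAIL),
        ("outbound_mail", OUTBOUND_MAIL),
        ("rogue_client", ROGUE_CLIENT))}


if __name__ == "__main__":
    for label, chain in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, verdicts(chain))
        for r in chain:
            print("   ", to_iptables(r))
```

Running it shows the original chain rejecting the inbound delivery (the catch-all has no idea which direction the connection is going), while the fixed chain accepts mail in both directions for the mail server and drops the workstation's direct attempt, which is the one you want to see in the log. On a real box these rules would normally sit after a `--ctstate ESTABLISHED,RELATED` accept rule so that reply packets of allowed connections are not evaluated against them, and relay restrictions still belong in Exchange, as the replies above say.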
 