[Firewall] Block SMTP traffic out

Dennis van der Meer iptables at greenchem-adblue.com
Wed Mar 3 14:39:36 CET 2010


root at linuxserver:/etc/arno-iptables-firewall#
/usr/local/sbin/arno-iptables-firewall start
Arno's Iptables Firewall Script v1.9.2d
-------------------------------------------------------------------------------
Sanity checks passed...OK
Checking/probing IPv4 Iptables modules:
 Module check done...
Setting the kernel ring buffer to only log panic messages to the console
Setup kernel settings:
 Setting the max. amount of simultaneous connections to 16384
 Setting default conntrack timeouts
 Enabling protection against source routed packets
 Enabling packet forwarding
 Enabling reduction of the DoS'ing ability
 Enabling anti-spoof with rp_filter
 Enabling SYN-flood protection via SYN-cookies
 Disabling the logging of martians
 Disabling the acception of ICMP-redirect messages
 Setting default TTL=64
 Disabling ECN (Explicit Congestion Notification)
 Flushing route table
 Kernel setup done...
Initializing firewall chains
 Setting default INPUT/FORWARD policy to DROP
(Re)loading list of BLOCKED hosts from /etc/arno-iptables-firewall/blocked-hosts...
 1 line(s) read. 1 host(s) blocked.
Using loglevel "info" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
Enabling mangling TOS
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
Logging of fragmented packets enabled
Logging of access from reserved addresses enabled
Setting up (antispoof) INTERNAL net(s): 192.168.2.0/24 172.16.0.0/24
Logging outgoing TCP port(s): 25
Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Checking for (user) plugins in /usr/local/share/arno-iptables-firewall/plugins...
 IPsec VPN plugin v0.70BETA
  Allowing internet hosts 0/0 to access the VPN service
 Loaded 1 plugin(s)...
Setting up INPUT policy for the external net (INET):
 Logging of explicitly blocked hosts enabled
 Logging of denied local output connections enabled
 Denying ANYHOST for TCP port(s) (NO LOG): 113
 Packets will NOT be checked for private source addresses
 (92.64.243.27) Allowing ANYHOST for TCP port(s): 80
 (eth0) Allowing ANYHOST for TCP port(s): 1723,5500
 (92.64.243.26) Allowing ANYHOST for UDP port(s): 500,4500
 Allowing ANYHOST for IP protocol(s): 47,50,51
 Allowing ANYHOST to send ICMP-requests(ping)
 Logging of dropped ICMP-request(ping) packets enabled
 Logging of dropped other ICMP packets enabled
 Logging of possible stealth scans enabled
 Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
 Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
 Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
 Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
 Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
 Logging of ICMP flooding enabled
Setting up OUTPUT policy for the external net (INET):
 Allowing all (other) ports/protocols
Applying INET policy to external interface: eth0 (without an external subnet specified)
Setting up INPUT policy for internal (LAN) interface(s): eth1
 Allowing ICMP-requests(ping)
 Allowing all (other) ports/protocols
Accepting ALL INPUT traffic from trusted interface(s): eth1
Accepting ALL FORWARD traffic for trusted interface(s): eth1
Setting up trust FORWARD policy for interface(s): eth1
Setting up FORWARD policy for internal (LAN) interface(s): eth1
 Logging of denied LAN->INET FORWARD connections enabled
 Setting up LAN->INET policy:
  Allowing 192.168.2.4(LAN) to 0/0(INET) for TCP port(s): 25
  Denying 0/0(LAN) to 0/0(INET) for TCP port(s): 25
  Allowing ICMP-requests(ping)
  Denying TCP port(s): 25
  Allowing all (other) TCP ports
  Allowing all (other) UDP ports
  Allowing all (other) protocols
Enabling masquerading(NAT) via external interface(s): eth0
 Adding (internal) host(s): 192.168.2.0/24 172.16.0.0/24
(eth0) (92.64.243.26) Forwarding(NAT) TCP port(s) 0/0:443,1110 to 192.168.2.4
Security is ENFORCED for external interface(s) in the FORWARD chain

Mar 03 14:38:07 All firewall rules applied.

-----Original Message-----
From: firewall-bounces at rocky.eld.leidenuniv.nl
[mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Arno van Amersfoort
Sent: woensdag 3 maart 2010 14:20
To: Arno's IPTABLES firewall script
Subject: Re: [Firewall] Block SMTP traffic out

Weird, looks all ok. What's the output of 
/usr/local/sbin/arno-iptables-firewall start ?


Dennis van der Meer wrote:
> Sorry, but it doesn't work. I have added my firewall.conf because maybe
> something is overriding the settings.
> 
> 
> Dennis
> 
> -----Original Message-----
> From: firewall-bounces at rocky.eld.leidenuniv.nl
> [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Arno van
> Amersfoort
> Sent: woensdag 3 maart 2010 12:47
> To: Arno's IPTABLES firewall script
> Subject: Re: [Firewall] Block SMTP traffic out
> 
> What you probably want is:
> 
> LAN_INET_DENY_TCP="25"
> LAN_INET_HOST_OPEN_TCP="mailserver_lan_ip>0/0~25"
> 
> That should do it. It simply blocks all TCP port 25 traffic but since 
> the HOST_OPEN rules overrule the DENY_TCP rule it will create an 
> exception for your mailserver....
> 
> a.
> 
> Dennis van der Meer wrote:
>> Hi Lonnie,
>>
>> This unfortunately does nothing.
>> I tried DENY_TCP="25" and it does nothing. I don't see anything in the
>> log.
>> I tried REJECT_TCP="25" and it also does nothing. Once again I don't see
>> anything in the log.
>> I tried HOST_DENY_TCP="0/0~25" and it also does nothing. Also nothing in
>> the log appears.
>> I also tried LAN_INET_DENY_TCP="25" and, you guessed it, it does
>> nothing. Same with log information.
>> And I have them all activated at once but absolutely nothing is blocked
>> at all.
>>
>> I can block ports from outside to inside but nothing from inside to
>> outside is blocked, unless it is
>> on the Linux server directly.
>>
>> I can still telnet from my client to a server on port 25. All clients
>> have my Linux system
>> as the default gateway so it should do something.
>>
>>
>> P.s. The version I use is 1.9.2d
>>
>>
>> Dennis
>>
>> -----Original Message-----
>> From: firewall-bounces at rocky.eld.leidenuniv.nl
>> [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Lonnie
>> Abelbeck
>> Sent: dinsdag 2 maart 2010 14:27
>> To: Arno's IPTABLES firewall script
>> Subject: Re: [Firewall] Block SMTP traffic out
>>
>> Dennis,
>>
>> Ahhh, I didn't fully understand your wishes...
>>
>> LAN_INET_HOST_OPEN_TCP="internal_mail_server>external_mail_server~25"
>> LAN_INET_HOST_DENY_TCP="0/0>0/0~25"
>>
>> should block all outbound SMTP, except for your internal mail server to
>> your external relay mail server.
>>
>> Is this what you want?
>>
>> Lonnie
>>
>>
>> On Mar 2, 2010, at 3:31 AM, Dennis van der Meer wrote:
>>
>>> Hi Lonnie,
>>>
>>> I tried setting the 2 settings that you gave me but I am still able to
>>> connect to port 25 of our
>>> providers email server from my workstation. Access to port 25 to any
>>> system on the internet should be blocked for the entire
>>> LAN except for 1 system.
>>> Since I use NAT to forward all internal traffic to the outside, can this
>>> be the problem? Because when I log traffic I only
>>> see a message in the log when the Linux server forwards an email to our
>>> Exchange server (so on the server directly).
>>>
>>>
>>> P.s. I did do a reboot after the changes.
>>>
>>>
>>> Dennis
>>>
>>> -----Original Message-----
>>> From: firewall-bounces at rocky.eld.leidenuniv.nl
>>> [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Lonnie
>>> Abelbeck
>>> Sent: dinsdag 2 maart 2010 4:56
>>> To: Arno's IPTABLES firewall script
>>> Subject: Re: [Firewall] Block SMTP traffic out
>>>
>>> Dennis,
>>>
>>> You are on the right track, but try:
>>>
>>> LAN_INET_HOST_OPEN_TCP="0/0>ip_of_mail_server~25"
>>> LAN_INET_HOST_DENY_TCP="0/0>0/0~25"
>>>
>>> When testing, understand that established states are maintained when the
>>> firewall is 'restart'-ed, so a reboot might be in order to clear out any
>>> previous outbound TCP 25 states.
>>>
>>> Lonnie
>>>
>>>
>>> On Mar 1, 2010, at 8:12 AM, Dennis van der Meer wrote:
>>>
>>>> Hi,
>>>>
>>>> We are currently having a problem that more and more of our email is
>>>> being blocked since we are on
>>>> a spam list. Since we don't spam ourselves (and I am certain of it) I
>>>> think we have a spam bot running in
>>>> our network. Unfortunately the network is too large to scan each and
>>>> every computer for any spam bots
>>>> so I would like to do something else instead.
>>>> We have Outlook clients that connect to an Exchange server. The
>>>> Exchange server is the only server that
>>>> will send email out. All email traffic goes through a Linux gateway
>>>> that runs the Arno iptables firewall script.
>>>> So I was thinking of blocking port 25 and logging attempts for every
>>>> machine but the mail server.
>>>> I already tried to set this in the firewall script but somehow it is
>>>> not working as it should.
>>>> I tried setting the following already:
>>>>                LAN_INET_HOST_OPEN_TCP="ip_of_mail_server>0/0~25"
>>>>                LAN_INET_HOST_DENY_TCP="0/0>0/0~25"
>>>>
>>>> Can anyone tell me what to set in the config to accomplish what I
>>>> want?
>>>> Dennis
>>>>
>>>> _______________________________________________
>>>> Firewall mailing list
>>>> Firewall at rocky.eld.leidenuniv.nl
>>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>>> http://rocky.eld.leidenuniv.nl
>>>
>>>
>>
> 
> 
> ------------------------------------------------------------------------
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
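The thread turns on two things a practitioner would verify on the gateway itself: the order of rules in the FORWARD chain (the LAN clients are NATed, so their SMTP traffic never touches INPUT/OUTPUT) and conntrack keeping already-established TCP/25 sessions alive across a firewall restart, as Lonnie notes. The Python below is an added example, not code from the page or from Arno's script: it walks an `iptables -S FORWARD` listing with first-match semantics and reports the verdict and rule number for a LAN->INET SMTP connection from a given host. The listing is a constructed sample; the blanket ACCEPT for the trusted interface eth1 placed ahead of the port-25 rules is an assumption chosen to illustrate what to look for, not something the page confirms about this setup.

```python
import shlex, ipaddress

# Constructed `iptables -S FORWARD` listing (an assumption, not taken from the
# page): a blanket ACCEPT for the trusted LAN interface precedes the TCP/25 rules.
SAMPLE = """\
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.2.4/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 25 -j LOG --log-prefix "AIF:LAN->INET denied: "
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
"""
OPTS = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst",
        "-p": "proto", "--dport": "dport", "--ctstate": "state"}

def parse(text):
    """Return (chain policy, [(match options, target), ...]) from `iptables -S` lines."""
    policy, rules = "ACCEPT", []
    for tok in (shlex.split(line) for line in text.splitlines() if line.strip()):
        if tok[0] == "-P":
            policy = tok[2]
        else:
            match = {OPTS[t]: tok[i + 1] for i, t in enumerate(tok) if t in OPTS}
            rules.append((match, tok[tok.index("-j") + 1] if "-j" in tok else None))
    return policy, rules

def matches(match, pkt):
    """True if every match option of one rule is satisfied by the packet."""
    for key, want in match.items():
        if key in ("src", "dst"):
            ok = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        else:  # ctstate lists are comma-separated; other options are single values
            ok = str(pkt[key]) in want.split(",")
        if not ok:
            return False
    return True

def verdict(text, pkt):
    """First-match walk of the chain; LOG does not terminate, just as in iptables."""
    policy, rules = parse(text)
    for n, (match, target) in enumerate(rules, 1):
        if matches(match, pkt) and target in ("ACCEPT", "DROP", "REJECT"):
            return target, n
    return policy, 0  # fell through to the chain policy

def smtp_egress(text, src, state="NEW"):
    """Verdict for a LAN->INET TCP/25 connection from `src` (dst is a constructed address)."""
    return verdict(text, {"in": "eth1", "out": "eth0", "src": src, "dst": "203.0.113.25",
                          "proto": "tcp", "dport": 25, "state": state})
```

Feed the real output of `iptables -S FORWARD` to smtp_egress() in place of SAMPLE; if the mail server and an ordinary client both come back ACCEPT from the same rule number, that earlier rule is what needs attention, and with state="ESTABLISHED" the conntrack rule shows why old sessions survive a restart.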

