[Firewall] Block SMTP traffic out

Dennis van der Meer iptables at greenchem-adblue.com
Wed Mar 3 15:34:33 CET 2010


Hi,

What I mean by not working is that nothing is blocked internally.
So, even if I would block port 25 for the whole LAN I can still connect
to it by using an internal host and for example use: telnet mailserver
25 to connect to my mail provider

I use one plugin since I have several countries that connect via ipsec
vpn to my Linux server to use several services:
	ipsec-vpn.conf

If I don't include this plugin then the vpn clients will have problems
accessing several services in my internal LAN.
Just to be complete I have included this plugin in this email.

I never had problems blocking external (internet interface) hosts from
connecting to my LAN but as far as I can remember it has never been
possible for me to block LAN access to certain internet hosts/services.
I always thought this to be a configuration problem on my end and didn't
bother with it too much since I had no real need for it anyway. But now
with the disruption of our email services I want to set things a little
bit tighter and now it has become more of a problem.


Dennis

-----Original Message-----
From: firewall-bounces at rocky.eld.leidenuniv.nl
[mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Arno van
Amersfoort
Sent: woensdag 3 maart 2010 15:17
To: Arno's IPTABLES firewall script
Subject: Re: [Firewall] Block SMTP traffic out

Weird: Just tested it here with 1.9.2j and this just works and I don't
recall any relevant changes between 1.9.2j and 1.9.2d that may explain
this. What do you "exactly" mean by not working?: Your mailserver not
being able to connect to an outside host on port 25, or your other
internal hosts still being able to access port 25 on external hosts?

a.

Dennis van der Meer wrote:
> root at linuxserver:/etc/arno-iptables-firewall# /usr/local/sbin/arno-iptables-firewall start
> Arno's Iptables Firewall Script v1.9.2d
> -------------------------------------------------------------------------------
> Sanity checks passed...OK
> Checking/probing IPv4 Iptables modules:
>  Module check done...
> Setting the kernel ring buffer to only log panic messages to the console
> Setup kernel settings:
>  Setting the max. amount of simultaneous connections to 16384
>  Setting default conntrack timeouts
>  Enabling protection against source routed packets
>  Enabling packet forwarding
>  Enabling reduction of the DoS'ing ability
>  Enabling anti-spoof with rp_filter
>  Enabling SYN-flood protection via SYN-cookies
>  Disabling the logging of martians
>  Disabling the acception of ICMP-redirect messages
>  Setting default TTL=64
>  Disabling ECN (Explicit Congestion Notification)
>  Flushing route table
>  Kernel setup done...
> Initializing firewall chains
>  Setting default INPUT/FORWARD policy to DROP
> (Re)loading list of BLOCKED hosts from /etc/arno-iptables-firewall/blocked-hosts...
>  1 line(s) read. 1 host(s) blocked.
> Using loglevel "info" for syslogd
> 
> Setting up firewall rules:
> -------------------------------------------------------------------------------
> Enabling setting the maximum packet size via MSS
> Enabling mangling TOS
> Logging of stealth scans (nmap probes etc.) enabled
> Logging of packets with bad TCP-flags enabled
> Logging of INVALID TCP packets disabled
> Logging of INVALID UDP packets disabled
> Logging of INVALID ICMP packets disabled
> Logging of fragmented packets enabled
> Logging of access from reserved addresses enabled
> Setting up (antispoof) INTERNAL net(s): 192.168.2.0/24 172.16.0.0/24
> Logging outgoing TCP port(s): 25
> Reading custom rules from /etc/arno-iptables-firewall/custom-rules
> Checking for (user) plugins in /usr/local/share/arno-iptables-firewall/plugins...
>  IPsec VPN plugin v0.70BETA
>   Allowing internet hosts 0/0 to access the VPN service
>  Loaded 1 plugin(s)...
> Setting up INPUT policy for the external net (INET):
>  Logging of explicitly blocked hosts enabled
>  Logging of denied local output connections enabled
>  Denying ANYHOST for TCP port(s) (NO LOG): 113
>  Packets will NOT be checked for private source addresses
>  (92.64.243.27) Allowing ANYHOST for TCP port(s): 80
>  (eth0) Allowing ANYHOST for TCP port(s): 1723,5500
>  (92.64.243.26) Allowing ANYHOST for UDP port(s): 500,4500
>  Allowing ANYHOST for IP protocol(s): 47,50,51
>  Allowing ANYHOST to send ICMP-requests(ping)
>  Logging of dropped ICMP-request(ping) packets enabled
>  Logging of dropped other ICMP packets enabled
>  Logging of possible stealth scans enabled
>  Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
>  Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
>  Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
>  Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
>  Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
>  Logging of ICMP flooding enabled
> Setting up OUTPUT policy for the external net (INET):
>  Allowing all (other) ports/protocols
> Applying INET policy to external interface: eth0 (without an external subnet specified)
> Setting up INPUT policy for internal (LAN) interface(s): eth1
>  Allowing ICMP-requests(ping)
>  Allowing all (other) ports/protocols
> Accepting ALL INPUT traffic from trusted interface(s): eth1
> Accepting ALL FORWARD traffic for trusted interface(s): eth1
> Setting up trust FORWARD policy for interface(s): eth1
> Setting up FORWARD policy for internal (LAN) interface(s): eth1
>  Logging of denied LAN->INET FORWARD connections enabled
>  Setting up LAN->INET policy:
>   Allowing 192.168.2.4(LAN) to 0/0(INET) for TCP port(s): 25
>   Denying 0/0(LAN) to 0/0(INET) for TCP port(s): 25
>   Allowing ICMP-requests(ping)
>   Denying TCP port(s): 25
>   Allowing all (other) TCP ports
>   Allowing all (other) UDP ports
>   Allowing all (other) protocols
> Enabling masquerading(NAT) via external interface(s): eth0
>  Adding (internal) host(s): 192.168.2.0/24 172.16.0.0/24
> (eth0) (92.64.243.26) Forwarding(NAT) TCP port(s) 0/0:443,1110 to 192.168.2.4
> Security is ENFORCED for external interface(s) in the FORWARD chain
> 
> Mar 03 14:38:07 All firewall rules applied.
> 
> -----Original Message-----
> From: firewall-bounces at rocky.eld.leidenuniv.nl
> [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Arno 
> van Amersfoort
> Sent: woensdag 3 maart 2010 14:20
> To: Arno's IPTABLES firewall script
> Subject: Re: [Firewall] Block SMTP traffic out
> 
> Weird, looks all ok. What's the output of 
> /usr/local/sbin/arno-iptables-firewall start ?
> 
> 
> Dennis van der Meer wrote:
>> Sorry, but it doesn't work. I have added my firewall.conf because maybe
>> something is overriding the settings.
>>
>>
>> Dennis
>>
>> -----Original Message-----
>> From: firewall-bounces at rocky.eld.leidenuniv.nl
>> [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Arno van
>> Amersfoort
>> Sent: woensdag 3 maart 2010 12:47
>> To: Arno's IPTABLES firewall script
>> Subject: Re: [Firewall] Block SMTP traffic out
>>
>> What you probably want is:
>>
>> LAN_INET_DENY_TCP="25"
>> LAN_INET_HOST_OPEN_TCP="mailserver_lan_ip>0/0~25"
>>
>> That should do it. It simply blocks all TCP port 25 traffic but since
>> the HOST_OPEN rules overrule the DENY_TCP rule it will create an
>> exception for your mailserver....
>>
>> a.
>>
>> Dennis van der Meer wrote:
>>> Hi Lonnie,
>>>
>>> This unfortunately does nothing.
>>> I tried DENY_TCP="25" and it does nothing. I don't see anything in the
>>> log.
>>> I tried REJECT_TCP="25" and it also does nothing. Once again I don't see
>>> anything in the log.
>>> I tried HOST_DENY_TCP="0/0~25" and it also does nothing. Also nothing in
>>> the log appears.
>>> I also tried LAN_INET_DENY_TCP="25" and, you guessed it, it does
>>> nothing. Same with log information.
>>> And I have them all activated at once but absolutely nothing is blocked
>>> at all.
>>>
>>> I can block ports from outside to inside but nothing from inside to 
>>> outside is blocked, unless it is on the Linux server directly.
>>>
>>> I can still telnet from my client to a server on port 25. All 
>>> clients have my Linux system as the default gateway so it should do 
>>> something.
>>>
>>>
>>> P.s. The version I use is 1.9.2d
>>>
>>>
>>> Dennis
>>>
>>> -----Original Message-----
>>> From: firewall-bounces at rocky.eld.leidenuniv.nl
>>> [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of 
>>> Lonnie Abelbeck
>>> Sent: dinsdag 2 maart 2010 14:27
>>> To: Arno's IPTABLES firewall script
>>> Subject: Re: [Firewall] Block SMTP traffic out
>>>
>>> Dennis,
>>>
>>> Ahhh, I didn't fully understand your wishes...
>>>
>>>
>>> LAN_INET_HOST_OPEN_TCP="internal_mail_server>external_mail_server~25"
>>> LAN_INET_HOST_DENY_TCP="0/0>0/0~25"
>>>
>>> should block all outbound SMTP, except for your internal mail server to
>>> your external relay mail server.
>>>
>>> Is this what you want?
>>>
>>> Lonnie
>>>
>>>
>>> On Mar 2, 2010, at 3:31 AM, Dennis van der Meer wrote:
>>>
>>>> Hi Lonnie,
>>>>
>>>> I tried setting the 2 settings that you gave me but I am still able to
>>>> connect to port 25 of our provider's email server from my workstation.
>>>> Access to port 25 to any system on the internet should be blocked for
>>>> the entire LAN except for 1 system.
>>>> Since I use NAT to forward all internal traffic to the outside, can this
>>>> be the problem? Because when I log traffic I only see a message in
>>>> the log when the Linux server forwards an email to our
>>>> Exchange server (so on the server directly).
>>>>
>>>>
>>>> P.s. I did do a reboot after the changes.
>>>>
>>>>
>>>> Dennis
>>>>
>>>> -----Original Message-----
>>>> From: firewall-bounces at rocky.eld.leidenuniv.nl
>>>> [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Lonnie
>>>> Abelbeck
>>>> Sent: dinsdag 2 maart 2010 4:56
>>>> To: Arno's IPTABLES firewall script
>>>> Subject: Re: [Firewall] Block SMTP traffic out
>>>>
>>>> Dennis,
>>>>
>>>> You are on the right track, but try:
>>>>
>>>> LAN_INET_HOST_OPEN_TCP="0/0>ip_of_mail_server~25"
>>>> LAN_INET_HOST_DENY_TCP="0/0>0/0~25"
>>>>
>>>> When testing, understand that established states are maintained when
>>>> the firewall is 'restart'-ed, so a reboot might be in order to clear
>>>> out any previous outbound TCP 25 states.
>>>>
>>>> Lonnie
>>>>
>>>>
>>>> On Mar 1, 2010, at 8:12 AM, Dennis van der Meer wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We are currently having a problem that more and more of our email is
>>>>> being blocked since we are on a spam list. Since we don't spam
>>>>> ourselves (and I am certain of it) I think we have a spam bot running
>>>>> in our network. Unfortunately the network is too large to scan each
>>>>> and every computer for any spam bots so I would like to do something
>>>>> else instead.
>>>>> We have Outlook clients that connect to an Exchange server. The
>>>>> Exchange server is the only server that will send email out. All
>>>>> email traffic goes through a Linux gateway that runs the Arno iptables
>>>>> firewall script.
>>>>> So I was thinking of blocking port 25 and logging attempts for every
>>>>> machine but the mail server.
>>>>> I already tried to set this in the firewall script but somehow it is
>>>>> not working as it should.
>>>>> I tried setting the following already:
>>>>>                LAN_INET_HOST_OPEN_TCP="ip_of_mail_server>0/0~25"
>>>>>                LAN_INET_HOST_DENY_TCP="0/0>0/0~25"
>>>>>
>>>>> Can anyone tell me what to set in the config to accomplish what I
>>>>> want?
>>>>> Dennis
>>>>>
>>>>> _______________________________________________
>>>>> Firewall mailing list
>>>>> Firewall at rocky.eld.leidenuniv.nl
>>>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>>>> http://rocky.eld.leidenuniv.nl
>>>>
>>>>
>>>
>>
>>
> 

--
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec-vpn.conf
Type: application/octet-stream
Size: 1067 bytes
Desc: ipsec-vpn.conf
URL: <http://rocky.eld.leidenuniv.nl/pipermail/firewall/attachments/20100303/34684d0c/attachment-0001.obj>
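The quoted run output prints "Accepting ALL FORWARD traffic for trusted interface(s): eth1" before the LAN->INET policy. As an added example (not from the thread or from the firewall script), the first-match model of the FORWARD chain below shows that if rules are installed in that order, the port 25 deny is never reached for any LAN host, which matches the symptom described; the install-order assumption, the workstation address 192.168.2.50 and the stand-in provider address 203.0.113.25 are constructed for this example.

```python
import ipaddress

# Minimal first-match model of an iptables FORWARD chain (constructed for this example).
# A field set to None matches anything; the first matching rule decides, as in iptables.
def rule(target, in_if=None, out_if=None, src=None, dst=None, dport=None):
    return {"target": target, "in_if": in_if, "out_if": out_if,
            "src": ipaddress.ip_network(src) if src else None,
            "dst": ipaddress.ip_network(dst) if dst else None,
            "dport": dport}

def matches(r, pkt):
    return ((r["in_if"] is None or r["in_if"] == pkt["in_if"])
            and (r["out_if"] is None or r["out_if"] == pkt["out_if"])
            and (r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"])
            and (r["dst"] is None or ipaddress.ip_address(pkt["dst"]) in r["dst"])
            and (r["dport"] is None or r["dport"] == pkt["dport"]))

def verdict(chain, pkt, policy="DROP"):
    """Walk the chain top-down; return the first matching target, else the chain policy."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

# The LAN->INET policy as the script printed it in the thread (TCP only, eth1 -> eth0).
LAN_INET_POLICY = [
    rule("ACCEPT", "eth1", "eth0", src="192.168.2.4/32", dport=25),  # HOST_OPEN exception for the mail server
    rule("DROP",   "eth1", "eth0", dport=25),                        # LAN_INET_DENY_TCP="25"
    rule("ACCEPT", "eth1", "eth0"),                                  # "Allowing all (other) TCP ports"
]
# Printed earlier in the same run: "Accepting ALL FORWARD traffic for trusted interface(s): eth1".
TRUSTED_IF_ACCEPT = rule("ACCEPT", in_if="eth1")

AS_PRINTED = [TRUSTED_IF_ACCEPT] + LAN_INET_POLICY  # assumption: install order == print order
WITHOUT_TRUST = LAN_INET_POLICY                     # same policy with eth1 not trusted

def smtp_forward(src, dst="203.0.113.25", dport=25):
    """Constructed LAN->INET packet; 203.0.113.25 is a documentation-range stand-in for a provider's MX."""
    return {"in_if": "eth1", "out_if": "eth0", "src": src, "dst": dst, "dport": dport}

if __name__ == "__main__":
    for name, chain in (("as printed", AS_PRINTED), ("eth1 not trusted", WITHOUT_TRUST)):
        print(name, "| workstation->25:", verdict(chain, smtp_forward("192.168.2.50")),
              "| mailserver->25:", verdict(chain, smtp_forward("192.168.2.4")),
              "| workstation->443:", verdict(chain, smtp_forward("192.168.2.50", dport=443)))
```

Lonnie's conntrack remark applies on top of this ordering: an ESTABLISHED accept evaluated before these rules keeps an already-open port 25 session alive until its state is cleared, so a test must use a fresh connection.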

