HighTechGeek asked:

Windows SBS2003 NAT & Firewall config: outbound SMTP filter

Windows Small Business Server 2003 SP2
Set up as a mail server with a static IP address, 2 NICs, NAT and firewall

My new mail server is being blacklisted.

Spamhaus says it's because I have a client PC infected with a spam bot. I can see from the NAT Session Mapping Table which client PC is the problem, but they say I "must configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers".

I need help doing that.

From "Routing and Remote Access", I can open my SERVER, go to "IP Routing" and see "NAT/Basic Firewall"

This lists my interfaces.

Right-clicking on my external interface and choosing "Show Mappings", I can see that one of my client PC's Private Address 192.168.1.14 is using TCP Outbound Remote Port 25 excessively. I want to block this for all clients (and then I'll fix the issue on the client PC!)

When I go to the "Properties" of my external interface, it is set up as a "Public Interface connected to the Internet". Both "Enable NAT" and "Enable a basic firewall" are checked.

I assume I need to set up an "Outbound Filter", but when I do and try to add a new filter, I have to enter a source IP and Subnet Mask, a destination IP and Subnet Mask and a protocol. The protocol would be port 25. When I try to enter 192.168.1.14 and 255.255.255.0 for the source, I get a message "The IP address and the subnet mask entered are not compatible. Confirm that both values are correct before continuing."

Help.

Thanks,
Dan

ASKER CERTIFIED SOLUTION
BBRazz

This solution is only available to members.

ASKER

I will try that!

What Destination Network IP/subnet do I enter?

I really want it to be "Any" or "All".

If I don't check the "Destination Network" will this accomplish that?
Do I need to enter 0.0.0.0/0.0.0.0 or something like that?

I think what I want to do is block port 25 from my client's computer to all outside addresses.

For General Routing 0.0.0.0/0.0.0.0 should do

OK. The 255.255.255.255 worked.

By not checking Destination Network, it set it to ANY
By not entering a source port, it set it to ANY and then when I edit it, it says source port = 0 (this is okay, I think).

So now I have the following:
Protocol: TCP
Source Port or Type: Any
Destination Port or Code: 25

However, when I went back to the "Show Mappings", the terminology is different:
"Private Address" and "Private Port"
"Public Address" and "Public Port"
"Remote Address" and "Remote Port"

It's the Remote Port that is always 25
and the Private Address is always my client's internal IP
and the Public Address is always my server's external IP

The Private Port and Public Port are different in each session listed

So did I configure it correctly to accomplish what I want?

Would "source port" in the filter be "private port" in the Mappings log?
Would "destination port" in the filter be the "remote port" in the Mappings log? Or would it be the "public port"?

I guess I can wait and see if the log stops filling up with entries, but I also need to check that I didn't screw up this client PC's ability to send email through the server.
Thanks for the help so far, BBRazz! I have to go onsite this afternoon and check out the results of my tinkering. I will report back later...

Oh, I also need to get that spam bot off the client! lol :-)

It appears that it is all the right way round!

Go to site and give it a try!!

Thanks for the help, BBRazz. I would have liked to have had more specifics concerning the configuration boxes, but I'm not sure if you're a Small Business Server expert or just a general networking expert... regardless, you got me through! I still need to figure out how to monitor the traffic to ensure that the client's issue has been resolved. The virus kept re-infecting the PC, but I think I got it nailed. I would like to put a general rule on the server to block all clients from using port 25. Thanks.
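
An added example, not part of the original thread: a Python sketch of the two checks discussed above, namely why 192.168.1.14 with 255.255.255.0 is rejected as a filter source while 255.255.255.255 is accepted, and how to spot clients still opening outbound port 25 sessions in the NAT mappings. It assumes the dialog rejects a pair when the address has bits set outside the mask, and that the "Show Mappings" rows have been copied into CSV with the hypothetical column names used here; the sample rows, the public and remote addresses, and the mail server address 192.168.1.2 are constructed.

```python
import csv
import io
import ipaddress
from collections import Counter

def mask_compatible(address: str, mask: str) -> bool:
    """True when the address has no bits set outside the mask
    (assumed meaning of the 'not compatible' message in the filter dialog)."""
    addr = int(ipaddress.IPv4Address(address))
    net = int(ipaddress.IPv4Address(mask))
    return (addr & ~net & 0xFFFFFFFF) == 0

def smtp_offenders(mappings_csv: str, mail_servers: set) -> Counter:
    """Count outbound TCP sessions to remote port 25 per private address,
    skipping hosts that are allowed to send mail directly."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(mappings_csv)):
        if (row["Protocol"] == "TCP" and row["Direction"] == "Outbound"
                and row["RemotePort"] == "25"
                and row["PrivateAddress"] not in mail_servers):
            hits[row["PrivateAddress"]] += 1
    return hits

# Constructed sample rows; column names are hypothetical stand-ins for the
# Private/Public/Remote Address and Port columns of "Show Mappings".
SAMPLE = """Protocol,Direction,PrivateAddress,PrivatePort,PublicAddress,PublicPort,RemoteAddress,RemotePort
TCP,Outbound,192.168.1.14,1841,203.0.113.10,61001,198.51.100.25,25
TCP,Outbound,192.168.1.14,1842,203.0.113.10,61002,198.51.100.77,25
TCP,Outbound,192.168.1.20,2210,203.0.113.10,61003,198.51.100.80,80
TCP,Outbound,192.168.1.2,3055,203.0.113.10,61004,198.51.100.25,25
"""

if __name__ == "__main__":
    pairs = [("192.168.1.14", "255.255.255.0"),    # host bits set: rejected
             ("192.168.1.14", "255.255.255.255"),  # single host: accepted
             ("192.168.1.0", "255.255.255.0"),     # whole client subnet
             ("0.0.0.0", "0.0.0.0")]               # any address
    for ip, mask in pairs:
        verdict = "accepted" if mask_compatible(ip, mask) else "rejected"
        print(f"{ip} / {mask}: {verdict}")
    # Any address listed here is still reaching remote port 25 through NAT.
    for host, count in smtp_offenders(SAMPLE, {"192.168.1.2"}).items():
        print(f"{host}: {count} outbound SMTP session(s)")
```

An empty result from `smtp_offenders` after the filter is in place is the sign that client sessions to remote port 25 are no longer being mapped.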