Asked by Lynton Jennings (South Africa):
How to Block Port 25 on entire LAN except my Mail-Server using IPCop v 1.4.21

Hi,

I have IPCop v1.4.21 and I am trying to block all port 25 traffic on my green interface except for my mail server's IP address. I have looked up a few sites on the web so far and I have added the following into my /etc/rc.d/rc.firewall.local file (edited with vi):

   ## add your 'start' rules here
   # (these lines belong inside the start) branch of the script)
   # allow smtp from the permitted host
   /sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s x.x.x.x --dport 25 -j ACCEPT
   /sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s x.x.x.x --dport 465 -j ACCEPT
   # log stuff that is not the mail server
   # ("! -s" is the portable negation form; "-s !" is the old intrapositional
   # syntax that newer iptables releases warn about or reject)
   /sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 ! -s y.y.y.y --dport 25 -j LOG --log-prefix "SMTP"
   /sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 ! -s y.y.y.y --dport 465 -j LOG --log-prefix "SMTP-SSL"
   # block all other outgoing SMTP traffic
   /sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 ! -s y.y.y.y --dport 25 -j REJECT
   /sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 ! -s y.y.y.y --dport 465 -j REJECT

x.x.x.x is the IP address I would like to ALLOW access, and y.y.y.y is my MAIL-SERVER.

This, however, doesn't seem to be working.
Can anyone help me? What should I do next? How do I ensure that the changes I have made to this file actually take effect on boot?

Thanks in advance
ASKER CERTIFIED SOLUTION: Lynton Jennings (solution text not available on this page)

Novensiles:

What exactly is not working? You seem to be doing two sets of rules - firstly to allow smtp out from x.x.x.x, then later deny smtp from everyone except y.y.y.y.

Does x.x.x.x send email properly?

Why not write specific allow rules for both servers you want to give SMTP access to, then deny all SMTP afterwards?

That said, in isolation your rules look like they should work. Are you creating the CUSTOMFORWARD chain earlier in the rules?

'/sbin/iptables -N CUSTOMFORWARD' before any rule references the CUSTOMFORWARD chain.

If it's not that, provide more details about which rules work and which don't, i.e. do the log rules get triggered?
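Below is an added example (not the thread's file, and not IPCop project code) of an rc.firewall.local written the way Novensiles suggests: explicit ACCEPT rules for both hosts first, then one LOG and one REJECT for everything else arriving on green. It uses the start/stop/reload layout implied by the "## add your 'start' rules here" marker and by the "start" argument used later in the thread. Assumed: green is eth0, nothing else appends to CUSTOMFORWARD (so stop can flush it), the chain already exists (so there is no -N), and the two addresses are placeholders for the asker's x.x.x.x and y.y.y.y. Every rule goes through $IPTABLES so the whole set can be previewed with IPTABLES=echo before it is ever loaded.

```shell
#!/bin/sh
# Added example: /etc/rc.d/rc.firewall.local for IPCop 1.4 (not the thread's file).
# Assumptions: green is eth0; only this script appends to CUSTOMFORWARD;
# the chain already exists; the two addresses are placeholders for x.x.x.x / y.y.y.y.
IPTABLES="${IPTABLES:-/sbin/iptables}"
GREEN_IF="eth0"
MAIL_SERVER="192.168.1.10"      # placeholder for y.y.y.y (the mail server)
EXTRA_HOST="192.168.1.20"       # placeholder for x.x.x.x (the one other PC)
SMTP_PORTS="25 465"

# Allow both hosts explicitly, then log and reject everyone else on green.
# Order matters: ACCEPT terminates, so the permitted hosts never reach LOG/REJECT.
smtp_start() {
    for port in $SMTP_PORTS; do
        for host in $MAIL_SERVER $EXTRA_HOST; do
            $IPTABLES -A CUSTOMFORWARD -i "$GREEN_IF" -p tcp -s "$host" --dport "$port" -j ACCEPT
        done
        $IPTABLES -A CUSTOMFORWARD -i "$GREEN_IF" -p tcp --dport "$port" \
            -j LOG --log-prefix "SMTP-BLOCK:"
        # tcp-reset makes a misconfigured client fail immediately instead of
        # retrying against an ICMP port-unreachable
        $IPTABLES -A CUSTOMFORWARD -i "$GREEN_IF" -p tcp --dport "$port" \
            -j REJECT --reject-with tcp-reset
    done
}

# Flushing on stop keeps reload idempotent: a script that only appends
# installs a second copy of every rule each time it is run again.
smtp_stop() {
    $IPTABLES -F CUSTOMFORWARD
}

# Number of rules a start installs, computed without touching the kernel;
# twice this many lines in "iptables -L CUSTOMFORWARD -n" means a double run.
smtp_rule_count() {
    ( IPTABLES=echo; smtp_start ) | wc -l | tr -d ' '
}

case "${1:-}" in
    start)  smtp_start ;;
    stop)   smtp_stop ;;
    reload) smtp_stop; smtp_start ;;
    *)      echo "Usage: $0 {start|stop|reload}" >&2 ;;
esac
```

Preview the rule set with IPTABLES=echo sh /etc/rc.d/rc.firewall.local start, then after a reboot compare iptables -L CUSTOMFORWARD -n against smtp_rule_count: an empty chain means the script never ran, and twice the count means it ran twice.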

Lynton Jennings (asker):

I am trying to allow port 25 access only to my MAIL-SERVER and ONE other PC on my LAN.

I put that code into /etc/rc.d/rc.firewall.local and rebooted and it does nothing.

I then came across a website explaining how to use iptables. So now I have added all the lines I need directly into iptables. This sorts out all my problems; however, whenever I reboot the IPCop machine, it flushes iptables back to its original settings and all my CUSTOMFORWARD entries are removed.

How do I save all my CUSTOMFORWARD entries so that when the machine reboots it keeps them?

Regards
Lynton

Lynton Jennings (asker):

AH! I am not doing the following as you suggested:
  '/sbin/iptables -N CUSTOMFORWARD' before any rule references the CUSTOMFORWARD chain.

I'll give that a quick bash and see. I am extremely new to this. :)

Thank you!

Lynton Jennings (asker):

I edited the file using vi. I added '/sbin/iptables -N CUSTOMFORWARD' before the rule that referenced the CUSTOMFORWARD chain, saved it and rebooted the machine, then tested one of the other PCs on the LAN, but it still has access to port 25.

I then ran iptables --list and there were no rules defined under the CUSTOMFORWARD section. What am I doing wrong?

Novensiles:

Does it empty /etc/rc.d/rc.firewall.local on each reboot, or does it simply not run the script?

If you insert the rules into a running iptables and they work, run iptables-save to save a script of your active rules. Save it as rc.firewall and see how you go.

Lynton Jennings (asker):

It doesn't empty the rc.firewall.local file. On reboot it would seem that the script (as pasted in the original message above) just doesn't run. (After a reboot I can edit the rc.firewall.local file and all my goodies are in there, but it just doesn't seem to take effect.)

The iptables-save command would probably be the answer; however, in IPCop the developers did not include this function. I have tried saving it for the past 10 hours and no luck. I am sitting here at my office now on Saturday morning battling with this again.

When I append strings to the CUSTOMFORWARD chain in iptables and I run iptables --list I can physically see my changes, and everything works perfectly until the next reboot. It would seem that the rc.firewall.local file is just not initiating or something. I have no idea how the rc.firewall.local file works.

Is there any other way to save the iptables rules other than the iptables-save command?

I'm lost, and my time is running dry too :(

Lynton Jennings (asker):

I just noticed something while booting up the IPCop machine; I looked to see what's happening on the screen at the time. When it gets to the section that says running /etc/rc.d/rc.firewall.local, the next line says something along the lines of "no such file or directory". Could this have anything to do with the problem? A little further down the screen it then started what would seem to be the WLAN connection and also had a "no such file or directory" message.

I'm lost.
Novensiles:

Okay, we're out of iptables territory and into Linux startup script territory. Firstly, confirm /etc/rc.d/rc.firewall.local is spelt correctly and in the right place. Once booted up, try to run it manually ('sh /etc/rc.d/rc.firewall.local') and see if that gives any errors. If it does, post your entire rc.firewall.local script and we'll see if it has a typo or other error.

Lynton Jennings (asker):

Hi, thanks.

Where do I check if it is spelt correctly? In the directory or somewhere else?
How do I "copy" the contents of the file to paste here?

Thanks :)

Lynton Jennings (asker):

Okay, we seem to be getting somewhere.

Here's what I did:
I rebooted the machine and then ran "iptables --list" and the CUSTOMFORWARD chain was empty. I then typed "sh /etc/rc.d/rc.firewall.local start" as you instructed me to test, ran "iptables --list" again and "poof", the CUSTOMFORWARD chain contains the lines I need.

So that means that for some reason, when the machine is booting up, it is not firing up that rc.firewall.local script.

Where to now? Is there some sort of boot-up script that I can check to see why it is not running?

Regards
Lynton
Novensiles:

When you said you got "something along the lines of no such file or directory" on bootup, what is the full and complete message? Your problem almost certainly lies there.

Lynton Jennings (asker):

When booting it runs through all that stuff so quickly, I can't see it that well, and I don't know if one can pause at that exact time.

What I did a few moments ago is take another PC and install IPCop onto it, then simply go into the rc.firewall.local file and add my entries, then reboot and go directly to the iptables --list screen, and all my settings were there in the CUSTOMFORWARD chain. However, it is just not the case on my "live" machine. So the problem has definitely been identified: the rc.firewall.local file on my machine is not starting up properly when booting. Should I maybe copy the rc.firewall.local file from the other test machine to my live machine and test that? If so, how do I copy a file from one PC to another in IPCop/Linux?

Thanks
Novensiles:

scp is the method to copy; if you are a Windows man, google WinSCP. But I'd be more inclined to see why your live IPCop has an issue: confirm /etc/rc.d/rc.firewall.local is named correctly, is executable (chmod +x /etc/rc.d/rc.firewall.local) and has the right permissions (chmod 775 /etc/rc.d/rc.firewall.local).

Lynton Jennings (asker):

Hi,

I have checked that the file is named correctly; it is /etc/rc.d/rc.firewall.local.

I have also run chmod +x /etc/rc.d/rc.firewall.local and it just returned to the next line,
then I ran chmod 775 /etc/rc.d/rc.firewall.local and it did the same thing!

Can you be a bit more specific about the executable part and the permissions part?
We know the file works because I ran it the other day by typing "sh /etc/rc.d/rc.firewall.local start".

Is there maybe another file that requests this rc.firewall.local file to run?

Lynton Jennings (asker):

Hi, what I have just done now is this: I read on a website about all the files that run when the system boots, so I went into the /etc/rc.d/rc.local file and I added the command "sh /etc/rc.d/rc.firewall.local start",

and that seems to have sorted out my problems; however, I don't believe this is the correct way to solve this problem.

There are some other things listed in the rc.firewall.local file other than my custom forward chains. These other things did not load either until I had "forced" the script to run.
Again, this means that when the system boots up, it is not firing up anything inside the rc.firewall.local file.

Any thoughts?

Lynton Jennings (asker):

Hi Novensiles,

I think I found the problem. At the top of the file rc.firewall.local:
"#!/bin/sh" was "#!/bin/s"; it was missing the "h" at the end. VERY WEIRD. I must have deleted the "h" somehow when I was still figuring out how the vi editor works. Sorry for that; however, it has now uncovered another problem. When I run iptables --list, underneath the CUSTOMFORWARD chain all my entries are now duplicated (only the CUSTOMFORWARD chain). What could cause this?

I have since decided to remove all my lines from the rc.firewall.local file and I have put them straight into the rc.local file, and now everything seems to be fine. Is there a problem with having these lines directly in the rc.local file?

Kindest regards
Lynton
Novensiles:

Sounds like some brokenness has been going on :) Nothing wrong with putting the firewall rules in rc.local; it's just a tad messy. But if it works for you, who cares about that?
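A small pre-flight checker, added here as an example rather than anything from the thread or from IPCop, that catches the three things this thread turned up before a reboot is wasted on them: the file not being executable, a first line naming an interpreter that does not exist (the "#!/bin/s" typo is exactly what produces "No such file or directory" when the boot sequence tries to exec the script), and a syntax error, found with sh -n, which parses without executing. make_demo_script builds throwaway files in a temporary directory so the check can be exercised offline; those are constructed inputs, not real IPCop files.

```shell
#!/bin/sh
# Added example (not from the thread): why an rc.d script silently does nothing at boot.
# Reproduces the thread's failure (#!/bin/s instead of #!/bin/sh) on a constructed file.

# Print the interpreter named on the script's first line, or nothing if there is no #! line.
script_interpreter() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Return 0 if the boot sequence could exec the script: it exists, the executable
# bit is set, it has a #! line, the interpreter it names exists, and it parses.
# Prints one diagnostic line for the first problem found.
check_rc_script() {
    script="$1"
    if [ ! -f "$script" ]; then
        echo "missing: $script"; return 1
    fi
    if [ ! -x "$script" ]; then
        echo "not executable: $script (chmod 755 $script)"; return 1
    fi
    interp=$(script_interpreter "$script")
    if [ -z "$interp" ]; then
        echo "no #! line: $script"; return 1
    fi
    if [ ! -x "$interp" ]; then
        # This is the "no such file or directory" seen on the IPCop console.
        echo "bad interpreter '$interp' in $script: No such file or directory"; return 1
    fi
    # sh -n parses the script without running it; a typo here aborts the real run half way.
    if ! sh -n "$script" 2>/dev/null; then
        echo "syntax error: $script (run: sh -n $script)"; return 1
    fi
    echo "ok: $script"
    return 0
}

# Constructed input for the demonstration: a minimal start/stop script with the
# given first line. Not a real IPCop rc.firewall.local.
make_demo_script() {
    path="$1"; shebang="$2"
    printf '%s\n' "$shebang" 'case "$1" in start) echo start;; esac' > "$path"
    chmod 755 "$path"
}

# Run the checker against a bad and a good copy in a temporary directory.
demo() {
    dir=$(mktemp -d)
    make_demo_script "$dir/rc.firewall.local.bad" '#!/bin/s'
    make_demo_script "$dir/rc.firewall.local.good" '#!/bin/sh'
    check_rc_script "$dir/rc.firewall.local.bad"
    check_rc_script "$dir/rc.firewall.local.good"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

On a live box the call is simply check_rc_script /etc/rc.d/rc.firewall.local; run it after every edit of the file, since one dropped character in the first line is enough to turn the whole script into a no-op at boot while "sh /etc/rc.d/rc.firewall.local start" still works by hand, because sh ignores the #! line.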