Solved

How to Block Port 25 on entire LAN except my Mail-Server using IPCop v 1.4.21

Posted on 2008-10-24
18
1,158 Views
Last Modified: 2012-05-05
Hi,

I have IPCop v1.4.21 and I am trying to block all port 25 traffic on my green interface except for my Mail-Server's IP Address. I have looked up a few sites on the web so far and I have added the following into my /etc/rc.d/rc.firewall.local file (edited with vi):

## add your 'start' rules here
# allow smtp from some allowed ips
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s x.x.x.x --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s x.x.x.x --dport 465 -j ACCEPT
# log stuff that is not the mail server
# ("! -s" is the negation form current iptables accepts; the older "-s !" form was removed)
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 ! -s y.y.y.y --dport 25 -j LOG --log-prefix "SMTP"
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 ! -s y.y.y.y --dport 465 -j LOG --log-prefix "SMTP-SSL"
# block all other outgoing SMTP traffic
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 ! -s y.y.y.y --dport 25 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 ! -s y.y.y.y --dport 465 -j REJECT

x.x.x.x being the IP address I would like to ALLOW access and y.y.y.y being my MAIL-SERVER....

This however doesn't seem to be working...
Can anyone help me? What should I do next? How do I ensure that these changes I have made to this file are actually initiating on boot?

Thanks in advance
Question by: Lynton Jennings
18 Comments
 

Accepted Solution

by:
Lynton Jennings earned 0 total points
ID: 22795530
I have managed to sort this out on my own, Please ignore this question....

Thanks.
Regards,
Lynton Jennings
0
 
LVL 1

Expert Comment

by:Novensiles
ID: 22795725
What exactly is not working? You seem to be doing two sets of rules - firstly to allow smtp out from x.x.x.x, then later deny smtp from everyone except y.y.y.y.

Does x.x.x.x send email properly?

Why not write specific allow rules for both servers you want to give smtp access to, then deny all smtp afterwards.

That said, in isolation your rules look like they should work. Are you creating the CUSTOMFORWARD chain earlier in the rules?

'/sbin/iptables -N CUSTOMFORWARD' before any rule references the CUSTOMFORWARD chain.

If it's not that, provide more details about which rules work and which don't, i.e. do the log rules get triggered?

0
 

Author Comment

by:Lynton Jennings
ID: 22795879
I am trying to only allow port 25 access to my MAIL-SERVER and ONE other PC on my LAN.....

I put that code into /etc/rc.d/rc.firewall.local and rebooted and it does nothing....

I then came across a website explaining how to use IPTABLES..... So now I have added all the lines I need directly into IPTABLES... This sorts out all my problems, however whenever I reboot the IPCop machine, it flushes the IPTABLES back to its original settings and all my CUSTOMFORWARDS are removed...

How do I save all my CUSTOMFORWARD entries so that when the machine reboots it keeps them????

Regards
Lynton
0
 

Author Comment

by:Lynton Jennings
ID: 22795893
AH!!!! I am not doing the following as you suggested:
  '/sbin/iptables -N CUSTOMFORWARD' before any rule references the CUSTOMFORWARD chain.

I'll give that a quick bash and see.... I am extremely new to this. :)

Thank you!
0
 

Author Comment

by:Lynton Jennings
ID: 22796015
I edited the file using vi. Added the '/sbin/iptables -N CUSTOMFORWARD' before the rule referenced the CUSTOMFORWARD chain, saved it and rebooted the machine... then tested one of the other PCs on the LAN but it still has access to port 25....

I then ran IPTABLES --LIST and there were no rules defined under the customforward section... what am I doing wrong?

0
 
LVL 1

Expert Comment

by:Novensiles
ID: 22801074
Does it empty /etc/rc.d/rc.firewall.local on each reboot, or does it simply not run the script?

If you insert the rules into a running IPTables and they work, run iptables-save to save a script of your active rules. Save it as rc.firewall and see how you go.
0
 

Author Comment

by:Lynton Jennings
ID: 22802250
It doesn't empty the rc.firewall.local file; on reboot it would seem that the script (as pasted in the original message above) just doesn't run. (After a reboot I can edit the rc.firewall.local file and all my goodies are in there - but it just doesn't seem to take effect.)

The IPTables-Save command would probably be the answer, however in IPCop the developers did not include this function. I have tried saving it for the past 10 hours and no luck... I am sitting here at my office now on Saturday morning battling with this again....

When I append strings to the customforward chain in IPtables and I run IPtables --list I can physically see my changes and everything works perfectly until the next reboot. It would seem that the rc.firewall.local file is just not initiating or something; I have no idea how the rc.firewall.local file works..

Is there any other way to save the iptables other than the IPTABLES-SAVE COMMAND?

I'm lost.... and my time is running dry too :(
0
 

Author Comment

by:Lynton Jennings
ID: 22802394
I just noticed that while booting up on the IPCop machine, I looked to see what's happening on the screen at the time... When it gets to the section that says running /etc/rc.d/rc.firewall.local the next line says something on the lines of no such file or directory.. could this have anything to do with the problem? A little further down the screen it then started by what would seem the WLAN connection and also had a no such file or directory message...

I'm lost.............
0
 
LVL 1

Expert Comment

by:Novensiles
ID: 22805981
Okay, we're out of iptables territory and into linux startup script territory. Firstly, confirm /etc/rc.d/rc.firewall.local is spelt correctly and in the right place. Once booted up, try to run it manually ('sh /etc/rc.d/rc.firewall.local') and see if that gives any errors. If it does post your entire rc.firewall.local script, we'll see if it has a typo or other error.
0
 

Author Comment

by:Lynton Jennings
ID: 22807749
Hi thanks,

Where do i check if it is spelt correctly? in the directory or somewhere else?
How do I "copy" the contents of the file to paste here?

Thanks :)
0
 

Author Comment

by:Lynton Jennings
ID: 22807791
Okay, we seem to be getting somewhere.....

Here's what I did:
I rebooted the machine and then ran "iptables --list" and the Customforward Chain was empty. I then typed "sh /etc/rc.d/rc.firewall.local start" as you instructed me to test, and then ran "iptables --list" again and "poof" the customforward chain contains the lines I need.....

So, that then means that for some reason when the machine is booting up, it is not firing up that rc.firewall.local script.

Where to now? Is there some sort of boot up script that i can check to see why it is not running?

Regards
Lynton
0
 
LVL 1

Expert Comment

by:Novensiles
ID: 22808711
When you said you got "something on the lines of no such file or directory..." on bootup - what is the full and complete message? your problem almost certainly lies there.
0
 

Author Comment

by:Lynton Jennings
ID: 22810528
When booting it runs through all that stuff so quickly, I can't see it that well, and I don't know if one can pause at that exact time...

What I did a few moments ago is took another PC and installed IPCop onto it, then simply went into the rc.firewall.local file and added my entries, then rebooted and went directly to the iptables --list screen and all my settings were there in the customforward chain.. however it is just not the case on my "live" machine. So the problem has definitely been identified that the rc.firewall.local file on my machine is not starting up properly when booting up... Should I maybe copy the rc.firewall.local file from the other test machine to my live machine and test that? If so, how do I copy a file from one PC to another in IPCop/Linux???

Thanks
0
 
LVL 1

Expert Comment

by:Novensiles
ID: 22810767
scp is the method to copy.. if you are a Windows man google winscp. But I'd be more inclined to see why your live ipcop has an issue - confirm /etc/rc.d/rc.firewall.local is named correctly, is executable (chmod +x /etc/rc.d/rc.firewall.local ) and has the right permissions (chmod 775 /etc/rc.d/rc.firewall.local )
0
 

Author Comment

by:Lynton Jennings
ID: 22811293
Hi,

I have checked that the file is named correctly, it is /etc/rc.d/rc.firewall.local

I have also run chmod +x /etc/rc.d/rc.firewall.local and it just returned to the next line,
then I ran chmod 775 /etc/rc.d/rc.firewall.local and it did the same thing!

Can you be a bit more specific about the executable part and the permissions part.
We know the file works cause I ran it the other day by typing "sh /etc/rc.d/rc.firewall.local start"

Is there maybe another file that requests this firewall.local file to run???
0
 

Author Comment

by:Lynton Jennings
ID: 22811619
Hi, what I have just done now is: I read on a website about all the files that run when the system boots, so I went into the /etc/rc.d/rc.local file and I added the command "sh /etc/rc.d/rc.firewall.local start"

and that seems to have sorted out my problems, however I don't believe this is the correct way to solve this problem.

There are some other things that are listed in the rc.firewall.local file other than my forward custom chains. These other things did not load either until I have now "forced" the script to run...
Again, this means that when the system boots up, it is not firing up anything inside the rc.firewall.local file.

Any thoughts?
0
 

Author Comment

by:Lynton Jennings
ID: 22813278
Hi Novensiles,

I think I found the problem.... at the top of the file rc.firewall.local:
" #!/bin/sh " was " #!/bin/s " - it was missing the "h" at the end..... VERY WEIRD. I must have deleted the "h" somehow when I was still figuring out how the vi editor works.... sorry for that, however it has now uncovered another problem... When I run iptables --list, underneath the CUSTOMFORWARD CHAIN, all my entries are now duplicated (only the customforward chain), what could cause this?

I have since decided to remove all my lines from the rc.firewall.local file and I have put them straight into the rc.local file and now everything seems to be fine. Is there a problem with having these lines directly in the rc.local file???

Kindest regards
Lynton
0
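The rules from the question together with the two boot-script problems the thread uncovers (the script running twice and duplicating the chain, and the "#!/bin/s" first line), as an added example that is not code from the thread or from IPCop. CUSTOMFORWARD and eth0 come from the posts; the 192.0.2.x addresses are constructed placeholders for x.x.x.x and y.y.y.y, and setting IPTABLES=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread: an rc.firewall.local-style fragment
# for the SMTP restriction above plus a check for the shebang bug found later.
# Assumptions: CUSTOMFORWARD and eth0 (green) come from the thread; the two
# addresses are constructed placeholders; set IPTABLES=echo to dry-run as non-root.
IPTABLES="${IPTABLES:-/sbin/iptables}"
GREEN_IF="${GREEN_IF:-eth0}"
MAILSERVER="${MAILSERVER:-192.0.2.25}"   # stands in for y.y.y.y
ALLOWED_PC="${ALLOWED_PC:-192.0.2.50}"   # stands in for x.x.x.x

# The duplicated CUSTOMFORWARD entries seen in the thread come from the script
# running twice (once from init, once from rc.local). Creating the chain only if
# it is missing and flushing it first makes the rules safe to re-run: a second
# run replaces them instead of appending a second copy.
smtp_rules_start() {
    "$IPTABLES" -N CUSTOMFORWARD 2>/dev/null || true
    "$IPTABLES" -F CUSTOMFORWARD
    for port in 25 465; do
        # the one extra PC is allowed explicitly; the mail server is simply not
        # matched by the log/reject rules and falls through to IPCop's own FORWARD rules
        "$IPTABLES" -A CUSTOMFORWARD -p tcp -i "$GREEN_IF" -s "$ALLOWED_PC" \
            --dport "$port" -j ACCEPT
        # "! -s" is the negation form current iptables accepts ("-s !" is the old one)
        "$IPTABLES" -A CUSTOMFORWARD -p tcp -i "$GREEN_IF" ! -s "$MAILSERVER" \
            --dport "$port" -j LOG --log-prefix "SMTP-$port "
        "$IPTABLES" -A CUSTOMFORWARD -p tcp -i "$GREEN_IF" ! -s "$MAILSERVER" \
            --dport "$port" -j REJECT
    done
}

# The thread's root cause was a first line of "#!/bin/s": init could not exec the
# script ("no such file or directory"), while "sh rc.firewall.local start" worked
# because sh reads the file itself and ignores the shebang. This check catches
# that, a missing shebang, and a missing execute bit (the chmod +x step).
check_startup_script() {
    file="$1"
    [ -x "$file" ] || { echo "bad: $file is not executable"; return 1; }
    first=$(head -n 1 "$file")
    case "$first" in
        '#!'*) ;;
        *) echo "bad: $file has no #! line"; return 1 ;;
    esac
    interp=${first#"#!"}      # interpreter path, e.g. /bin/sh
    interp=${interp%% *}      # drop any interpreter arguments
    [ -x "$interp" ] || { echo "bad: $file asks for '$interp', which does not exist"; return 1; }
    echo "ok: $file runs under $interp"
}
```

Running `check_startup_script /etc/rc.d/rc.firewall.local` on the live box reports the truncated interpreter path the thread found, and `IPTABLES=echo` followed by `smtp_rules_start` shows the exact rule set without touching the running firewall.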
 
LVL 1

Expert Comment

by:Novensiles
ID: 22816197
sounds like some brokenness has been going on :) Nothing wrong with putting the fw rules in rc.local, it's just a tad messy. But if it works for you, who cares about that?
0
