Solved

How to Block Port 25 on entire LAN except my Mail-Server using IPCop v 1.4.21

Posted on 2008-10-24
Last Modified: 2012-05-05
Hi,

I have IPCop v1.4.21 and I am trying to block all port 25 traffic on my green interface except for my Mail-Server's IP Address. I have looked up a few sites on the web so far and I have added the following into my
/etc/rc.d/rc.firewall.local file (edited with vi):

## add your 'start' rules here
# allow smtp from some allowed ips
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s x.x.x.x --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s x.x.x.x --dport 465 -j ACCEPT
# log stuff that is not the mail server
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 25 -j LOG --log-prefix "SMTP"
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 465 -j LOG --log-prefix "SMTP-SSL"
# block all other outgoing SMTP traffic
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 25 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 465 -j REJECT

x.x.x.x being the IP address I would like to ALLOW access and y.y.y.y being my MAIL-SERVER....

This however doesn't seem to be working...
Can anyone help me? What should I do next? How do I ensure that these changes I have made to this file are actually initiating on boot?

Thanks in advance
Question by: LyntonJennings
 

Accepted Solution

by: LyntonJennings earned 0 total points
I have managed to sort this out on my own. Please ignore this question....

Thanks.
Regards,
Lynton Jennings
 
LVL 1

Expert Comment

by: Novensiles
What exactly is not working? You seem to be doing two sets of rules - firstly to allow smtp out from x.x.x.x, then later deny smtp from everyone except y.y.y.y.

Does x.x.x.x send email properly?

Why not write specific allow rules for both servers you want to give smtp access to, then deny all smtp afterwards?

That said, in isolation your rules look like they should work. Are you creating the CUSTOMFORWARD chain earlier in the rules?

'/sbin/iptables -N CUSTOMFORWARD' before any rule references the CUSTOMFORWARD chain.

If it's not that, provide more details about which rules work and which don't, i.e. do the log rules get triggered?
 

Author Comment

by: LyntonJennings
I am trying to only allow port 25 access to my MAIL-SERVER and ONE other PC on my LAN.....

I put that code into /etc/rc.d/rc.firewall.local and rebooted and it does nothing....

I then came across a website explaining how to use IPTABLES..... So now I have added all the lines I need directly into IPTABLES... This sorts out all my problems, however whenever I reboot the IPCop machine, it flushes the IPTABLES back to its original settings and all my CUSTOMFORWARDS are removed...

How do I save all my CUSTOMFORWARD entries so that when the machine reboots it keeps them????

Regards
Lynton
 

Author Comment

by: LyntonJennings
AH!!!! I am not doing the following as you suggested:
  '/sbin/iptables -N CUSTOMFORWARD' before any rule references the CUSTOMFORWARD chain.

I'll give that a quick bash and see.... I am extremely new to this. :)

Thank you!
 

Author Comment

by: LyntonJennings
I edited the file using vi. Added the '/sbin/iptables -N CUSTOMFORWARD' before the rule referenced the CUSTOMFORWARD chain, saved it and rebooted the machine... then tested one of the other PCs on the LAN but it still has access to port 25....

I then ran IPTABLES --LIST and there were no rules defined under the customforward section... what am I doing wrong?
 
LVL 1

Expert Comment

by: Novensiles
Does it empty /etc/rc.d/rc.firewall.local on each reboot, or does it simply not run the script?

If you insert the rules into a running IPTables and they work, run iptables-save to save a script of your active rules. Save it as rc.firewall and see how you go.
 

Author Comment

by: LyntonJennings
It doesn't empty the rc.firewall.local file; on reboot it would seem that the script (as pasted in original message above) just doesn't run. (After a reboot I can edit the rc.firewall.local file and all my goodies are in there - but it just doesn't seem to take effect.)

The IPTables-Save command would probably be the answer, however in IPCop the developers did not include this function. I have tried saving it for the past 10 hours and no luck... I am sitting here at my office now on Saturday morning battling with this again....

When I append strings to the customforward chain in IPtables and I run IPtables --list I can physically see my changes and everything works perfectly until next reboot. It would seem that the rc.firewall.local file is just not initiating or something; I have no idea how the rc.firewall.local file works..

Is there any other way to save the iptables other than the IPTABLES-SAVE COMMAND?

I'm lost.... and my time is running dry too :(
 

Author Comment

by: LyntonJennings
I just noticed that while booting up on the IPCop machine, I looked to see what's happening on the screen at the time... When it gets to the section that says running /etc/rc.d/rc.firewall.local the next line says something on the lines of no such file or directory.. could this have anything to do with the problem? A little further down the screen it then started by what would seem the WLAN connection and also had a no such file or directory message...

I'm lost.............
 
LVL 1

Expert Comment

by: Novensiles
Okay, we're out of iptables territory and into linux startup script territory. Firstly, confirm /etc/rc.d/rc.firewall.local is spelt correctly and in the right place. Once booted up, try to run it manually ('sh /etc/rc.d/rc.firewall.local') and see if that gives any errors. If it does, post your entire rc.firewall.local script; we'll see if it has a typo or other error.

 

Author Comment

by: LyntonJennings
Hi thanks,

Where do I check if it is spelt correctly? In the directory or somewhere else?
How do I "copy" the contents of the file to paste here?

Thanks :)
 

Author Comment

by: LyntonJennings
Okay, we seem to be getting somewhere.....

Here's what I did:
I rebooted the machine and then ran "iptables --list" and the Customforward Chain was empty. I then typed "sh /etc/rc.d/rc.firewall.local start" as you instructed me to test, and then ran "iptables --list" again and "poof" the customforward chain contains the lines I need.....

So, that then means that for some reason when the machine is booting up, it is not firing up that rc.firewall.local script.

Where to now? Is there some sort of boot up script that I can check to see why it is not running?

Regards
Lynton
 
LVL 1

Expert Comment

by: Novensiles
When you said you got "something on the lines of no such file or directory..." on bootup - what is the full and complete message? Your problem almost certainly lies there.
 

Author Comment

by: LyntonJennings
When booting it runs through all that stuff so quickly, I can't see it that well, and I don't know if one can pause at that exact time...

What I did a few moments ago is took another PC and installed IPCop onto it, then simply went into the rc.firewall.local file and added my entries, then rebooted and went directly to the iptables --list screen and all my settings were there in the customforward chain.. however it is just not the case on my "live" machine. So the problem has definitely been identified that the rc.firewall.local file on my machine is not starting up properly when booting up... Should I maybe copy the rc.firewall.local file from the other test machine to my live machine and test that? If so, how do I copy a file from one PC to another in IPCop/Linux???

Thanks
 
LVL 1

Expert Comment

by: Novensiles
scp is the method to copy.. if you are a Windows man google winscp. But I'd be more inclined to see why your live ipcop has an issue - confirm /etc/rc.d/rc.firewall.local is named correctly, is executable (chmod +x /etc/rc.d/rc.firewall.local) and has the right permissions (chmod 775 /etc/rc.d/rc.firewall.local)
 

Author Comment

by: LyntonJennings
Hi,

I have checked that the file is named correctly, it is /etc/rc.d/rc.firewall.local

I have also run chmod +x /etc/rc.d/rc.firewall.local and it just returned to the next line,
then I ran chmod 775 /etc/rc.d/rc.firewall.local and it did the same thing!

Can you be a bit more specific about the executable part and the permissions part?
We know the file works because I ran it the other day by typing "sh /etc/rc.d/rc.firewall.local start"

Is there maybe another file that requests this firewall.local file to run???
 

Author Comment

by: LyntonJennings
Hi, what I have just done now is: I read on a website about all the files that run when the system boots, so I went into the /etc/rc.d/rc.local file and I added the command "sh /etc/rc.d/rc.firewall.local start"

and that seems to have sorted out my problems, however I don't believe this is the correct way to solve this problem.

There are some other things that are listed in the rc.firewall.local file other than my forward custom chains. These other things did not load either until I have now "forced" the script to run...
Again, this means that when the system boots up, it is not firing up anything inside the rc.firewall.local file.

Any thoughts?
 

Author Comment

by: LyntonJennings
Hi Novensiles,

I think I found the problem.... at the top of the file rc.firewall.local:
" #!/bin/sh " was " #!/bin/s " - it was missing the "h" at the end..... VERY WEIRD. I must have deleted the "h" somehow when I was still figuring out how the vi editor works.... sorry for that, however it has now uncovered another problem... When I run iptables --list, underneath the CUSTOMFORWARD CHAIN, all my entries are now duplicated (only the customforward chain), what could cause this?

I have since decided to remove all my lines from the rc.firewall.local file and I have put them straight into the rc.local file and now everything seems to be fine. Is there a problem with having these lines directly in the rc.local file???

Kindest regards
Lynton
 
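A complete rc.firewall.local in the start/stop/reload shape the IPCop 1.4 template uses, written here as an added example (not the poster's script and not IPCop's own code): it carries the SMTP policy from the original question, and because stop and reload empty CUSTOMFORWARD before start appends, it avoids the duplicated entries reported in the comment above. The GREEN device eth0, the mail server 192.168.1.10 and the one extra PC 192.168.1.20 are assumed sample values standing in for the question's y.y.y.y and x.x.x.x.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall.local -- IPCop 1.4 private firewall rules (added example).
# Assumptions, not taken from the thread: GREEN is eth0, the mail server is
# 192.168.1.10 and the one extra PC allowed to send mail is 192.168.1.20.
# Set IPTABLES=echo to dry-run and print the rules instead of applying them.
IPTABLES="${IPTABLES:-/sbin/iptables}"
GREEN_DEV="eth0"
MAILSERVER="192.168.1.10"   # constructed sample address (y.y.y.y in the question)
EXTRA_PC="192.168.1.20"     # constructed sample address (x.x.x.x in the question)
SMTP_PORTS="25 465"

# Append the SMTP policy to CUSTOMFORWARD. The allow rules come first, so the
# catch-all LOG/REJECT rules need no "!" negation. IPCop's own rc.firewall
# creates the chain and jumps to it from FORWARD, so it is not -N'd here.
smtp_rules_add() {
    for port in $SMTP_PORTS; do
        for host in $MAILSERVER $EXTRA_PC; do
            "$IPTABLES" -A CUSTOMFORWARD -p tcp -i "$GREEN_DEV" -s "$host" \
                --dport "$port" -j ACCEPT
        done
        # Everything else from GREEN to this port is logged, then rejected.
        "$IPTABLES" -A CUSTOMFORWARD -p tcp -i "$GREEN_DEV" --dport "$port" \
            -j LOG --log-prefix "SMTP-BLOCK:"
        "$IPTABLES" -A CUSTOMFORWARD -p tcp -i "$GREEN_DEV" --dport "$port" -j REJECT
    done
}

# Empty the chain so that running the script twice (stop/start, reload, or a
# second append from rc.local) never leaves duplicated rules behind.
smtp_rules_flush() {
    "$IPTABLES" -F CUSTOMFORWARD
}

case "$1" in
  start)  smtp_rules_add ;;
  stop)   smtp_rules_flush ;;
  reload) smtp_rules_flush; smtp_rules_add ;;
  *)      echo "Usage: $0 {start|stop|reload}" ;;
esac
```

Running `IPTABLES=echo sh /etc/rc.d/rc.firewall.local start` prints the eight rules that would be appended, which is a quick way to check the script before a reboot.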
LVL 1

Expert Comment

by: Novensiles
Sounds like some brokenness has been going on :) Nothing wrong with putting the fw rules in rc.local, it's just a tad messy. But if it works for you, who cares about that?
