
Block outbound port 25 traffic on Netopia Model 4522 T1 Router

Hi everybody,

We have an Exchange Server 2000 and were on a few blacklists. To prevent this from happening again, I would like to block outbound port 25 traffic from the workstations, but obviously I would still like to be able to send out mail through our Exchange server. We're using a Linksys Netopia Model 4522 T1 Router at this time. How can we configure it to do this? Filters?

Thanks in advance!
2 Solutions
 
JDLoanerCommented:
Configure an IP access list to block 25 outbound by all except the static IP of your EX Server.
 
Tango01Author Commented:
Thanks, JDLoaner. Do you know how to do it in the Netopia Model 4522 specifically?

Thanks, again.
 
Andrew DavisManagerCommented:
RTFM

You need to create a rule to allow the Exchange server,
then create a rule to block all machines.
The Exchange rule must be listed before the blocking rule, otherwise Exchange will be blocked as well.

Creating a Filter Rule for Exchange
From the Main Menu:
---> Quick Menus...

---> IP Filter Sets...

---> Display/Change IP Filter Set...

---> Basic Firewall...

---> Add Input Filter to Filter Set...

Hit the "Enter" or "Return" key after each entry to save the change.

- Leave Enabled: set to Yes
- (Tab) Forward: set to Yes
- Leave Source IP Address: set as {ip of exchange}
- Leave Source IP Mask: set as 255.255.255.255
- Change Dest. IP Address: set as 172.20.10.216. NOTE: This address is used here as an example only. Substitute the actual IP address assigned by your ISP for forwarding; if not using forwarding, set to 0.0.0.0.
- Change Dest. IP Mask: set as 255.255.255.255. NOTE: If not using forwarding, set to 0.0.0.0.
- Protocol Type: (type in) TCP
- Leave Source Port Compare...: set as No Compare
- Leave Source Port ID...: set as 0
- Change Destination Port Compare...: set to Equal
- Change Destination Port ID...: set to 25
- Leave Established TCP Conns. Only: set to No
- (Enter) ADD THIS FILTER NOW
After creating this filter rule, you should move the rule from the bottom of the list to a position above the rules allowing TCP and UDP traffic above port 1023 to enter by default. After going back into the Basic Firewall, go to:

---> Move input filter...

Hit "Enter" and highlight the filter rule you've just created. Hit "Enter" again and use the "up arrow" key to move the filter rule up two spaces. Hit enter again to save this change. Repeat this process for subsequent filters.

You have now created a filter rule to allow telnet access to your Netopia Router when you activate the Basic Firewall on your internet connection profile. When you view the filter rules in the Display/Change Input Filter..., this one will appear as follows:

Then do the same to block all others.

Cheers
from http://www.netopia.com/support/hardware/technotes/NQG_039.html
Tango01Author Commented:
Thank you for your reply, Andrew. However, help me to understand something: you said "Add Input Filter to Filter Set", right? I expected "output" instead. Also, NAT is more to allow certain "incoming traffic" to the network rather than limiting the outgoing traffic, right? Which is precisely what I am trying to accomplish by blocking port 25 (outbound traffic) for all the computers in the LAN but the Exchange Server. I remember doing the same in other routers without setting rules in the NAT, but I'm on a different model right now. I would appreciate your feedback.

Thank you very much!
 
Tango01Author Commented:
Well, I set the filters in the router as your message said, and tried both ways, input / output, but I'm still able to connect through port 25 from any machine in the LAN. So, unfortunately it doesn't work for me yet. Any other thoughts? What may I be doing wrong?

Thanks a bunch!
 
JDLoanerCommented:
How are you testing your connection to Port 25 outbound?  What are you connecting to and with what?
 
Tango01Author Commented:
Hi JDLoaner. I am testing the connection with a simple telnet mail.nameserver.com 25. If there were any traffic restriction, then only the Exchange should be able to connect and not any other machine/IP.
Now, I am considering installing a router in between the T1 router and the LAN, so I can handle better (easier interface) the traffic. Do you know any router that can handle the LAN coming out of the T1? A regular Linksys perhaps? Thanks!
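A scripted version of the telnet check described above, added here as an example and not part of the original thread: it puts a timeout on the connect, reads the SMTP greeting so that a "220" banner confirms a real MTA answered, and returns objects you can compare between a workstation and the Exchange server. The hostnames passed at the bottom are placeholders, not addresses from the thread.

```powershell
# Added example, not from the original thread. Checks TCP/25 reachability with a
# timeout and reads the SMTP greeting: "Reachable = True" plus a 220 banner means
# a real MTA answered, while a timeout is what a router filter usually produces.
# Hostnames used at the bottom are placeholders.
function Test-SmtpEgress {
    param(
        [Parameter(Mandatory = $true)][string[]]$Target,
        [int]$Port = 25,
        [int]$TimeoutMs = 3000
    )
    foreach ($name in $Target) {
        $client = New-Object System.Net.Sockets.TcpClient
        $reachable = $false
        $detail = ''
        try {
            $async = $client.BeginConnect($name, $Port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $detail = "timeout after $TimeoutMs ms (silent drop, typical of a filter)"
            } else {
                $client.EndConnect($async)      # throws on refused/reset
                $reachable = $true
                $stream = $client.GetStream()
                $stream.ReadTimeout = $TimeoutMs
                $buffer = New-Object byte[] 512
                try {
                    $count = $stream.Read($buffer, 0, $buffer.Length)
                    $detail = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $count).Trim()
                } catch {
                    $detail = 'connected, but no SMTP banner within timeout'
                }
            }
        } catch {
            $detail = $_.Exception.Message     # e.g. connection refused, DNS failure
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{
            Target    = $name
            Port      = $Port
            Reachable = $reachable
            Detail    = $detail
        }
    }
}

# Run the same command on a workstation and on the Exchange server and compare:
# once the block works, only Exchange should show Reachable = True for outside MTAs.
Test-SmtpEgress -Target 'mail.example.net', 'smtp.isp.example' | Format-Table -AutoSize
```

Run it from both sides of the rule before and after changing the filter set; a workstation that still gets a 220 banner from an outside MTA tells you the block is not being applied to that path, which is exactly the symptom a NAT device in between will produce.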
 
JDLoanerCommented:
I believe that the main problem lies in the NAT. When a client on your LAN makes an outbound request to a host on the Internet, it receives a NAT'd address on the way out, thus giving it the same IP for most if not all (depending on setup) hosts on the network.

You should be able to accomplish this with the current setup. I am not familiar with your device, but any router should be able to handle this. Under the IP Filter Sets, is there a way to define an OUTBOUND set, rather than the INBOUND set listed above?

If you have the budget to put another device inline with your current setup, you might just want to look at something a little more enterprise-strength to consolidate them and have just one device be able to handle everything you are doing among any other additional needs.

However, if you are looking to keep costs low and are convinced it would be needed, or at least nicer, to have another device to help mediate traffic, my suggestion would be to buy a Linksys WRT54GL Router. This is a very basic router made by Linksys; however, the L designation on the end means it's Linux based and a very good candidate for upgrading the firmware to DD-WRT (I use this in many places in my home). This firmware upgrade takes that $50 router and makes it about a $500 router with the functionality enabled.

That being said, I still think we can accomplish at least what you originally asked for with your current device. So please take a look at the IP Filter Outbound list section and let me know what you see.
 
Tango01Author Commented:
Basically, I do have capabilities of setting outbound filters. Actually, I've found a tech note from Netopia (see attached). What happens is that despite doing what they said, still doesn't work as expected. I'll try to contact them in the morning PST, since their chat room is closed at this time. I'll keep you posted. Thanks again! JDLoaner.
https---broadband.custhelp.pdf
 
Andrew DavisManagerCommented:
Remember, if there is a default allow all, then your block must be listed above it.
 
JDLoanerCommented:
I read through that paper, looks good to me so I am surprised it's not working.  Would you mind posting your IP Filter Rules (as on pg 5) for me to look at?
 
Tango01Author Commented:
Sure. I'll be back on that. I believe that's the problem. It looks like whoever was the previous guy (always blaming the previous guy) used the IP block in a wrong way: the IP address is below the gateway and it works (??). I've verified that with Megapath. Thanks. I'll be back soon.
 
Tango01Author Commented:
No good by now. Something is not right with the rules (they are in perfect sequence). Port 25 gets blocked for Exchange as well. Same with incoming for 110, regardless of the input rules.
 
Tango01Author Commented:
OK. I found one of the problems. Today I was able to visit the site, and between the Netopia and the LAN there is a Windows VPN server. Therefore, no matter what I do in the router, for it all the addresses translate into the one coming from the VPN. So, there is no way to know who is transmitting, whether it is the Exchange or a PC. I think now I need to block the traffic by using Routing & Remote Access and NAT/Basic Firewall in W2K3. Does anybody have experience blocking/allowing port 25 in this way?
Thanks again, folks.
 
JDLoanerCommented:
Ahh, yeah I thought it screamed NAT problem..

Unfortunately you cannot block outgoing connections with the Firewall in 2K3, only in 2008. However, I wouldn't consider this a worthwhile investment just for that feature as there are potentially still other ways to accomplish this.
 
JDLoanerCommented:
How many machines exactly are you looking to block?  If it is a handful or two what I can do is post a windows IPSec-Policy file which you could download and then import via a simple CLI command.  From there all you would have to do is go into an MMC Snap In and enable the policy.

Depending on your network and access level, you could probably enable this policy on all network hosts (one by one) through a single machine via a remote MMC connection.

Please let me know if you would like me to post this for you.

(If you have a network controlled by AD, this could also be arranged by GPO. However, that would be somewhat outside the scope of my comfort level having you push new Group Policies out to your entire AD schema)
 
Tango01Author Commented:
We are looking at 25/30 workstations more or less, 2 DC W2K with AD, 1 Exchange W2K, 1 application server W2K, 1 application server W2K3, and 1 VPN W2K3. What do you think? GPO or IPSec-Policy?
Thank you! JDLoaner
 
Andrew DavisManagerCommented:
You would do it with both: create the IPSec policy and apply it via GPO. See http://support.microsoft.com/kb/813878
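A scripted build of the policy the KB article describes, added here as an example; it is not taken from the thread or from KB 813878. It assumes Windows XP or Server 2003 hosts (netsh ipsec is not available on Windows 2000, where the KB article uses ipsecpol.exe instead) and uses 10.0.0.5 as a placeholder for the Exchange server's IP address.

```powershell
# Added example (not from the thread or KB 813878): block outbound TCP/25 from
# this host except to the internal Exchange server, using netsh ipsec static.
# Requires Windows XP / Server 2003; 10.0.0.5 is a placeholder Exchange address.
$ExchangeIp = '10.0.0.5'
$Policy     = 'Block outbound SMTP'

# 1. Filter lists. Windows IPSec applies the MOST SPECIFIC matching filter,
#    not the first one in a list, so the single-host permit below overrides
#    the block to "any" no matter which rule is added first.
netsh ipsec static add filterlist name="SMTP to anywhere"
netsh ipsec static add filter filterlist="SMTP to anywhere" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=25 mirrored=no description="This host to any MTA on TCP/25"

netsh ipsec static add filterlist name="SMTP to Exchange"
netsh ipsec static add filter filterlist="SMTP to Exchange" srcaddr=me dstaddr="$ExchangeIp" protocol=TCP srcport=0 dstport=25 mirrored=no description="This host to the internal Exchange server"

# 2. Filter actions: plain permit and block, no negotiation.
netsh ipsec static add filteraction name="Block SMTP" action=block
netsh ipsec static add filteraction name="Permit SMTP" action=permit

# 3. Policy, rules tying lists to actions, then assign it on this host.
netsh ipsec static add policy name="$Policy" description="Only Exchange may reach outside MTAs on TCP/25"
netsh ipsec static add rule name="Block SMTP out" policy="$Policy" filterlist="SMTP to anywhere" filteraction="Block SMTP"
netsh ipsec static add rule name="Allow SMTP to Exchange" policy="$Policy" filterlist="SMTP to Exchange" filteraction="Permit SMTP"
netsh ipsec static set policy name="$Policy" assign=yes

# 4. Confirm what is now active, then re-test with telnet <outside mta> 25.
netsh ipsec static show policy name="$Policy" level=verbose
```

Try it on one workstation first and repeat the telnet test from that host. For the rollout, define the same policy in a GPO under Computer Configuration > Windows Settings > Security Settings > IP Security Policies, linked only to the OU holding the workstations: the Exchange server must not receive this policy, or its own outbound SMTP is blocked as well. Unlike the Netopia filter set, where the first matching rule wins and the permit has to sit above the block, Windows IPSec picks the most specific filter, so the permit to one address beats the block to any destination regardless of order.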
 
Tango01Author Commented:
I'll give them a try, and let you know. Thank you! Andrew.
 
Andrew DavisManagerCommented:
How did you go?
 
Tango01Author Commented:
Hi Andrew, they were closed doing inventory. I'll be able to do it before the end of this week. Thank you for asking. I'll keep you posted.
