IPCop block port only port 25

Hello Experts

I'm after some help in blocking only port 25 from all computers on my network except a few computers and mail servers, while allowing all other traffic.

I've tried using the BlockOutTraffic addon, but it blocks all traffic and I have to allow what I want through, but that's not what I'm after. I want to allow all traffic except port 25 from some computers.

So I've found this on the net. It's in lots of places, including Experts Exchange. But I can't get it to work.

vi /etc/rc.d/rc.firewall.local
         ## add your 'start' rules here
# allow smtp from some allowed ips
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s x.x.x.x --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s x.x.x.x --dport 465 -j ACCEPT
# log stuff that is not the mail server
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 25 -j LOG --log-prefix "SMTP"
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 465 -j LOG --log-prefix "SMTP-SSL"
# block all other outgoing SMTP traffic
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 25 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 465 -j REJECT

Replace x.x.x.x with an extra ip that you want to allow smtp access for (and repeat for any others). This may be for something that your main mail server does not relay for. Replace y.y.y.y with the ip of your mail server.

Firstly, I don't understand the x.x.x.x and y.y.y.y. The last two entries say REJECT, so if I add my mail server IP there, won't it REJECT?

Anyhow, below is my rc.firewall.local file that I have edited, but it doesn't work.

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
# allow smtp from some allowed ips
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.98 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.80 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.77 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.98 --dport 465 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.80 --dport 465 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.77 --dport 465 -j ACCEPT
# log stuff that is not the mail server
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.110 --dport 25 -j LOG --log-prefix "SMTP"
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 25 -j LOG --log-prefix "SMTP"
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.110 --dport 465 -j LOG --log-prefix "SMTP-SSL"
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 465 -j LOG --log-prefix "SMTP-SSL"
# block all other outgoing SMTP traffic
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.110 --dport 25 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 25 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.110 --dport 465 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 465 -j REJECT
    #Added for Extra Graphs start - BEGIN
    /usr/local/bin/xtgctrl.pl -s
    #Added for Extra Graphs start - END
        ;;
  stop)
        ## add your 'stop' rules here
    #Added for Extra Graphs stop - BEGIN
    /usr/local/bin/xtgctrl.pl -e
    #Added for Extra Graphs stop - END
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac


I'm after blocking port 25 from all computers in my network apart from the IP list below.
If someone could modify the script to do this it would be GREAT!!!!

IPs
Computers
192.168.1.77
192.168.1.80
192.168.1.98
Mail Servers
192.168.1.200
192.168.1.110

Thanks for any help.

Regards,
Up2DateTech asked:

Nopius commented:
Hi.

Your script seems correct.

> So i've found this on the net. It's in lots of places including experts exchange.  But i can't get it to work.

What exactly is not working?

> firstly i don't understand the x.x.x.x & y.y.y.y the last two entries say REJECT so if i add my mail server ip there wont it REJECT.

That's correct. There is `! y.y.y.y`, which means reject all but y.y.y.y. One problem: you can't define 2 mail servers in such a way, because the second will always be rejected, so in your case you should modify:
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.110 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 25 -j REJECT

Next question: is 'eth0' your internal LAN interface (GREEN zone)? It should be internal.
Next, make your /etc/rc.d/rc.firewall.local executable, I mean: chmod +x /etc/rc.d/rc.firewall.local
Do you see your chain after reboot? After reboot please log in, run 'iptables-save' and make sure that your changes are activated.

If you have some problems, run 'iptables-save' and 'ifconfig -a' and post output here.


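The point Nopius makes above (a negated source match such as `-s ! 192.168.1.110` followed by a second one for `192.168.1.200` rejects traffic from both servers, because each REJECT fires for the other) can be shown with a small first-match simulation. The script below is an added example for this thread, not code posted in it: `smtp_rules` builds the rule set from an allow-list (one ACCEPT per permitted host, then an unconditional LOG and REJECT, so no negation is needed and any number of mail servers can be allowed), `broken_rules` is a constructed copy of the two negated REJECT lines from the first attempt, and `verdict` walks a rule list the way the kernel walks a chain. It assumes IPCop's CUSTOMFORWARD chain and eth0 as the GREEN interface, as in the thread; by default it only prints the iptables commands (dry run), and the simulator evaluates only `-s` and `--dport`.

```shell
#!/bin/sh
# Added example for this thread, not code posted in it.
# Assumptions: IPCop's CUSTOMFORWARD chain and eth0 as the GREEN (LAN)
# interface, as in the thread. IPTABLES defaults to a dry run that only
# prints the commands; set IPTABLES=/sbin/iptables to emit real ones.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"
SMTP_PORTS="25 465"

# smtp_rules HOST... : print one ACCEPT per allowed host and port, then an
# unconditional LOG and REJECT. No negated sources are needed, so any number
# of mail servers and clients can be allowed.
smtp_rules() {
    for port in $SMTP_PORTS; do
        prefix="SMTP"
        [ "$port" = "465" ] && prefix="SMTP-SSL"
        for host in "$@"; do
            echo "$IPTABLES -A CUSTOMFORWARD -p tcp -i $LAN_IF -s $host --dport $port -j ACCEPT"
        done
        echo "$IPTABLES -A CUSTOMFORWARD -p tcp -i $LAN_IF --dport $port -j LOG --log-prefix \"$prefix \""
        echo "$IPTABLES -A CUSTOMFORWARD -p tcp -i $LAN_IF --dport $port -j REJECT"
    done
}

# broken_rules : constructed copy of two lines from the thread's first attempt,
# one negated source per mail server.
broken_rules() {
    cat <<'EOF'
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.110 --dport 25 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 25 -j REJECT
EOF
}

# verdict SRC PORT : read rule lines from stdin and report the first
# terminating target (ACCEPT/REJECT/DROP) whose matches all hold, i.e.
# first-match chain evaluation. Only -s (with optional "! ") and --dport are
# evaluated; LOG is non-terminating and falls through. Prints RETURN when no
# rule matched (the chain hands the packet back to the caller).
verdict() {
    src="$1"; port="$2"
    while read -r line; do
        set -- $line
        match=1; rport=""; target=""
        while [ $# -gt 0 ]; do
            case "$1" in
                -s)
                    case "$2" in
                        '!') [ "$3" = "$src" ] && match=0; shift 3 ;;
                        *)   [ "$2" = "$src" ] || match=0; shift 2 ;;
                    esac ;;
                --dport) rport="$2"; shift 2 ;;
                -j)      target="$2"; shift 2 ;;
                *)       shift ;;
            esac
        done
        if [ "$match" = 1 ] && [ "$rport" = "$port" ]; then
            case "$target" in
                ACCEPT|REJECT|DROP) echo "$target"; return 0 ;;
            esac
        fi
    done
    echo "RETURN"
}

# Demonstration with the thread's addresses (constructed scenario).
ALLOWED="192.168.1.77 192.168.1.80 192.168.1.98 192.168.1.110 192.168.1.200"
echo "mail server .200, port 25, negated rules: $(broken_rules | verdict 192.168.1.200 25)"
echo "mail server .110, port 25, negated rules: $(broken_rules | verdict 192.168.1.110 25)"
echo "mail server .200, port 25, allow-list:    $(smtp_rules $ALLOWED | verdict 192.168.1.200 25)"
echo "other host .50,   port 25, allow-list:    $(smtp_rules $ALLOWED | verdict 192.168.1.50 25)"
echo "other host .50,   port 80, allow-list:    $(smtp_rules $ALLOWED | verdict 192.168.1.50 80)"
```

Both mail servers get REJECT from the negated pair, while the allow-list version accepts them, rejects port 25 and 465 from any other host, and returns (leaves all other traffic alone) for any other port. To use the generated rules on the box, run `IPTABLES=/sbin/iptables smtp_rules 192.168.1.77 ... 192.168.1.200` and paste the output into the start) section of rc.firewall.local, then confirm with `iptables -L CUSTOMFORWARD -v -n` that the ACCEPT lines sit above the REJECT lines.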

Up2DateTech (Author) commented:
Thanks for the reply. I'll do this in 4 hours at close of business.
Up2DateTech (Author) commented:
I haven't changed the script yet. But I tested 'iptables-save' and I get the error
-bash: iptables-save: command not found
Up2DateTech (Author) commented:
Great help, thanks, all working.

Below is my script:

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
# allow smtp from some allowed ips
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.98 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.80 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.77 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.110 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.98 --dport 465 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.80 --dport 465 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.77 --dport 465 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.110 --dport 465 -j ACCEPT
# log stuff that is not the mail server
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 25 -j LOG --log-prefix "SMTP"
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 465 -j LOG --log-prefix "SMTP-SSL"
# block all other outgoing SMTP traffic
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 25 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 465 -j REJECT
    #Added for Extra Graphs start - BEGIN
    /usr/local/bin/xtgctrl.pl -s
    #Added for Extra Graphs start - END
        ;;
  stop)
        ## add your 'stop' rules here
    #Added for Extra Graphs stop - BEGIN
    /usr/local/bin/xtgctrl.pl -e
    #Added for Extra Graphs stop - END
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac
Nopius commented:
There should be 'iptables -L -v'.