
IPCop block port only port 25

Hello Experts

I'm after some help in blocking only port 25 from all computers on my network except a few computers & mail servers but allowing all other traffic.

I've tried using the BlockOutTraffic addon, but it blocks all traffic and I have to allow what I want through, but that's not what I'm after. I want to allow all traffic except port 25 from some computers.

So I've found this on the net. It's in lots of places including Experts Exchange. But I can't get it to work.

vi /etc/rc.d/rc.firewall.local
         ## add your 'start' rules here
# allow smtp from some allowed ips
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s x.x.x.x --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s x.x.x.x --dport 465 -j ACCEPT
# log stuff that is not the mail server
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 25 -j LOG --log-prefix "SMTP"
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 465 -j LOG --log-prefix "SMTP-SSL"
# block all other outgoing SMTP traffic
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 25 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 465 -j REJECT

Replace x.x.x.x with an extra ip that you want to allow smtp access for (and repeat for any others). This may be for something that your main mail server does not relay for. Replace y.y.y.y with the ip of your mail server.

Firstly, I don't understand the x.x.x.x & y.y.y.y. The last two entries say REJECT, so if I add my mail server IP there, won't it REJECT?

Anyhow, below is my rc.firewall.local file that I have edited, but it doesn't work.

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
# allow smtp from some allowed ips
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.98 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.80 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.77 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.98 --dport 465 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.80 --dport 465 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.77 --dport 465 -j ACCEPT
# log stuff that is not the mail server
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.110 --dport 25 -j LOG --log-prefix "SMTP"
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 25 -j LOG --log-prefix "SMTP"
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.110 --dport 465 -j LOG --log-prefix "SMTP-SSL"
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 465 -j LOG --log-prefix "SMTP-SSL"
# block all other outgoing SMTP traffic
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.110 --dport 25 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 25 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.110 --dport 465 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 465 -j REJECT
    #Added for Extra Graphs start - BEGIN
    /usr/local/bin/xtgctrl.pl -s
    #Added for Extra Graphs start - END
        ;;
  stop)
        ## add your 'stop' rules here
    #Added for Extra Graphs stop - BEGIN
    /usr/local/bin/xtgctrl.pl -e
    #Added for Extra Graphs stop - END
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac


I'm after blocking port 25 from all computers in my network apart from the IP list below.
If someone could modify the script to do this it would be GREAT!!!!

IPs
Computers
192.168.1.77
192.168.1.80
192.168.1.98
Mail Servers
192.168.1.200
192.168.1.110

Thanks for any help.

Regards,
Asked by Up2DateTech

1 Solution

Nopius commented:
Hi.

Your script seems correct.

> So I've found this on the net. It's in lots of places including Experts Exchange. But I can't get it to work.

What exactly is not working?

> Firstly, I don't understand the x.x.x.x & y.y.y.y. The last two entries say REJECT, so if I add my mail server IP there, won't it REJECT?

That's correct: there is ! y.y.y.y, which means reject all but y.y.y.y. One problem: you can't define 2 mail servers in such a way, because the second will always be rejected, so in your case you should modify:
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.110 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 25 -j REJECT

Next question, is 'eth0' your internal LAN interface (GREEN ZONE)? It should be internal.
Next, make your /etc/rc.d/rc.firewall.local executable, I mean: chmod +x /etc/rc.d/rc.firewall.local
Do you see your chain after reboot? After reboot please log in, run 'iptables-save' and make sure that your changes are activated.

If you have some problems, run 'iptables-save' and 'ifconfig -a' and post output here.


Up2DateTech (Author) commented:
Thanks for the reply, I'll do this in 4 hours at close of business.
Up2DateTech (Author) commented:
I haven't changed the script yet. But I tested 'iptables-save' and I get the error
-bash: iptables-save: command not found
Up2DateTech (Author) commented:
Great help, thanks, all working.

Below is my script

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
# allow smtp from some allowed ips
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.98 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.80 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.77 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.110 --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.98 --dport 465 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.80 --dport 465 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.77 --dport 465 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s 192.168.1.110 --dport 465 -j ACCEPT
# log stuff that is not the mail server
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 25 -j LOG --log-prefix "SMTP"
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 465 -j LOG --log-prefix "SMTP-SSL"
# block all other outgoing SMTP traffic
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 25 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! 192.168.1.200 --dport 465 -j REJECT
    #Added for Extra Graphs start - BEGIN
    /usr/local/bin/xtgctrl.pl -s
    #Added for Extra Graphs start - END
        ;;
  stop)
        ## add your 'stop' rules here
    #Added for Extra Graphs stop - BEGIN
    /usr/local/bin/xtgctrl.pl -e
    #Added for Extra Graphs stop - END
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac
Nopius commented:
There should be 'iptables -L -v'.
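The fix Nopius describes (an ACCEPT for every extra host, then a REJECT for everyone else) generalizes to one allow-list with no "-s !" rules at all, which is the trap the first script fell into: two "-s ! A" / "-s ! B" REJECT lines reject both A and B. This is an added example, not the thread's script; it assumes IPCop's CUSTOMFORWARD chain, eth0 as the GREEN interface and the addresses from the question, and it dry-runs (prints the rules) unless IPTABLES is set to /sbin/iptables.

```shell
#!/bin/sh
# Added example (not from the thread): build the SMTP rules for CUSTOMFORWARD
# from a single allow-list. Rules are evaluated first-match, so every permitted
# host (workstations and both mail servers) gets an ACCEPT, and one unconditional
# LOG + REJECT per port then catches every other LAN host. No "-s !" matches are
# needed, so adding a second mail server is just one more entry in the list.
#
# Assumptions: IPCop CUSTOMFORWARD chain, eth0 = GREEN interface, addresses from
# the question. IPTABLES defaults to "echo" so the script prints what it would do.

IPTABLES="${IPTABLES:-echo}"
LAN_IF="eth0"
SMTP_PORTS="25 465"
SMTP_ALLOWED="192.168.1.77 192.168.1.80 192.168.1.98 192.168.1.110 192.168.1.200"

# smtp_rules: emit (or apply) the rules in first-match order: ACCEPTs, LOG, REJECT.
smtp_rules() {
    for port in $SMTP_PORTS; do
        for host in $SMTP_ALLOWED; do
            $IPTABLES -A CUSTOMFORWARD -p tcp -i "$LAN_IF" -s "$host" \
                --dport "$port" -j ACCEPT
        done
        # No source match here: anything that did not hit an ACCEPT above
        # (an unlisted host, or a worm spamming from a desktop) is logged and refused.
        $IPTABLES -A CUSTOMFORWARD -p tcp -i "$LAN_IF" --dport "$port" \
            -j LOG --log-prefix "SMTP-BLOCK:${port} "
        $IPTABLES -A CUSTOMFORWARD -p tcp -i "$LAN_IF" --dport "$port" -j REJECT
    done
}

# count_rules TARGET PORT: number of generated rules with that target for that port
# (always dry-run, so it can be used to check the set before applying it).
count_rules() {
    ( IPTABLES=echo; smtp_rules ) | grep -- "--dport $2 " | grep -c -- "-j $1"
}

# Run as "IPTABLES=/sbin/iptables ./smtp-rules.sh start" to apply for real.
case "${1:-}" in
    start) smtp_rules ;;
esac
```

Check the result afterwards with 'iptables -L CUSTOMFORWARD -v -n' and confirm the ACCEPT lines sit above the LOG and REJECT lines for each port.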