Re: SMTP external

On Thursday 02 January 2003 06:44 pm, Athan wrote:

> 	iptables -A INPUT -m state --state NEW,ESTABLISHED -p tcp
> 	--sport 25
> 	iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -p tcp
> 	--dport 25
>
> Untested, off the top of my head, but should do the job.
>
> -Ath

Umm, it might help to have a target... adding "-j ACCEPT" perhaps?  :^) 
Also, since the intent is to let outside clients connect TO port 25, the 
INPUT rule should use --dport, while the OUTPUT should use --sport.  Of 
course, if a looser OUTPUT rule already exists (like EST/REL with no 
protocol specified) then the OUTPUT rule would be redundant anyway.  
(but would also be a sign that the firewall /could/ be tighter)

If logging of 'all' access is desired, at least for a test period, I'd 
suggest logging ONLY state NEW connections in INPUT, to keep from being 
overwhelmed.  Unless something goes seriously wrong, or you have 
insecure rules elsewhere, you will still log each and every IP that 
tries to connect to port 25, but only once per attempt, instead of once 
for each packet in 3mb worth of family Christmas pictures or such.  (and 
lord help your logfile if they send it to several family members 
individually... :^)  It'd probably be a good idea to log port 25 DROPs 
as well, so you can see if anyone has been poking around.

For individual IP control just redirect all NEW state dport 25 from INPUT 
to a custom chain that has an ACCEPT rule for each client IP, and a DROP 
at the end.  Obviously this would require either that every client has a 
static IP, or that you allow ranges of IPs which their dynamic IP is 
assigned from, and the latter isn't a good idea.  Since you're unlikely 
to be lucky enough that every client is (and would remain) on a static 
IP, this probably is pointless.

Finally, and probably most important, go to http://sendmail.net 
(presuming that's what you'd be running) and download and install the latest 
releases, and read through and follow all their security instructions.  
Starting with version 8.10 (8.12 is current release) sendmail supports 
SMTP AUTH - use it.

j
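A corrected and extended version of the rule set the reply describes (INPUT on --dport 25 and OUTPUT on --sport 25, explicit -j targets, logging only NEW connections, and a per-client chain with a logged DROP at the end), as an added example that is not part of the original thread. It assumes the mail host is the firewall itself, that INPUT's default policy is DROP, that client addresses are static, and the chain name SMTP_CLIENTS, the IPTABLES variable and the 192.0.2.x client addresses are my own constructed choices.

```shell
#!/bin/sh
# Added example, not the poster's own commands. Set IPTABLES=echo to print
# the generated rules for review instead of applying them (no root needed).
IPTABLES="${IPTABLES:-iptables}"

# smtp_rules CHAIN IP...  (CHAIN is the per-client chain, IPs are static clients)
smtp_rules() {
    chain="$1"; shift

    # Per-client chain: one ACCEPT per allowed source, then a logged DROP so
    # anyone else poking at port 25 shows up in the log.
    "$IPTABLES" -N "$chain"
    for ip in "$@"; do
        "$IPTABLES" -A "$chain" -s "$ip" -j ACCEPT
    done
    "$IPTABLES" -A "$chain" -j LOG --log-prefix "SMTP-DROP: "
    "$IPTABLES" -A "$chain" -j DROP

    # Inbound: outside clients connect TO port 25, so INPUT matches --dport 25.
    # Log only NEW connections (one line per attempt, not one per packet), then
    # hand NEW connections to the per-client chain; later packets of an
    # accepted connection are ESTABLISHED and pass without a log entry.
    "$IPTABLES" -A INPUT -p tcp --dport 25 -m state --state NEW -j LOG --log-prefix "SMTP-NEW: "
    "$IPTABLES" -A INPUT -p tcp --dport 25 -m state --state NEW -j "$chain"
    "$IPTABLES" -A INPUT -p tcp --dport 25 -m state --state ESTABLISHED -j ACCEPT

    # Outbound: the server's replies come FROM port 25, so OUTPUT matches --sport 25.
    "$IPTABLES" -A OUTPUT -p tcp --sport 25 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Example (constructed client addresses): IPTABLES=echo ./smtp-rules.sh
# smtp_rules SMTP_CLIENTS 192.0.2.10 192.0.2.20
```

Run it once with IPTABLES=echo and read the output before applying it for real, since a missing -j or a swapped --dport/--sport is easy to spot in the printed list.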
