Old 08-17-2006, 10:36 AM   #1
ger87410
LQ Newbie
 
Registered: Apr 2005
Posts: 6

Rep: Reputation: 0
Need help allowing smtp from specific addresses


Red Hat 9.0. (Upgrading is not an option.) The T1 is connected via wan0, and eth1 connects the internal network.
Relatively new to firewalls.
We have a firewall script set up where we're blocking all connections from overseas.
Here's the script:
***********************************************************************
#!/bin/bash

# allow loopback to/from bba1
# allow bba1|LAN->Net DNS (udp 53), PASV FTP (tcp 21, 1024+), telnet
# allow HTTP (tcp 80), HTTPS (tcp 443) from LAN,Net
# allow SSH (tcp 22) from anywhere
# allow SMTP (tcp 25) to/from Net
# allow POP3 (tcp 110) from LAN

# blackship tracert to public IP gets timeout on 1st hop (bba1)
# but otherwise goes through for higher hop counts

iptables -F

# the chains do not exist yet on the first run; ignore the -X errors
iptables -X AVCIN 2>/dev/null
iptables -X AVCOUT 2>/dev/null
iptables -X AVCFWD 2>/dev/null

iptables -N AVCIN
iptables -N AVCOUT
iptables -N AVCFWD

#iptables -A AVCIN -p tcp ! --syn -m state --state NEW -j DROP
#iptables -A AVCFWD -p tcp ! --syn -m state --state NEW -j DROP

iptables -A AVCOUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A AVCIN -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A AVCFWD -p icmp --icmp-type echo-reply -j ACCEPT

exec 3< /avc/data/badIps.txt
while read LINE <&3 ; do
LINE=${LINE#* }
LINE=${LINE% *}
iptables -A AVCIN -s $LINE -j REJECT
done

# We're taking the IP addresses out of a text file here and assigning the value to the variable $LINE
exec 3< /avc/data/goodIps.txt
while read LINE <&3 ; do
LINE=${LINE#* }
LINE=${LINE% *}
# iptables -A AVCIN -s $LINE -j ACCEPT
iptables -A AVCIN -m multiport -p tcp -s $LINE --dport smtp,www,ftp,ftp-data,irc -j ACCEPT
iptables -A AVCIN -m multiport -p udp -s $LINE --dport smtp,www,ftp,ftp-data,irc -j ACCEPT
done

iptables -A AVCIN -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A AVCIN -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A AVCIN -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A AVCIN -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A AVCIN -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A AVCIN -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A AVCOUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A AVCFWD -p udp -m state --state ESTABLISHED -j ACCEPT
#iptables -A AVCFWD -i eth0 -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A AVCFWD -s 192.168.1.0/24 -p udp -m state --state NEW,ESTABLISHED -j ACCEPT

# for ikano radius - eliminate the tcp ?
iptables -A AVCIN -p tcp -s 216.126.204.0/24 --dport 1645:1646 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A AVCIN -p tcp -s 165.154.11.0/24 --dport 1645:1646 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A AVCIN -p udp -s 216.126.204.0/24 --dport 1645:1646 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A AVCIN -p udp -s 165.154.11.0/24 --dport 1645:1646 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A AVCIN -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A AVCOUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A AVCFWD -p tcp -m state --state ESTABLISHED -j ACCEPT
#iptables -A AVCFWD -i eth0 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A AVCFWD -s 192.168.1.0/24 -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A AVCOUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A AVCFWD -i eth0 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A AVCFWD -s 192.168.1.0/24 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A AVCIN -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A AVCOUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A AVCFWD -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A AVCFWD -i eth0 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A AVCFWD -s 192.168.1.0/24 -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A AVCIN -s 192.168.1.0/24 -j ACCEPT

#iptables -A AVCIN -i lo -j ACCEPT
#iptables -A AVCOUT -o lo -j ACCEPT
iptables -A AVCIN -s 127.0.0.0/8 -j ACCEPT
iptables -A AVCOUT -d 127.0.0.0/8 -j ACCEPT

#iptables -A AVCIN -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A AVCIN -j DROP
iptables -A AVCOUT -j DROP
iptables -A AVCFWD -j DROP

iptables -I INPUT 1 -j AVCIN
iptables -I OUTPUT 1 -j AVCOUT
iptables -I FORWARD 1 -j AVCFWD

# this net addr trans rule is added in /etc/wanpipe/scripts/wanpipe1-wan0-start
#iptables -t nat -A POSTROUTING -j SNAT --source 192.168.1.0/24 --out-interface wan0 --to-source 216.161.43.122

************************************************************************

We love this because it cuts our spam down to almost nil, but some of our customers have email accounts where the server is overseas. We're also blocking them (by accident).
Running that script will result in me not being able to `telnet mx01.perfora.net 25` (the connection times out). As soon as I take out the part where it blocks the overseas IPs, I can `telnet mx01.perfora.net 25` successfully.
How do I make it so that we can accept SMTP connections from the addresses in goodIps.txt?
Thanks.
Gerald
 
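The rule-ordering issue in the script above, as an added example (this is not Gerald's script): iptables evaluates a chain top to bottom and stops at the first match, and the badIps.txt REJECT loop is appended before the goodIps.txt ACCEPT loop, so any whitelisted address that also falls inside a rejected range never reaches its ACCEPT. The functions below emit the AVCIN allow/deny rules whitelist-first (dry run by default) and check the resulting order; the three-field list format, the `IPT` variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. iptables is first-match-wins: an
# ACCEPT appended after a REJECT that covers the same address never fires.
# This rebuilds the allow/deny part of AVCIN so goodIps.txt is matched
# before badIps.txt. List format is assumed to be the one the post's
# ${LINE#* } / ${LINE% *} stripping implies: "<label> <addr> <label>".
# Default is a dry run that prints the commands; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

# Print the middle (address) field of every non-empty line of a list file.
list_addrs() {
    while read -r LINE; do
        LINE=${LINE#* }
        LINE=${LINE% *}
        if [ -n "$LINE" ]; then printf '%s\n' "$LINE"; fi
    done < "$1"
}

# Emit AVCIN rules: whitelisted senders first, then the blocklist REJECTs.
# The second whitelist rule matters for the outbound telnet test in the post:
# replies from a whitelisted MX arrive with dport 1024+, not 25, so a rule
# keyed on --dport alone would still fall through to the REJECT.
build_avcin() {
    good=$1
    bad=$2
    for a in $(list_addrs "$good"); do
        $IPT -A AVCIN -s "$a" -p tcp -m multiport --dport 25,80,21,20,194 -j ACCEPT
        $IPT -A AVCIN -s "$a" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    for a in $(list_addrs "$bad"); do
        $IPT -A AVCIN -s "$a" -j REJECT
    done
}

# Sanity check on the emitted rules (or on `iptables -S AVCIN` output):
# exit 0 only if no ACCEPT appears after the first REJECT.
accepts_precede_rejects() {
    awk '/-j REJECT/ { seen = 1 }
         /-j ACCEPT/ && seen { bad = 1 }
         END { exit bad + 0 }'
}
```

After applying the rules for real, `iptables -L AVCIN -n --line-numbers` shows the evaluation order and lets you confirm the whitelist entries sit above the REJECTs.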
Old 08-18-2006, 03:43 AM   #2
w3bd3vil
Senior Member
 
Registered: Jun 2006
Location: Hyderabad, India
Distribution: Fedora
Posts: 1,191

Rep: Reputation: 49
This might solve the problem.
iptables -A AVCOUT -p tcp --dport 25 -s ! mx01.perfora.net -m state --state NEW,ESTABLISHED -j ACCEPT