LinuxQuestions.org > Linux - Security > Iptables question for only allow internal mail
(https://www.linuxquestions.org/questions/linux-security-4/iptables-question-for-only-allow-internal-mail-642106/)

zazem 05-14-2008 07:18 AM

Iptables question for only allow internal mail
 
Hi all,

I am running Ubuntu 8.04 + postfix, and I want to block all email coming in and out of the LAN network, but internal email is allowed.

My network structure is:

LAN--internal firewall--mail/ftp/web/DNS/DHCP server--external firewall--Internet

For easy testing, I assume the IP range 192.168.1.80-192.168.1.100 is external IPs.

Here is the rule:

iptables -A INPUT -p TCP -m iprange --src-range 192.168.1.80-192.168.1.100 -m multiport --dports 25,110,143 -m state --state NEW -j DROP

iptables -A OUTPUT -p TCP -m iprange --src-range 192.168.1.80-192.168.1.100 -m multiport --dports 25,110,143 -m state --state NEW -j DROP

How do I use logging to test the rule, and is there any better way to test it?
Can someone optimize the rule?

Very much appreciated.

acid_kewpie 05-14-2008 07:24 AM

it seems wholly illogical to use iptables to stop the result you are concerned with. you should surely either 1) configure the physical firewall with a standard permit policy to block it, or (or rather *and*) 2) configure postfix to only allow local domains and ip addresses to make access to the outside world never happen in the first place.

zazem 05-14-2008 07:39 AM

Quote:

Originally Posted by acid_kewpie (Post 3152829)
it seems wholly illogical to use iptables to stop the result you are concerned with. you should surely either 1) configure the physical firewall with a standard permit policy to block it, or (or rather *and*) 2) configure postfix to only allow local domains and ip addresses to make access to the outside world never happen in the first place.

Thanks acid_kewpie,

This is my first time playing with a firewall, but my task is to define the iptables rules that only allow internal email. Can you give me some clues on how to define the policy?

Even if I can change to sendmail, what network structure is suitable for using iptables to block all incoming and outgoing emails?

Looking for your help again

Cheers

acid_kewpie 05-14-2008 07:49 AM

well you're not really clear on what the actual scenario is. you mention ports 25, 110 and 143, and postfix will only use the first, there'd be no use of pop3 or imap in your requirements i'd imagine.

I can see why you've tried to be so specific in that rule, but I'd advise against it as the real life scenario doesn't really need it and it can make things overly complex. if you want to only allow clients in the 192.168.1.0/24 subnet to use postfix with an iptables rule then i would say...

iptables -A OUTPUT -p TCP --sport 25 ! -d 192.168.1.0/24 -j DROP

drop all packets leaving the box from port 25 to IPs not in the local subnet. much clearer and no need for things like state tracking here either. possible, but just serves no purpose really.

This rule is to control yourself, note, not to control unknown untrusted sources; again, that is for internet firewalls, which you already have, and in a professional environment i would *not* advocate using iptables here at all outside of duplicating existing rules in better locations.
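As an added example (not code from the thread or from either poster), here is the rule set the advice above implies for the mail host itself, with a rate-limited LOG rule ahead of each DROP to answer the original question about testing with logging, plus a helper that pulls the dropped peer out of the resulting kernel log lines. LAN_NET, the "SMTP-*-DROP:" prefixes and the sample log line are assumed values constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables-restore
# fragment that keeps SMTP (tcp/25) inside the LAN, with a rate-limited LOG
# rule ahead of each DROP so test traffic can be seen in the kernel log, and
# a small helper that extracts the dropped peers from such log lines.
# LAN_NET and the "SMTP-*-DROP:" prefixes are assumptions for this example.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SMTP_PORT=25

# Emit the filter-table rules. Pipe the output into `iptables-restore -n`
# to load it without flushing existing chains (needs root).
build_mail_rules() {
    cat <<EOF
*filter
# This host may not deliver mail outside the LAN: log, then drop.
-A OUTPUT -p tcp --dport ${SMTP_PORT} ! -d ${LAN_NET} -m limit --limit 5/min -j LOG --log-prefix "SMTP-OUT-DROP: "
-A OUTPUT -p tcp --dport ${SMTP_PORT} ! -d ${LAN_NET} -j DROP
# Nothing outside the LAN may open an SMTP session to this host: log, then drop.
-A INPUT -p tcp --dport ${SMTP_PORT} ! -s ${LAN_NET} -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "SMTP-IN-DROP: "
-A INPUT -p tcp --dport ${SMTP_PORT} ! -s ${LAN_NET} -m state --state NEW -j DROP
COMMIT
EOF
}

# Reduce kernel log lines carrying one of the prefixes above to "SRC DPT"
# pairs, which is enough to confirm the test client actually hit the rule.
dropped_peers() {
    sed -n 's/.*SMTP-[A-Z]*-DROP: .*SRC=\([0-9.]*\) .*DPT=\([0-9]*\).*/\1 \2/p'
}

# Constructed sample log line (not captured from a real system).
SAMPLE_LOG='May 14 08:40:01 mailhost kernel: SMTP-IN-DROP: IN=eth0 OUT= SRC=192.168.1.85 DST=192.168.1.10 PROTO=TCP SPT=49152 DPT=25 SYN'

if [ "${1:-}" = "show" ]; then
    build_mail_rules
    printf '%s\n' "$SAMPLE_LOG" | dropped_peers
fi
```

Load it with `build_mail_rules | iptables-restore -n` as root, then try an SMTP connection from a test client outside LAN_NET and grep the kernel log for the prefix; `dropped_peers` gives you the source and port that were blocked.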

zazem 05-14-2008 08:38 AM

Quote:

Originally Posted by acid_kewpie (Post 3152856)
well you're not really clear on what the actual scenario is. you mention ports 25, 110 and 143, and postfix will only use the first, there'd be no use of pop3 or imap in your requirements i'd imagine.

I can see why you've tried to be so specific in that rule, but I'd advise against it as the real life scenario doesn't really need it and it can make things overly complex. if you want to only allow clients in the 192.168.1.0/24 subnet to use postfix with an iptables rule then i would say...

iptables -A OUTPUT -p TCP --sport 25 ! -d 192.168.1.0/24 -j DROP

drop all packets leaving the box from port 25 to IPs not in the local subnet. much clearer and no need for things like state tracking here either. possible, but just serves no purpose really.

This rule is to control yourself, note, not to control unknown untrusted sources; again, that is for internet firewalls, which you already have, and in a professional environment i would *not* advocate using iptables here at all outside of duplicating existing rules in better locations.

In my iptables report, I should use another host to test the rule, so I assume 192.168.1.60-80 as the external user, and I test the rule using Windows and Ubuntu.

So as I understand, I also need to block packets to the firewall.

iptables -A OUTPUT -p TCP --sport 25 -m iprange ! --dst-range 192.168.1.80-192.168.1.100 -j DROP

iptables -A INPUT -p TCP --dport 25 -m iprange ! --src-range 192.168.1.80-192.168.1.100 -j DROP

Am I right? Please give me some hints.

Cheers

acid_kewpie 05-14-2008 08:56 AM

your report?
