LinuxQuestions.org

Linux - Security > outgoing e-mail for users (https://www.linuxquestions.org/questions/linux-security-4/outgoing-e-mail-for-users-577788/)

metallica1973 08-17-2007 08:55 AM

outgoing e-mail for users
 
I am using Squid and DansGuardian to filter web traffic, but I would like to allow a certain subnet to be able to receive and send out e-mail via POP3/SMTP. Can somebody show me an example of an iptables rule that will allow a specific IP address or a subnet to have only this privilege, to send incoming and outgoing e-mail via POP and SMTP?

win32sux 08-17-2007 12:10 PM

Here's an example:
Code:

iptables -A FORWARD -i eth1 -o eth0 -p TCP -s 192.168.40.0/24 \
-m multiport --dports 25,110 -m state --state NEW -j ACCEPT

This assumes a policy of DROP, as well as the existence of a rule for packets of state RELATED and ESTABLISHED. It also assumes eth1 is your LAN interface, and eth0 is your WAN.

metallica1973 08-17-2007 10:44 PM

So this will allow that one subnet to send and receive e-mail via POP3 (receive) and SMTP (send out). Can I use this same rule for a single address?

win32sux 08-18-2007 02:09 AM

Quote:

Originally Posted by metallica1973 (Post 2862707)
Can I use this same rule for a single address?

Sure, you can use an IP too:
Code:

iptables -A FORWARD -i eth1 -o eth0 -p TCP -s 192.168.40.113 \
-m multiport --dports 25,110 -m state --state NEW -j ACCEPT

You could also use IP ranges if you like:
Code:

iptables -A FORWARD -i eth1 -o eth0 -p TCP \
-m iprange --src-range 192.168.40.27-192.168.40.98 \
-m multiport --dports 25,110 -m state --state NEW -j ACCEPT

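The three rules above (subnet, single address, a-b range) differ only in the source match. The script below is an added example, not code from the thread or from either poster: it builds the complete ruleset win32sux's first reply assumes (FORWARD policy DROP plus the RELATED,ESTABLISHED rule) and generates the mail rule for any of the three source forms, switching to the iprange match when the argument contains a dash. Interface names, the IPT variable and the APPLY_RULES switch are assumptions for the example; set IPT=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: build the "mail only" FORWARD
# rules win32sux describes, for any of the three source forms he shows
# (CIDR, single address, dash-separated range).
# Assumptions: eth1 is the LAN side, eth0 the WAN side, FORWARD policy DROP.
# IPT defaults to iptables; set IPT=echo to print the commands instead.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"

# Print the source-match arguments: a dash in the argument means an
# a-b range, which needs the iprange match; anything else goes to -s.
src_match() {
    case "$1" in
        *-*) printf '%s\n' "-m iprange --src-range $1" ;;
        *)   printf '%s\n' "-s $1" ;;
    esac
}

# Deny everything by default and let replies to allowed connections
# through; without the second rule the POP3/SMTP answers never get back.
base_rules() {
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Allow only NEW TCP connections to 25 (SMTP) and 110 (POP3), LAN to WAN,
# from the given source. Anything else from that source hits the policy.
mail_rules() {
    # word splitting of $(src_match ...) is intended here
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp $(src_match "$1") \
        -m multiport --dports 25,110 -m state --state NEW -j ACCEPT
}

# Full ruleset for the subnet, the host and the range used in the thread.
build_all() {
    base_rules
    mail_rules 192.168.40.0/24
    mail_rules 192.168.40.113
    mail_rules 192.168.40.27-192.168.40.98
}

if [ "${APPLY_RULES:-0}" = 1 ]; then
    build_all
fi
```

Two things to check before relying on this: the rules only cover traffic forwarded through the box (a mail client running on the firewall itself goes through OUTPUT/INPUT, not FORWARD), and if the mail server expects the submission port (587) or POP3 over TLS (995) those ports have to be added to the multiport list, because only 25 and 110 are opened here.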

metallica1973 08-19-2007 04:44 PM

I tried both of them and I am still having the same issue. I can download e-mail fine (POP is working) and I can connect to my SMTP server for outgoing e-mail (because it asks me for the username and password, and I am also able to ping the SMTP server). But when I try to send anything it times out and errors out saying that it cannot communicate with the SMTP server, but I can ping it. So I know that it is a rule in my firewall that is causing this issue, because when I am on the DMZ I am cool. I would like to post my firewall rules but do not want the world seeing them. Here is my layout:

      (eth0)
     firewall
      (eth1)  LAN 192.168.3.0/27
        |
        |
      (eth0)
  Squid/DansGuardian - 192.168.3.0/27
        |
        |
  LAN --+---------- Clients 192.168.3.0/27
        |
        |
    Clients 192.168.3.0/27

win32sux, can I send you a copy of my firewall so you can take a look at it and tell me if you can see an issue?

win32sux 08-19-2007 05:08 PM

Quote:

Originally Posted by metallica1973 (Post 2864037)
I tried both of them and I am still having the same issue. I can download e-mail fine (POP is working) and I can connect to my SMTP server for outgoing e-mail (because it asks me for the username and password, and I am also able to ping the SMTP server). But when I try to send anything it times out and errors out saying that it cannot communicate with the SMTP server, but I can ping it. So I know that it is a rule in my firewall that is causing this issue, because when I am on the DMZ I am cool.

It's easy to see what is getting filtered. Just have a LOG rule log any filtered packet. BTW, are you placing the rule in a proper location? If the packets get sent to DROP or REJECT by a prior rule then they'll never see this rule.

Quote:

can I send you a copy of my firewall so you can take a look at it and tell me if you can see an issue?
Posting your rules here isn't a security issue if you make sure to remove/obfuscate any of your public IP addresses in it. Typically this would only be the IP(s) of your WAN interface. Trust me, you are much better off having the entire LQ community looking at your rules instead of just me. BTW, we'd only need to see your FORWARD, PREROUTING, and POSTROUTING rules.
Code:

iptables -nvL FORWARD --line-numbers
Code:

iptables -t nat -nvL PREROUTING --line-numbers
Code:

iptables -t nat -nvL POSTROUTING --line-numbers
Please use CODE tags when you post the output.
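win32sux's two debugging suggestions, a LOG rule for whatever gets filtered and checking that the ACCEPT rule sits in front of any earlier DROP/REJECT, are shown below as an added example (not code from the thread). The LOG rule is appended as the last rule in FORWARD, so with a DROP policy it fires for exactly the packets the policy drops; the mail rule is inserted at position 1 with -I instead of appended with -A; and a small awk filter turns the kernel's log lines into a one-line-per-packet summary. The log lines are constructed for the example, the "FWD-DROP: " prefix is an arbitrary choice, and IPT=echo prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread: log what the FORWARD chain drops,
# put the mail rule ahead of everything else, and summarise the log lines.
# Assumes FORWARD has policy DROP. IPT=echo dry-runs the iptables calls.
IPT="${IPT:-iptables}"

# Append a LOG rule as the LAST rule in FORWARD: it only sees packets that no
# ACCEPT rule matched, i.e. exactly what the DROP policy is about to drop.
# The limit match keeps a burst of traffic from flooding the log.
add_forward_log() {
    "$IPT" -A FORWARD -m limit --limit 10/min \
        -j LOG --log-prefix "FWD-DROP: " --log-level 4
}

# Insert the mail rule at position 1 (-I) rather than appending it (-A), so a
# DROP or REJECT rule that is already in the chain cannot shadow it.
insert_mail_rule_first() {
    "$IPT" -I FORWARD 1 -i eth1 -o eth0 -p tcp -s "$1" \
        -m multiport --dports 25,110 -m state --state NEW -j ACCEPT
}

# Read kernel log lines on stdin and print "PROTO SRC -> DST:DPT [SYN]" for
# every packet the LOG rule recorded; other log lines are ignored.
summarize_drops() {
    grep 'FWD-DROP:' | awk '{
        proto = src = dst = dpt = ""; syn = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if ($i == "SYN") syn = "SYN"
        }
        printf "%s %s -> %s:%s %s\n", proto, src, dst, dpt, syn
    }'
}

# Constructed sample of what /var/log/messages (or dmesg) would contain:
# two dropped connection attempts from a LAN client and one unrelated line.
SAMPLE_LOG='Aug 19 17:01:02 fw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.3.20 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=40021 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 19 17:01:05 fw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.3.20 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=40022 DPT=143 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 19 17:01:09 fw sshd[2311]: Accepted publickey for admin from 192.168.3.5 port 51022 ssh2'

if [ "${APPLY_RULES:-0}" = 1 ]; then
    insert_mail_rule_first 192.168.3.0/27
    add_forward_log
fi
```

Usage: `printf '%s\n' "$SAMPLE_LOG" | summarize_drops` prints the two dropped SYNs, with their destination ports; on a live box, replace the sample with `grep 'FWD-DROP:' /var/log/messages`. A SYN to port 25 showing up here after the ACCEPT rule is in place means an earlier rule is catching it first, which is exactly what `iptables -nvL FORWARD --line-numbers` will show.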

win32sux 08-19-2007 05:56 PM

If you are still hesitant to publicly post the output of the above commands, then go ahead and email the output to me. I'll have a look at it, but I'll post my feedback on this thread, so that anyone might benefit.

metallica1973 08-20-2007 06:07 PM

I will do so shortly, thanks.

