LinuxQuestions.org
#1  08-17-2007, 08:55 AM
metallica1973 (Senior Member, Washington D.C, registered Feb 2003)
outgoing e-mail for users


I am using squid and dansguardian to filter web traffic, but I would like to allow a certain subnet to be able to receive and send out e-mail via pop3/smtp. Can somebody show me an example of an iptables rule that will allow a specific IP address or a subnet to have only this privilege, to send incoming and outgoing email via pop and smtp?
 
#2  08-17-2007, 12:10 PM
win32sux (LQ Guru, Los Angeles, Ubuntu, registered Jul 2003)
Here's an example:
Code:
iptables -A FORWARD -i eth1 -o eth0 -p TCP -s 192.168.40.0/24 \
-m multiport --dports 25,110 -m state --state NEW -j ACCEPT
This assumes a policy of DROP, as well as the existence of a rule for packets of state RELATED and ESTABLISHED. It also assumes eth1 is your LAN interface, and eth0 is your WAN.

Last edited by win32sux; 08-17-2007 at 12:28 PM.
 
#3  08-17-2007, 10:44 PM
metallica1973 (Original Poster; Senior Member, Washington D.C, registered Feb 2003)
So this will allow that one subnet to send and receive e-mail via pop3 (receive) and smtp (send out). Can I use this same rule for a single address?
 
#4  08-18-2007, 02:09 AM
win32sux (LQ Guru, Los Angeles, Ubuntu, registered Jul 2003)
Quote:
Originally Posted by metallica1973
Can I use this same rule for a single address?
Sure, you can use an IP too:
Code:
iptables -A FORWARD -i eth1 -o eth0 -p TCP -s 192.168.40.113 \
-m multiport --dports 25,110 -m state --state NEW -j ACCEPT
You could also use IP ranges if you like:
Code:
iptables -A FORWARD -i eth1 -o eth0 -p TCP \
-m iprange --src-range 192.168.40.27-192.168.40.98 \
-m multiport --dports 25,110 -m state --state NEW -j ACCEPT
 
#5  08-19-2007, 04:44 PM
metallica1973 (Original Poster; Senior Member, Washington D.C, registered Feb 2003)
I tried both of them and I still have the same issue. I can download e-mail fine (pop is working) and I can connect to my smtp server for outgoing e-mail (because it asks me for the username and password, as well as my being able to ping the smtp server). But when I try to send anything it times out and errors, saying that it cannot communicate with the smtp server, but I can ping it. So I know that it is a rule in my firewall that is causing this issue, because when I am on the DMZ I am cool. I would like to post my firewall rules but do not want the world seeing them. Here is my layout:

(eth0)
firewall
(eth1) LAN 192.168.3.0/27
|
|
|
(eth0)
Squid/Dansguardian - 192.168.3.0/27
|
|
|
|
LAN -----------Clients 192.168.3.0/27 |
|
|
|
Clients 192.168.3.0/27

win32sux, can I send you a copy of my firewall so you can take a look at it and tell me if you can see an issue?

Last edited by metallica1973; 08-19-2007 at 04:45 PM.
 
#6  08-19-2007, 05:08 PM
win32sux (LQ Guru, Los Angeles, Ubuntu, registered Jul 2003)
Quote:
Originally Posted by metallica1973
I tried both of them and I still have the same issue. I can download e-mail fine (pop is working) and I can connect to my smtp server for outgoing e-mail (because it asks me for the username and password, as well as my being able to ping the smtp server). But when I try to send anything it times out and errors, saying that it cannot communicate with the smtp server, but I can ping it. So I know that it is a rule in my firewall that is causing this issue, because when I am on the DMZ I am cool.
It's easy to see what is getting filtered. Just have a LOG rule log any filtered packet. BTW, are you placing the rule in a proper location? If the packets get sent to DROP or REJECT by a prior rule then they'll never see this rule.

Quote:
can I send you a copy of my firewall so you can take a look at it and tell me if you can see an issue?
Posting your rules here isn't a security issue if you make sure to remove/obfuscate any of your public IP addresses in it. Typically this would only be the IP(s) of your WAN interface. Trust me, you are much better off having the entire LQ community looking at your rules instead of just me. BTW, we'd only need to see your FORWARD, PREROUTING, and POSTROUTING rules.
Code:
iptables -nvL FORWARD --line-numbers
Code:
iptables -t nat -nvL PREROUTING --line-numbers
Code:
iptables -t nat -nvL POSTROUTING --line-numbers
Please use CODE tags when you post the output.

Last edited by win32sux; 08-19-2007 at 05:31 PM.
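The pieces the replies above take for granted, put together in one script: a DROP policy on FORWARD, the RELATED,ESTABLISHED rule ahead of everything else, the POP3/SMTP rule from post #2, and the LOG rule post #6 suggests, placed last so that anything the policy is about to drop shows up in the kernel log. This is an added example, not code from the thread or from win32sux; the interface names, the source subnet, the DRY_RUN variable and the FWD-DROP log prefix are assumptions. It runs in preview mode unless DRY_RUN=0 is set, so it can be read and checked without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: a FORWARD chain in the order the
# replies above assume. Interface names and addresses are assumptions.
# Default is a preview that prints the iptables commands; DRY_RUN=0 applies
# them for real (requires root and iptables).

run() {
    if [ "${DRY_RUN:-1}" = "0" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# mail_forward_rules SOURCE LAN_IF WAN_IF
# SOURCE may be one address (192.168.40.113) or a CIDR subnet (192.168.40.0/24).
mail_forward_rules() {
    src="$1"; lan_if="$2"; wan_if="$3"

    # Default deny: a forwarded packet that matches no rule below is dropped.
    run -P FORWARD DROP

    # 1. Packets belonging to connections already accepted. This has to come
    #    before the NEW rule, or the mail server's replies never reach the client.
    run -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 2. New outbound SMTP (25) and POP3 (110) connections from SOURCE only,
    #    entering on the LAN interface and leaving on the WAN interface.
    run -A FORWARD -i "$lan_if" -o "$wan_if" -p tcp -s "$src" \
        -m multiport --dports 25,110 -m state --state NEW -j ACCEPT

    # 3. Log whatever falls through before the policy drops it. Rate-limited so
    #    a noisy client cannot fill the kernel log; grep dmesg for FWD-DROP.
    run -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Ordering check on the generated rules: succeeds (exit 0) only when the
# ESTABLISHED rule precedes the NEW rule and the LOG rule comes last.
check_order() {
    rules="$(DRY_RUN=1 mail_forward_rules "$@")"
    est=$(printf '%s\n' "$rules" | grep -n 'RELATED,ESTABLISHED' | cut -d: -f1)
    new=$(printf '%s\n' "$rules" | grep -n -- '--state NEW' | cut -d: -f1)
    log=$(printf '%s\n' "$rules" | grep -n -- '-j LOG' | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ -n "$log" ] \
        && [ "$est" -lt "$new" ] && [ "$new" -lt "$log" ]
}

# Preview for the subnet used in post #2 (prints four iptables commands).
# To apply instead:  DRY_RUN=0 sh mail_forward.sh
# Then inspect with the listing command from post #6:
#   iptables -nvL FORWARD --line-numbers
mail_forward_rules 192.168.40.0/24 eth1 eth0
```

The preview output is what a reviewer would compare against `iptables -nvL FORWARD --line-numbers` on the real box: if an existing DROP or REJECT rule sits at a lower line number than the ACCEPT for ports 25 and 110, that earlier rule wins, which is exactly the placement problem post #6 asks about.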
 
#7  08-19-2007, 05:56 PM
win32sux (LQ Guru, Los Angeles, Ubuntu, registered Jul 2003)
If you are still hesitant to publicly post the output of the above commands, then go ahead and email the output to me. I'll have a look at it, but I'll post my feedback on this thread, so that anyone might benefit.
 
#8  08-20-2007, 06:07 PM
metallica1973 (Original Poster; Senior Member, Washington D.C, registered Feb 2003)
I will do so shortly, thanks.
 
  

