After an event where a visitor managed to generate enough spam that our mail server was blacklisted, I decided to configure our firewall, IPCop, to prevent a future occurrence.
After a visit to the forums as well as the blog, http://www.subvs.co.uk/smtp_blocking_with_ipcop, I wrote a shell script to effect the desired blocks.
The Setup:
- Guests are permitted only on the IPCop Blue network.
- We have a local mail server, 6xx.1.2.3, attached to our IPCop DMZ (Orange) network.
- Our primary domain MX server is reachable over the VPN at 192.168.y.y or over the internet at 5xx.1.2.3.
- Users on our trusted Green network are permitted to send mail to our MX server over the internet or over the VPN.
- Our admin uses one local PC (192.168.x.x) for testing SMTP traffic, so that IP is permitted to send SMTP outbound anywhere.
The Approach:
- Permit any outbound SMTP from GREEN_OKIP1 (the admin PC)
- Permit anyone on GREEN to connect to the MX server (internet or VPN)
- Permit local mail server to send outbound SMTP anywhere from ORANGE
- Log and block all other outbound SMTP requests over the RED interface
The Limits:
- Guests on the BLUE network cannot send email via SMTP. Period.
- GREEN users cannot send email except through the MX server.
I chose to create an rc.firewall.smtp shell script and call it from within the rc.firewall.local script. That made it easier to test without messing with the main firewall protections.
Caution: Make sure that you run rc.firewall.smtp stop before making any rule changes. The stop action deletes exactly the rules the script currently defines, so if you edit the rules first the old ones stay loaded in CUSTOMFORWARD. Running stop first eliminates a whole lot of cleanup later :)
The File:
#!/bin/sh
# Used to block outbound SMTP traffic
# Edited: AmAdmin 20090903
# Pull in the IPCop interface names (GREEN_DEV, ORANGE_DEV, RED_DEV, ...)
eval $(/usr/local/bin/readhash /var/ipcop/ppp/settings)
eval $(/usr/local/bin/readhash /var/ipcop/ethernet/settings)
# Local admin PC for SMTP testing
GREEN_OKIP1=192.168.x.x
# Local mail servers (VPN/MX/RELAY)
MAILSRV1=192.168.y.y
MAILSRV2=5xx.1.2.3
MAILSRV3=6xx.1.2.3

allow_smtp() {
  # allow smtp outbound from GREEN to the trusted mail server ips (VPN and internet)
  /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -d $MAILSRV1 --dport 25 -j ACCEPT
  /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -d $MAILSRV1 --dport 465 -j ACCEPT
  /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -d $MAILSRV2 --dport 25 -j ACCEPT
  /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -d $MAILSRV2 --dport 465 -j ACCEPT
  # allow the local mail server on ORANGE to send outbound smtp anywhere
  /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $ORANGE_DEV -s $MAILSRV3 --dport 25 -j ACCEPT
  /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $ORANGE_DEV -s $MAILSRV3 --dport 465 -j ACCEPT
  # permit smtp outbound from trusted GREEN ip addresses to anywhere
  /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -s $GREEN_OKIP1 --dport 25 -j ACCEPT
  /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -s $GREEN_OKIP1 --dport 465 -j ACCEPT
}

log_smtp() {
  # log all other smtp outbound via RED (trusted traffic was already ACCEPTed above)
  /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -o $RED_DEV --dport 25 -j LOG --log-prefix "SMTP_"
  /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -o $RED_DEV --dport 465 -j LOG --log-prefix "SMTP-SSL_"
}

block_smtp() {
  # block all other smtp outbound via RED
  /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -o $RED_DEV --dport 25 -j DROP
  /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -o $RED_DEV --dport 465 -j DROP
}

# See how we were called.
case "$1" in
  start)
    ## add your 'start' rules here
    # -A appends, so the order matters: ACCEPT rules first, then LOG, then DROP
    ACTION=A
    allow_smtp
    log_smtp
    block_smtp
    ;;
  stop)
    ## add your 'stop' rules here
    # -D deletes the same rules again, which only works while they are unchanged
    ACTION=D
    allow_smtp
    log_smtp
    block_smtp
    ;;
  reload)
    ## add your 'reload' rules here
    $0 stop
    $0 start
    ;;
  status)
    /sbin/iptables -nvL CUSTOMFORWARD
    ;;
  *)
    echo "Usage: $0 {start|stop|reload|status}"
    ;;
esac
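Once the LOG rules are in place, the useful follow-up is to see who is being blocked. The script below is an added example, not part of the original post or of IPCop: it summarises the kernel log lines the "SMTP_" and "SMTP-SSL_" rules produce, per source host and port, and lists hosts that exceed a threshold. The log lines are a constructed sample (hosts and interface names are made up); on a real box you would feed it the file your syslog writes kernel messages to, assumed here to be /var/log/messages.

```shell
#!/bin/sh
# Constructed sample of the kernel log lines written by the LOG rules above.
# The prefix runs straight into "IN=" because --log-prefix has no trailing
# space. Not real log data; the hosts and interfaces are made up.
SAMPLE_LOG='Sep  3 10:15:22 ipcop kernel: SMTP_IN=eth2 OUT=eth1 SRC=192.168.2.50 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=41022 DPT=25 SYN URGP=0
Sep  3 10:15:23 ipcop kernel: SMTP_IN=eth2 OUT=eth1 SRC=192.168.2.50 DST=203.0.113.26 LEN=60 PROTO=TCP SPT=41023 DPT=25 SYN URGP=0
Sep  3 10:16:01 ipcop kernel: SMTP-SSL_IN=eth2 OUT=eth1 SRC=192.168.2.77 DST=203.0.113.30 LEN=60 PROTO=TCP SPT=50001 DPT=465 SYN URGP=0
Sep  3 10:16:05 ipcop kernel: unrelated message SRC=10.0.0.1 DPT=80'

# Read log text on stdin and print "count src dport" for every blocked
# outbound SMTP attempt, most frequent first. Only lines carrying one of
# the two prefixes from the script ("SMTP_" or "SMTP-SSL_") are counted.
smtp_block_report() {
  grep -E 'kernel: SMTP(-SSL)?_' |
  awk '{
    src = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/) src = substr($i, 5)
      if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    if (src != "" && dpt != "") n[src " " dpt]++
  }
  END { for (k in n) print n[k], k }' | sort -rn
}

# Read log text on stdin and print the source hosts whose blocked attempts
# (ports 25 and 465 together) reach the threshold given as $1, one per line.
# A guest machine on BLUE spewing mail shows up here first.
smtp_offenders() {
  smtp_block_report |
  awk -v t="$1" '{ tot[$2] += $1 } END { for (s in tot) if (tot[s] >= t) print s }' |
  sort
}

# Against the live firewall (assumed log location):
#   grep 'SMTP' /var/log/messages | smtp_offenders 20
printf '%s\n' "$SAMPLE_LOG" | smtp_block_report
printf '%s\n' "$SAMPLE_LOG" | smtp_offenders 2
```

Everything the report shows was already dropped by the DROP rules; the report only tells you which hosts on BLUE or GREEN to go and look at.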