After a visit to the forums as well as the blog, http://www.subvs.co.uk/smtp_blocking_with_ipcop, I wrote a shell script to effect the desired blocks.
The Setup:
- Guests are permitted only on the IPCop Blue network.
- We have a local mail server, 6xx.1.2.3, attached to our IPCop DMZ (Orange) network.
- Our primary domain MX server is reachable over the VPN at 192.168.y.y or over the internet at 5xx.1.2.3.
- Users on our trusted Green network are permitted to send mail to our MX server over the internet or over the VPN.
- Our admin uses one local PC (192.168.x.x) for testing SMTP traffic, so that IP is permitted to send SMTP outbound anywhere.
- Permit any outbound SMTP from GREEN_OKIP1 (the admin PC).
- Permit anyone on GREEN to connect to the MX server (internet or VPN).
- Permit the local mail server on ORANGE to send outbound SMTP anywhere.
- Log and block all other outbound SMTP requests over the RED interface.
- Guests on the BLUE network cannot send email via SMTP. Period.
- GREEN users cannot send email except through the MX server.
Caution: Make sure that you run rc.firewall.smtp stop before making any rule changes. The stop action deletes exactly the rules the script currently defines, so if you edit a rule while the old version is still loaded, the old rule is left orphaned in the chain. Stopping first eliminates a whole lot of cleanup later :)
The File:
#!/bin/sh
# Used to block outbound SMTP traffic
# Edited: AmAdmin 20090903
#
# Rules are appended (-A) on start and deleted (-D) on stop using the same
# definitions, so order matters: ACCEPT exceptions first, then LOG, then DROP.

# Pull in IPCop's interface settings ($GREEN_DEV, $ORANGE_DEV, $RED_DEV, ...)
eval $(/usr/local/bin/readhash /var/ipcop/ppp/settings)
eval $(/usr/local/bin/readhash /var/ipcop/ethernet/settings)

# Local admin PC for SMTP testing
GREEN_OKIP1=192.168.x.x
# Local mail servers (VPN/MX/RELAY)
MAILSRV1=192.168.y.y
MAILSRV2=5xx.1.2.3
MAILSRV3=6xx.1.2.3

allow_smtp() {
    # allow SMTP (25) and SMTPS (465) outbound from GREEN to the trusted mail server IPs
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -d $MAILSRV1 --dport 25 -j ACCEPT
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -d $MAILSRV1 --dport 465 -j ACCEPT
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -d $MAILSRV2 --dport 25 -j ACCEPT
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -d $MAILSRV2 --dport 465 -j ACCEPT
    # allow the local mail server on ORANGE to send outbound anywhere
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $ORANGE_DEV -s $MAILSRV3 --dport 25 -j ACCEPT
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $ORANGE_DEV -s $MAILSRV3 --dport 465 -j ACCEPT
    # permit SMTP outbound from trusted GREEN IP addresses to anywhere
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -s $GREEN_OKIP1 --dport 25 -j ACCEPT
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -i $GREEN_DEV -s $GREEN_OKIP1 --dport 465 -j ACCEPT
}

log_smtp() {
    # log all SMTP outbound over RED that was not accepted above
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -o $RED_DEV --dport 25 -j LOG --log-prefix "SMTP_"
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -o $RED_DEV --dport 465 -j LOG --log-prefix "SMTP-SSL_"
}

block_smtp() {
    # drop all SMTP outbound over RED that was not accepted above
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -o $RED_DEV --dport 25 -j DROP
    /sbin/iptables -$ACTION CUSTOMFORWARD -p tcp -o $RED_DEV --dport 465 -j DROP
}

# See how we were called.
case "$1" in
    start)
        ## add your 'start' rules here
        ACTION=A
        allow_smtp
        log_smtp
        block_smtp
        ;;
    stop)
        ## add your 'stop' rules here
        ACTION=D
        allow_smtp
        log_smtp
        block_smtp
        ;;
    reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
    status)
        /sbin/iptables -nvL CUSTOMFORWARD
        ;;
    *)
        echo "Usage: $0 {start|stop|reload|status}"
        ;;
esac
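As an added example (not the post's script), the following POSIX sh models the CUSTOMFORWARD chain in the order the script fills it (ACCEPT rules, then LOG, then DROP) with iptables' first-match semantics, and replays the policy from The Setup through it, so rule order can be checked before touching a live firewall. It assumes the packet is TCP and is being forwarded out via RED; the addresses are constructed placeholders standing in for the post's x.x / y.y values.

```shell
#!/bin/sh
# Added example, not the post's code: a pure-shell model of CUSTOMFORWARD
# as the script populates it (ACCEPT exceptions, then LOG, then DROP).
# Assumes a TCP packet being forwarded out via RED, so the LOG/DROP
# rules (-o $RED_DEV) match anything the ACCEPT rules did not take.
GREEN_OKIP1=192.168.1.50     # constructed: admin PC allowed to SMTP anywhere
MAILSRV1=192.168.200.10      # constructed: MX reached over the VPN
MAILSRV2=203.0.113.25        # constructed: MX reached over the internet
MAILSRV3=172.16.0.25         # constructed: local mail server in ORANGE
# verdict IN_DEV SRC DST DPORT  -> prints ACCEPT, LOG+DROP or NOMATCH
verdict() {
    in_dev=$1; src=$2; dst=$3; dport=$4
    # the script only installs rules for 25 and 465; other ports fall
    # through CUSTOMFORWARD to IPCop's own policy
    case $dport in 25|465) ;; *) echo NOMATCH; return 0 ;; esac
    # allow_smtp, rule for rule: GREEN -> either MX address
    if [ "$in_dev" = GREEN ] && { [ "$dst" = "$MAILSRV1" ] || [ "$dst" = "$MAILSRV2" ]; }; then
        echo ACCEPT; return 0
    fi
    # ORANGE mail server -> anywhere
    if [ "$in_dev" = ORANGE ] && [ "$src" = "$MAILSRV3" ]; then
        echo ACCEPT; return 0
    fi
    # admin PC on GREEN -> anywhere
    if [ "$in_dev" = GREEN ] && [ "$src" = "$GREEN_OKIP1" ]; then
        echo ACCEPT; return 0
    fi
    # log_smtp then block_smtp both match -o RED: logged, then dropped
    echo LOG+DROP
}
# check_policy: replays the Setup's stated policy (constructed sample
# packets) through verdict, prints each verdict, returns mismatch count
check_policy() {
    fails=0
    while read -r in_dev src dst dport want; do
        got=$(verdict "$in_dev" "$src" "$dst" "$dport")
        [ "$got" = "$want" ] || fails=$((fails + 1))
        printf '%-6s %-15s -> %-15s :%-3s %s\n' "$in_dev" "$src" "$dst" "$dport" "$got"
    done <<EOF
BLUE   192.168.2.77  203.0.113.25   25  LOG+DROP
BLUE   192.168.2.77  198.51.100.9   465 LOG+DROP
GREEN  192.168.1.20  192.168.200.10 25  ACCEPT
GREEN  192.168.1.20  198.51.100.9   25  LOG+DROP
GREEN  192.168.1.50  198.51.100.9   25  ACCEPT
ORANGE 172.16.0.25   198.51.100.9   465 ACCEPT
ORANGE 172.16.0.99   198.51.100.9   25  LOG+DROP
EOF
    return $fails
}
check_policy
```

Moving the allow_smtp call below log_smtp in the script would flip every ACCEPT row above to LOG+DROP, which is the ordering mistake this model is meant to catch.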
4 comments:
Thanks a lot, sir. I just want to know if it'll work with IPCop 2.0 and how I can test this script.
I have not tried this script with v2.0 but the concepts regarding what to block at the firewall ought to still apply. Testing should be as easy as attaching a computer to the restricted interface and attempting to send an email out. I will often do a simple telnet mail.server 25 to see if I can initiate a conversation with a remote server.
Thank you very much, really. I'm happy to visit your blog.
We were able to modify this script to block SMTP for everything but our two internal Exchange 2010 hub servers. We did this by making them look like the admin PC, $GREENPC1, and removing all the other ALLOWs.