Block SMTP traffic not from mail server on ipcop

IPCop is a dedicated firewall distro, and is a great, easy way to get a firewall up quickly - it's also pretty idiot-proof with a nice easy GUI. One thing I could not find a plugin for was blocking SMTP traffic from anything other than a single mail server. This is a great idea if you use NAT and there are a lot of computers behind your IPCop: because it defaults to allowing all outgoing traffic, one of the workstations may become infected with something and start spamming directly to the internet. This is bad both because you are now a spammer, and also because your IP is about to get blacklisted on something like Spamhaus or the CBL. Once you are blacklisted, your genuine emails start to get bounced, suits start foaming at the mouth and there is much weeping and gnashing of teeth.

Enter iptables. You will need to enable SSH on your IPCop by clicking SYSTEM > SSH ACCESS, ticking SSH Access, then SAVE. You can now ssh to your IPCop, which listens on port 222 rather than 22 (if you are using Windows, get PuTTY and set the port to 222 and the user to root):

ssh -p222 root@1.2.3.4  # Where 1.2.3.4 is the ip of your IPCop

Supply the root password you gave during setup to log in. Next we will edit the /etc/rc.d/rc.firewall.local file and add our new SMTP blocking rules. Open the file with vi or nano, look for the line "## add your 'start' rules here" and put your new rules under it. Order matters: iptables evaluates the CUSTOMFORWARD chain top to bottom, so the ACCEPT rules for allowed hosts must come before the LOG and REJECT rules.

vi /etc/rc.d/rc.firewall.local
        ## add your 'start' rules here
# allow smtp from some allowed ips (one ACCEPT pair per extra host)
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s x.x.x.x --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s x.x.x.x --dport 465 -j ACCEPT
# log stuff that is not the mail server
# ("-s ! addr" is the negation syntax IPCop's older iptables understands;
#  newer iptables releases write the same match as "! -s addr")
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 25 -j LOG --log-prefix "SMTP"
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 465 -j LOG --log-prefix "SMTP-SSL"
# block all other outgoing SMTP traffic (the mail server itself falls through
# to IPCop's default allow-outgoing policy)
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 25 -j REJECT
/sbin/iptables -A CUSTOMFORWARD -p tcp -i eth0 -s ! y.y.y.y --dport 465 -j REJECT

Replace x.x.x.x with an extra IP that you want to allow SMTP access for (and repeat the pair of ACCEPT rules for any others). This may be for something that your main mail server does not relay for. Replace y.y.y.y with the IP of your mail server.

Once you have saved, reboot the IPCop so rc.firewall.local is re-read. Check the logs every now and then (if you have used the same --log-prefix as above, you can do this with "grep SMTP /var/log/messages"). A lot of log entries for one machine can mean that a PC has been compromised (but usually means a user has set up their personal email account on it - you can then solicit bribes from them to add them to the allowed IPs).
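As an added example (not part of the original post, and not an IPCop script), here is a small POSIX shell script that does the two jobs above for you: it generates the CUSTOMFORWARD rule set from a mail server address plus any number of extra allowed hosts, and it summarises the "SMTP" log lines per source address so the noisy workstation stands out. It generalises the post's rules slightly: because every allowed host gets an explicit ACCEPT first, the LOG and REJECT rules that follow need no "-s !" negation, and the LOG rule is rate limited with the limit match so an infected machine cannot flood /var/log/messages. MAIL_SERVER, ALLOWED_EXTRA and LAN_IF are placeholders, the sample log lines are constructed, and the script name smtp_guard.sh is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: builds the CUSTOMFORWARD rules from
# a list of allowed hosts and summarises logged SMTP attempts per source address.
# MAIL_SERVER, ALLOWED_EXTRA and LAN_IF are placeholders you must set yourself.
MAIL_SERVER="${MAIL_SERVER:-y.y.y.y}"     # LAN ip of the mail server (placeholder)
ALLOWED_EXTRA="${ALLOWED_EXTRA:-x.x.x.x}" # other hosts allowed to send, space separated
LAN_IF="${LAN_IF:-eth0}"                  # IPCop GREEN interface
SMTP_PORTS="25 465"

# Print one iptables command per line. ACCEPT rules for every allowed host come
# first, so the LOG and REJECT rules that follow only ever see other hosts and
# need no "-s !" negation. The LOG rule is rate limited so a spamming machine
# cannot flood /var/log/messages. The log prefix ends in a space so the kernel
# line reads "SMTP IN=eth0 ..." rather than "SMTPIN=eth0 ...".
gen_smtp_rules() {
    mail_server=$1
    extra=$2
    lan_if=${3:-eth0}
    for ip in $mail_server $extra; do
        for port in $SMTP_PORTS; do
            echo "/sbin/iptables -A CUSTOMFORWARD -p tcp -i $lan_if -s $ip --dport $port -j ACCEPT"
        done
    done
    for port in $SMTP_PORTS; do
        if [ "$port" = 465 ]; then prefix="SMTP-SSL"; else prefix="SMTP"; fi
        echo "/sbin/iptables -A CUSTOMFORWARD -p tcp -i $lan_if --dport $port -m limit --limit 6/min --limit-burst 20 -j LOG --log-prefix \"$prefix \""
        echo "/sbin/iptables -A CUSTOMFORWARD -p tcp -i $lan_if --dport $port -j REJECT"
    done
}

# Read syslog on stdin and print "count source-ip" for logged SMTP attempts,
# busiest host first. A host with many hits is either infected or has a user
# running a personal mail client.
smtp_log_summary() {
    grep 'SMTP' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample of what the LOG target writes, for trying the summary offline.
SAMPLE_LOG='Jan  1 10:00:01 ipcop kernel: SMTP IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=25
Jan  1 10:00:02 ipcop kernel: SMTP IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=203.0.113.6 PROTO=TCP SPT=51001 DPT=25
Jan  1 10:00:03 ipcop kernel: SMTP-SSL IN=eth0 OUT=eth1 SRC=192.168.1.77 DST=203.0.113.7 PROTO=TCP SPT=51002 DPT=465
Jan  1 10:00:04 ipcop kernel: SSH IN=eth1 OUT= SRC=198.51.100.9 DST=203.0.113.1 PROTO=TCP SPT=40000 DPT=22'

# Usage:  sh smtp_guard.sh rules            (paste the output into rc.firewall.local)
#         sh smtp_guard.sh report < /var/log/messages
#         sh smtp_guard.sh demo             (runs the report over SAMPLE_LOG)
case "${1:-}" in
    rules)  gen_smtp_rules "$MAIL_SERVER" "$ALLOWED_EXTRA" "$LAN_IF" ;;
    report) smtp_log_summary ;;
    demo)   printf '%s\n' "$SAMPLE_LOG" | smtp_log_summary ;;
esac
```

Run "sh smtp_guard.sh rules" with your own addresses exported (for example MAIL_SERVER=10.0.0.2 ALLOWED_EXTRA="10.0.0.9 10.0.0.10") and paste the printed lines under the 'start' marker; "sh smtp_guard.sh report < /var/log/messages" then gives you the per-host hit count to check every now and then.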