Re: smtp ipchains rule... please help

To: debian-firewall@lists.debian.org
Subject: Re: smtp ipchains rule... please help
From: Michael Wood <wood@kingsley.co.za>
Date: Tue, 29 May 2001 09:33:11 +0200
Message-id: <[🔎] 20010529093311.F30580@lion.kingsley.co.za>
Mail-followup-to: Michael Wood <wood@kingsley.co.za>, debian-firewall@lists.debian.org
In-reply-to: <[🔎] 3B1309DE.39EF76B4@hanaden.com>; from hanasaki@hanaden.com on Mon, May 28, 2001 at 09:30:54PM -0500
References: <[🔎] 3B1309DE.39EF76B4@hanaden.com>

On Mon, May 28, 2001 at 09:30:54PM -0500, hanasaki wrote:
> Recently, I had to change my firewall rules for smtp to the following:
>     ipchains -A input -i eth0 -s 0/0 smtp -d 0/0 -p tcp -j ACCEPT -b

This allows connections from port 25 on remote machines to any
port on your machine.  So if you had port 110 firewalled later
on (or it was blocked by the policy), for example, someone could
still connect to your POP server, as long as they used port 25
on their end.

> Becuase the following started showing up in my syslog from
> ipchains.  Can someone explain what could have happend?  My IP
> is the 65.28.......  It looks like external systems are now
> trying to connect 25-> random port.

That could be someone trying to bypass your firewall by
initiating connections from the SMTP port.  It might also be
some sort of port probe.

> What should the rule be to allow me to send email out and to
> allow other MTA to send email to me?

Something like this should do it.  This is off the top of my
head, so you might want to doublecheck it.

MYIP=w.x.y.z
INTERFACE=eth0

# outgoing SMTP connections from $MYIP to anywhere
ipchains -A output -p tcp -i $INTERFACE -s $MYIP 1024:65535 \
	--dport 25 -j ACCEPT
ipchains -A input -p tcp -i $INTERFACE --sport 25 \
	-d $MYIP 1024:65535 ! -y -j ACCEPT

# The "! -y" is important in the above input rule.  This allows
# only packets from port 25 to a high port on your machine that
# are part of an established connection.  Not new connections.

# incoming SMTP connections to $MYIP from anywhere
ipchains -A input -p tcp -i $INTERFACE -d $MYIP 25 -j ACCEPT
ipchains -A output -p tcp -i $INTERFACE -s $MYIP 25 -j ACCEPT

> May 28 21:11:53 portal kernel: Packet log: input DENY eth0 PROTO=6
> 216.115.107.17:25 65.28.85.53:1235 L=40 S=0x00 I=38545 F=0x4000 T=46
> (#32)

> May 28 21:23:01 portal kernel: Packet log: input DENY eth0 PROTO=6
> 209.160.218.2:52936 65.28.85.53:25 L=40 S=0x00 I=33275 F=0x4000 T=237
> (#30)

What did your rule look like before?

-- 
Michael Wood        | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies

Reply to:

References:
- smtp ipchains rule... please help
  - From: hanasaki <hanasaki@hanaden.com>

Prev by Date: Re: Need_help_with_this_script
Next by Date: Re: Building Debian firewall
Previous by thread: smtp ipchains rule... please help
Next by thread: allowing real audio and video through firewall
Index(es):
- Date
- Thread