Re: Help needed on block SMTP

On Wednesday, 18.05.2005 at 14:14 +0200, Samuel Díaz García wrote:

> 1) I wrote in the first line: "... something as this ...".
> 2) Me, as you, have the same info about the system in question.
> 3) I wrote something that can help to solve the problem.

... but that also raises inconsistencies. i.e. you can't use *both* an
INPUT and a FORWARD rule - depending on the location of the mail server,
one needs to use *one* of those rules.

> 4) If you have the knowledge and the time, put all the possible cases and put
> an answer that can cover all possible cases.

Well, it's hard to answer properly when there is insufficient
information: I'm not sure your suggestion would work at all, regardless
of the original poster's setup.

> Continued in your response:
> Dave Ewart writes:
> >On Wednesday, 18.05.2005 at 11:37 +0200, Samuel Díaz García wrote:
> >
> >>You need something as this in your linux router/firewall box:
> >>
> >>#!/bin/sh
> >>ip_mail_srv=a.b.c.d
> >>
> >>iptables -t filter -A INPUT -d $ip_mail_srv -p tcp --dport 25 --syn -j
> >>iptables -t filter -A INPUT -p tcp --dport 25 --syn -j DROP
> >
> >That doesn't look right.  If the mail server is NOT the same system as
> >the firewall, then nothing will pass on the INPUT chain to the firewall
> >destined for the mail server.
> Do you know where the smtp server is? I don't, I only put 2 options.

OK, fair enough, although it's not clear that these were actually
options ...

> >>#the same in FORWARD chain:
> >>
> >>iptables -t filter -A FORWARD -d $ip_mail_srv -p tcp --dport 25 --syn -j
> >>iptables -t filter -A FORWARD -p tcp --dport 25 --syn -j DROP
> >
> >The first of the above two rules will work partly, but won't allow any SMTP
> >traffic *from* the mail server back out ...
> >
> Well, 2 solutions (or more):
>  1) delete "--syn"
>  2) use the typical "RELATED, ESTABLISHED" rule about.
>  3) You propose some more solutions.

I'll happily supply a solution if the original poster provides more


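The two cases argued over above (mail server on the firewall itself versus a host behind it) as an added example; this is not code from the thread. It emits the iptables commands rather than running them, so the rule order can be reviewed first; the mail server address 192.0.2.25 is a constructed placeholder, and "local"/"forward" are this script's own mode names.

```shell
#!/bin/sh
# Added example: print an SMTP rule set for one of two firewall layouts.
#   local   - the mail server is the firewall box (INPUT/OUTPUT chains)
#   forward - the mail server sits behind the firewall (FORWARD chain)
# Usage: sh smtp_rules.sh local|forward <mail-server-ip>

smtp_rules() {
    mode=$1
    mail_srv=$2
    case "$mode" in
        local)   in_chain=INPUT;   out_chain=OUTPUT ;;
        forward) in_chain=FORWARD; out_chain=FORWARD ;;
        *) echo "usage: smtp_rules local|forward <mail-server-ip>" >&2; return 1 ;;
    esac
    # State rule first: replies of accepted sessions pass in both directions,
    # so the --syn rules below only have to judge new connections. Without it
    # the mail server's own outbound traffic would be blocked, as noted above.
    echo "iptables -t filter -A $in_chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    if [ "$out_chain" != "$in_chain" ]; then
        echo "iptables -t filter -A $out_chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    fi
    # New inbound SMTP only to the designated mail server
    echo "iptables -t filter -A $in_chain -d $mail_srv -p tcp --dport 25 --syn -j ACCEPT"
    # New outbound SMTP only from the mail server (other hosts cannot send direct)
    echo "iptables -t filter -A $out_chain -s $mail_srv -p tcp --dport 25 --syn -j ACCEPT"
    # Everything else on port 25 is dropped; DROP must stay after the ACCEPTs
    echo "iptables -t filter -A $in_chain -p tcp --dport 25 --syn -j DROP"
    if [ "$out_chain" != "$in_chain" ]; then
        echo "iptables -t filter -A $out_chain -p tcp --dport 25 --syn -j DROP"
    fi
}

if [ $# -eq 2 ]; then
    smtp_rules "$1" "$2"
fi
```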