On Wednesday, 18.05.2005 at 14:14 +0200, Samuel Díaz García wrote:

> 1) I wrote in the first line: "... something as this ...".
> 2) I, like you, have the same info about the system in question.
> 3) I wrote something that can help to solve the problem.

... but that also raises inconsistencies, i.e. you can't use *both* an INPUT and a FORWARD rule - depending on the location of the mail server, one needs to use *one* of those rules.

> 4) If you have the knowledge and the time, put all the possible cases and put
> an answer that can cover all possible cases.

Well, it's hard to answer properly when there is insufficient information: I'm not sure your suggestion would work at all, regardless of the original poster's setup.

> Continued in your response:
>
> Dave Ewart writes:
>
> >On Wednesday, 18.05.2005 at 11:37 +0200, Samuel Díaz García wrote:
> >
> >>You need something as this in your linux router/firewall box:
> >>
> >>#!/bin/sh
> >>ip_mail_srv=a.b.c.d
> >>
> >>iptables -t filter -A INPUT -d $ip_mail_srv -p tcp --dport 25 --syn -j ACCEPT
> >>iptables -t filter -A INPUT -p tcp --dport 25 --syn -j DROP
> >
> >That doesn't look right. If the mail server is NOT the same system as
> >the firewall, then nothing will pass on the INPUT chain to the firewall
> >destined for the mail server.
>
> Do you know where the smtp server is? I don't, I only put 2 options.

OK, fair enough, although it's not clear that these were actually options ...

> >>#the same in FORWARD chain:
> >>
> >>iptables -t filter -A FORWARD -d $ip_mail_srv -p tcp --dport 25 --syn -j ACCEPT
> >>iptables -t filter -A FORWARD -p tcp --dport 25 --syn -j DROP
> >
> >The first of the above two rules will work partly, but won't allow any SMTP
> >traffic *from* the mail server back out ...
> >
>
> Well, 2 solutions (or more):
> 1) delete "--syn"
> 2) use the typical "RELATED, ESTABLISHED" rule about.
> 3) Propose you some solution more.

I'll happily supply a solution if the original poster provides more information.

Dave.
-- 
Please don't CC me on list messages!
...
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
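The two points the thread circles around are (a) INPUT applies only when the mail server is the firewall itself, FORWARD only when it sits behind the firewall, and (b) a "--syn"-only ACCEPT under a DROP policy strands the non-SYN half of every session unless an ESTABLISHED,RELATED rule precedes it. The script below is an added example written for this reply, not code from either poster: one function that emits the correct rule set for whichever topology applies. It assumes a default-DROP policy on the chain being populated and that the mail server should be the only host allowed to originate outbound SMTP (the extra "-s" rule in FORWARD mode); the address 192.0.2.25 is a constructed documentation address. The classic "-m state" match is used to stay close to the thread's era; "-m conntrack --ctstate" is the modern equivalent.

```shell
#!/bin/sh
# Added example, not from the thread: emit the SMTP rule set for whichever
# of the two topologies the original poster actually has.
# Assumptions: default-DROP policy on the chain in question, and the mail
# server is the only host that may originate outbound SMTP.
# IPT defaults to the real iptables binary; set IPT=echo for a dry run that
# prints the rules instead of loading them.
IPT="${IPT:-iptables}"

# smtp_rules MODE MAIL_SERVER_IP
#   local   : the mail server is the firewall itself  -> rules go in INPUT
#   forward : the mail server sits behind the firewall -> rules go in FORWARD
smtp_rules() {
    mode="$1"
    mail="$2"
    case "$mode" in
        local)   chain=INPUT ;;
        forward) chain=FORWARD ;;
        *)
            echo "usage: smtp_rules local|forward MAIL_SERVER_IP" >&2
            return 2 ;;
    esac

    # 1. Packets of a session already accepted (replies, every non-SYN
    #    segment). Without this, "--syn" alone leaves the server's answers
    #    to die under the DROP policy - the problem Dave pointed out.
    "$IPT" -t filter -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. New inbound SMTP sessions, but only to the mail server.
    "$IPT" -t filter -A "$chain" -d "$mail" -p tcp --dport 25 --syn -j ACCEPT

    # 3. New outbound SMTP sessions originated by the mail server itself.
    #    Only meaningful in FORWARD: a host's own outbound traffic goes
    #    through OUTPUT, never INPUT, so the local case needs no such rule.
    if [ "$chain" = FORWARD ]; then
        "$IPT" -t filter -A "$chain" -s "$mail" -p tcp --dport 25 --syn -j ACCEPT
    fi

    # 4. Every other new SMTP session is dropped: no other host, inside or
    #    outside, reaches port 25 through this box.
    "$IPT" -t filter -A "$chain" -p tcp --dport 25 --syn -j DROP
}

# Stand-alone use: "sh script.sh --demo" dry-runs the FORWARD case for a
# mail server behind the firewall at 192.0.2.25 (constructed address).
if [ "${1:-}" = "--demo" ]; then
    IPT=echo
    smtp_rules forward 192.0.2.25
fi
```

Rule order matters: the ESTABLISHED,RELATED rule must come before the final DROP, and the per-host ACCEPTs before it, since iptables evaluates a chain top to bottom and stops at the first match. Dropping "--syn" instead (Samuel's option 1) would also let replies through, but it turns the last rule into a drop of *all* port-25 packets not aimed at the server, including mid-session segments, which is why the state rule is the cleaner fix.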