
Re: Help needed on block SMTP



Well, the rules were not perfect, Dave, but they could help to solve the problem.

Both rules aren't needed ... I disagree a bit: when you have 3 networks (WAN, DMZ, LAN), you need the INPUT rule to redirect from the WAN into the server and the FORWARD rule to allow traffic from the LAN to the DMZ. That is the case with a NATed WAN (I'm being more explicit because you need it).

And I, like you, need more info to send a particular solution to the problem.

Best regards,

Dave Ewart wrote:

On Wednesday, 18.05.2005 at 14:14 +0200, Samuel Díaz García wrote:


1) I wrote in the first line: "... something as this ...".
2) I, like you, have the same info about the system in question.
3) I wrote something that can help to solve the problem.


... but that also raises inconsistencies, i.e. you can't use *both* an
INPUT and a FORWARD rule - depending on the location of the mail server,
one needs to use *one* of those rules.


4) If you have the knowledge and the time, put all the possible cases and put
an answer that can cover all possible cases.


Well, it's hard to answer properly when there is insufficient
information: I'm not sure your suggestion would work at all, regardless
of the original poster's setup.


Continued in your response:

Dave Ewart writes:


On Wednesday, 18.05.2005 at 11:37 +0200, Samuel Díaz García wrote:


You need something as this in your linux router/firewall box:

#!/bin/sh
ip_mail_srv=a.b.c.d

iptables -t filter -A INPUT -d $ip_mail_srv -p tcp --dport 25 --syn -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 25 --syn -j DROP

That doesn't look right.  If the mail server is NOT the same system as
the firewall, then nothing will pass on the INPUT chain to the firewall
destined for the mail server.

Do you know where the SMTP server is? I don't, I only put 2 options.


OK, fair enough, although it's not clear that these were actually
options ...


#the same in FORWARD chain:

iptables -t filter -A FORWARD -d $ip_mail_srv -p tcp --dport 25 --syn -j ACCEPT
iptables -t filter -A FORWARD -p tcp --dport 25 --syn -j DROP

The first of the above two rules will work partly, but won't allow any SMTP
traffic *from* the mail server back out ...


Well, 2 solutions (or more):
1) delete "--syn"
2) use the typical "RELATED, ESTABLISHED" rule about.
3) You propose some other solution.


I'll happily supply a solution if the original poster provides more
information.

Dave.

--
   Samuel Díaz García
    Director Gerente
ArcosCom Wireless, S.L.L.

CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz

http://www.arcoscom.com

mailto:samueldg@arcoscom.com
msn: samueldg@arcoscom.com

Móvil: 651 93 72 48
Tlfn.: 956 70 13 15
Fax:   956 70 34 83
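Added example (mine, not Samuel's or Dave's): a complete rule set for the three-network case Samuel describes, with the mail server in the DMZ behind a NATed WAN. It combines the points raised in the thread: the "RELATED, ESTABLISHED" rule so that "--syn" rules never block return traffic, redirection of port 25 from the public address to the DMZ server, LAN-to-DMZ delivery, and a drop of every other SMTP connection (including to the router itself). The interface names eth0/eth1/eth2, the addresses 203.0.113.10 and 192.168.2.25, and the LAN range 192.168.1.0/24 are constructed assumptions. By default it only prints the iptables commands (dry run); set IPT=iptables to apply them for real.

```sh
#!/bin/sh
# Added example (not from the thread): SMTP filtering on a router with three
# networks (WAN, DMZ, LAN) and the mail server in the DMZ behind a NATed WAN.
# Interface names, addresses and the LAN range below are constructed assumptions.
set -eu

WAN_IF=${WAN_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth1}
LAN_IF=${LAN_IF:-eth2}
WAN_IP=${WAN_IP:-203.0.113.10}        # router's public address (documentation range)
MAIL_SRV=${MAIL_SRV:-192.168.2.25}    # mail server in the DMZ
LAN_NET=${LAN_NET:-192.168.1.0/24}    # internal clients
IPT=${IPT:-"echo iptables"}           # dry run by default; IPT=iptables applies for real

smtp_rules() {
    # 1. Stateful rule first: replies from the mail server and every other
    #    established flow pass here, so the "--syn" rules below only judge
    #    new connections and never block the return traffic.
    $IPT -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. NATed WAN: port 25 arriving on the public address is redirected to
    #    the DMZ mail server. Redirection happens in nat/PREROUTING; the
    #    packet then traverses FORWARD, not INPUT, because the router is
    #    not its final destination.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_SRV"

    # 3. New SMTP connections allowed into the DMZ: from the Internet and from the LAN.
    $IPT -t filter -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$MAIL_SRV" -p tcp --dport 25 --syn -j ACCEPT
    $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$MAIL_SRV" -p tcp --dport 25 --syn -j ACCEPT

    # 4. Outbound SMTP only from the mail server: LAN hosts cannot reach
    #    remote port 25 directly, which keeps an infected workstation from
    #    sending mail straight to the Internet and forces everything through
    #    the relay, where it can be logged and scanned.
    $IPT -t filter -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$MAIL_SRV" -p tcp --dport 25 --syn -j ACCEPT

    # 5. Any other new SMTP connection is logged, then dropped. The INPUT rule
    #    covers the router itself, which must not accept mail.
    $IPT -t filter -A FORWARD -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-DROP: "
    $IPT -t filter -A FORWARD -p tcp --dport 25 --syn -j DROP
    $IPT -t filter -A INPUT -p tcp --dport 25 --syn -j DROP
}

smtp_rules
```

Rule order matters: the conntrack rule must come before any "--syn" rule, and the catch-all LOG/DROP pair must come last, so appending with -A in this sequence to otherwise empty chains gives the intended result. Run it once as-is to review the generated commands, then as root with IPT=iptables to apply them.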