Blacklisted, need to block port 25

Albion

IS-IT--Management
Aug 8, 2000
517
US
I've recently been blacklisted by spamcop.net. I believe one of my workstations has a virus or malware that is sending out spam. I am running a NAT on a Linux Fedora 3 machine and would like to block, with iptables, all traffic coming from any workstation (not including my Exchange server) behind my NAT bound for port 25. Is this possible? Once no more SPAM is being spewed I can start to narrow down where the problem is.

Thanks

-Al
 
Yes. I have similar set up working right now.

I use a script to build/change my ruleset and use iptables built-in save feature to restore the state after a reboot.

The chain is called FWD-MAIL-ACL-OUT but you can change it to the FORWARD chain with a few edits.

Code:
# Limit SMTP Connections from known hosts to the internet
echo -e "  Define chain for hosts allowed to send SMTP"
iptables -N FWD-MAIL-ACL-OUT
iptables -A FWD-MAIL-ACL-OUT -j LOG --log-prefix 'FWD-MAIL-ACL-OUT ' --log-level info
if [ -f /etc/firewall/mail ]; then
  echo -en "    Forward Mail from hosts (/etc/firewall/mail) "
  while read HOST LABEL; do
    iptables -A FWD-MAIL-ACL-OUT -s $HOST -j ACCEPT
    echo -en " - $HOST"
    echo -en "."
  done < /etc/firewall/mail
  echo -e ""
else
  echo -e " None"
fi

Further down in my script...

Code:
# Allow outbound SMTP from known internal hosts
echo -e "    Process Mail Clients and SMTP servers"
iptables -A FWD-DEF-ACL-OUT -p tcp --dport 25 -j FWD-MAIL-ACL-OUT
iptables -A FWD-DEF-ACL-OUT -p tcp --dport 110 -j FWD-MAIL-ACL-OUT
iptables -A FWD-DEF-ACL-OUT -p tcp --dport 3535 -j FWD-MAIL-ACL-OUT

Break away from the built-in chains...

Code:
## Keep these guys near the end

iptables -A FORWARD -i $EXTIF -o $INTIF -j FWD-DEF-ACL-IN
iptables -A FORWARD -i $INTIF -o $EXTIF -j FWD-DEF-ACL-OUT
iptables -A FORWARD -j LOG --log-prefix 'UDEF-IF-FWD: ' --log-level info

I assume you are familiar with iptables. Otherwise, my examples may not make much sense.

I have a list of hosts allowed to send via SMTP in the file /etc/firewall/mail with each line containing an IP address and a little note. Like so...

Code:
192.168.1.10 Mail server 1
192.168.1.11 Mail server 2
192.168.1.12 Mail server 3

If you need further explanation let me know.

Have Fun!
 
Well, two lines in iptables would do it.

Code:
iptables -i your_internal_interface -p tcp --dport 25 -s your_exchange_server_ip -j ACCEPT

iptables -i your_internal_interface -p tcp --dport 25 -s 0/0 -j DROP

The first one allows your server, the second one blocks all other hosts.
Note: if your forward policy is not set to DROP you may need to add something to the forward chain as well.


Cheers

QatQat

Life is what happens when you are making other plans.
 
I get an error when I try your instructions QatQat.

[root@mail1 sysconfig]# iptables -i eth0 -p tcp --dport 25 -s 192.0.2.4 -j ACCEPT
iptables v1.2.11: no command specified

What am I doing wrong?

Thanks

-Al
 
You need to specify which chain (FORWARD probably) to insert the rule.

iptables -i (CHAIN) (COMMANDS)
 
Sorry,
That was a stupid mistake.

iptables -A INPUT .....

Please note that -A INPUT, -A FORWARD are case sensitive.

Cheers

QatQat

Life is what happens when you are making other plans.
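Added example, not code from any poster in this thread: the rule set the thread converges on (allow one mail server out on port 25, log and refuse every other LAN host) plus a small filter that tallies the LOG lines so the spewing workstation stands out in syslog. The interface names, the mail server address and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Assumed values: LAN on eth1, Internet on eth0, Exchange at 192.168.1.10.
INTIF=eth1
EXTIF=eth0
MAILSRV=192.168.1.10

# Print the iptables commands for a dedicated chain hung off FORWARD.
# Run the output as root (smtp_rules | sh) to apply it.
smtp_rules() {
  cat <<EOF
iptables -N LAN-SMTP-OUT
iptables -A LAN-SMTP-OUT -s $MAILSRV -j ACCEPT
iptables -A LAN-SMTP-OUT -m limit --limit 5/min -j LOG --log-prefix 'SMTP-BLOCK ' --log-level info
iptables -A LAN-SMTP-OUT -j REJECT --reject-with tcp-reset
iptables -I FORWARD 1 -i $INTIF -o $EXTIF -p tcp --dport 25 -j LAN-SMTP-OUT
EOF
}

# Read syslog on stdin, keep only the SMTP-BLOCK lines, extract SRC= and
# print "count ip" with the busiest source first.
top_smtp_senders() {
  grep 'SMTP-BLOCK' \
    | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# Constructed sample lines in the format the kernel LOG target writes.
SAMPLE_LOG='Aug  9 10:01:02 gw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.9 PROTO=TCP SPT=3321 DPT=25
Aug  9 10:01:03 gw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=TCP SPT=3322 DPT=25
Aug  9 10:01:05 gw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.11 PROTO=TCP SPT=1045 DPT=25
Aug  9 10:01:07 gw kernel: FWD-DEF-ACL-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.12 PROTO=TCP SPT=1046 DPT=80'

smtp_rules
printf '%s\n' "$SAMPLE_LOG" | top_smtp_senders
```

On the real box the second half is `grep SMTP-BLOCK /var/log/messages | top_smtp_senders`; the `-m limit` keeps a runaway host from flooding the log.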
 