[BlueOnyx:12456] Re: Allow Inbound Email From Only One IP or Host
David Hahn
ml at sb9.com
Wed Mar 6 19:05:02 -05 2013
On 3/6/2013 3:05 PM, Chuck Tetlow wrote:
> > Hi all,
> > I have a blue quartz 5100 still running the old
> > nuonce/solarspeed av/spam package. It no longer
> > updates sa and clam etc. With the garbage being
> > sent it no longer has much of a chance protecting
> > mail as well as the current av/spam package does.
> > BTW, the current package works GREAT!
> >
> > Using 2 servers one the MX points to with the av/spam
> > package on it (server 1 BO5601). It then scans the mail and
> > sends it to the BQ5100 server 2.
> >
> > My question is, how do I stop mail from by-passing
> > the MX records and going around server 1 directly
> > to server 2?
> >
> > If I use iptables to block port 25 for all but
> > one IP address, local mail (users, mail, admin, root, etc.)
> > quits sending on server 1.
> >
> > # iptables -A INPUT -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT
> > or
> > # iptables -A acctin -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT
> >
> > What other rule would I use to keep the localhost and domains
> > and the internals happy on server 2 and only allow mail from
> > server 1 and nowhere else, or a more permanent, better way to
> > do so?
> >
> > TIA
> > David
>
>
> Hi David,
>
> We have a similar situation, with an external mail filtering server
> running Roaring Penguin CanIt. And we also had a problem with the
> script-kiddies sending crap directly to the end-servers, because they
> didn't use the MX records for the domains - they just sent their crap
> to any machine that responds on TCP port 25.
>
> So I set up some IPTables filtering rules of my own. I put these
> rules in the /etc/sysconfig/iptables file so they're loaded
> automatically. While I know the file has a warning in it about manual
> changes being lost - I haven't had that happen to me. And if it did
> start - I'd just lock the file with the immutable bit (chattr +i
> /etc/sysconfig/iptables).
>
> So here are the rules in each end-server to keep out everyone but my SPAM
> filtering server, and other local company servers. These go up near
> the top of that /etc/sysconfig/iptables file, right under the line "-A
> OUTPUT -j acctout":
>
> #1 - Keep your server talking to itself:
> -A acctin -d 127.0.0.1/32 -j ACCEPT
> -A acctout -s 127.0.0.1/32 -j ACCEPT
>
> #2 - Allow in connections from any inside networks you have, or any
> Private Address Space you are using. Be sure your filtering server
> falls in here somewhere:
> -A acctin -m state --state NEW -p tcp -s 1.2.3.4/24 --dport 25 -j ACCEPT
> -A acctin -m state --state NEW -p tcp -s 4.3.2.1/24 --dport 25 -j ACCEPT
> -A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
> -A acctin -m state --state NEW -p tcp -s 172.16.0.0/14 --dport 25 -j ACCEPT
> -A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT
>
> #3 - Log the connection attempts (just so I can see who is trying hard
> to get in and can be blocked at the main router):
> -A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect
>
> #4 - Now, drop the connection attempt. (P.S. - These comment lines
> numbered 1-4 don't go in that file. They're just explanation):
> -A acctin -m state --state NEW -p tcp --dport 25 -j DROP
>
>
> After putting those firewall rules into that file, restart the
> firewall with "service iptables restart". You can check to see if
> they're in the active rules with "iptables -L -n | more". Look for
> those rules up at the top of the chain labeled "acctin".
>
> And if you want to see how much they're blocking - use "iptables -L -n
> -v | more". That will also give a packet count of what each line has
> allowed or blocked. That way - you can see how many connection
> attempts the firewall rule has blocked.
>
> I've found that this completely locks out the script kiddies that
> connect via IP Address to send SPAM. And after a while - the attempts
> pretty much go away. Once they find they can't connect to your server
> on TCP Port 25 any more - they quit trying.
>
> Good luck and shoot back a message if I haven't explained something
> well enough.
>
>
>
> Chuck
>
>
>
Fantastic. Will try that.
Thank you Gerald and Chuck
David
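An added example, not part of this thread or of BlueOnyx: a small Python model of how netfilter walks a chain first-match, applied to the two rule sets discussed above (David's single negated REJECT and Chuck's acctin rules), plus a counter over the kernel log lines Chuck's rule #3 produces. It shows why the single REJECT cut off local mail (nothing accepts 127.0.0.1 before it), why the loopback ACCEPT must sit above the DROP, and how to turn the "E-Mail-Connect" log entries into a per-source count for the router block list Chuck mentions. Assumptions: a chain that falls through without a match is treated as ACCEPT (the acctin chain returns to INPUT, whose policy is assumed ACCEPT here), every test connection is a NEW TCP connection, and the log lines are constructed in the shape iptables LOG writes to /var/log/messages.

```python
"""Model first-match evaluation of the SMTP rules from the BlueOnyx thread."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT, DROP, REJECT or LOG
    src: Optional[str] = None     # source CIDR; None matches any source
    negate: bool = False          # "-s ! a.b.c.d" semantics
    dport: Optional[int] = None   # TCP destination port; None matches any port


def matches(rule: Rule, src_ip: str, dport: int) -> bool:
    """Does a NEW TCP connection from src_ip to dport hit this rule?"""
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.src is not None:
        # strict=False normalises host-style CIDRs such as 1.2.3.4/24 to 1.2.3.0/24
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src, strict=False)
        if in_net == rule.negate:      # negated rule matches only when NOT in the network
            return False
    return True


def evaluate(chain: List[Rule], src_ip: str, dport: int = 25) -> Tuple[str, bool]:
    """Walk the chain in order. LOG is non-terminating; any other target ends the walk.
    Returns (verdict, was_logged). Fall-through is assumed to be ACCEPT."""
    logged = False
    for rule in chain:
        if not matches(rule, src_ip, dport):
            continue
        if rule.target == "LOG":
            logged = True
            continue
        return rule.target, logged
    return "ACCEPT", logged


# David's first attempt: one rule, nothing ahead of it for loopback or internal hosts.
# iptables -A INPUT -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT
DAVID_RULE = [Rule("REJECT", src="1.2.3.4/32", negate=True, dport=25)]

# Chuck's acctin rules, in the order given in his message.
# Note: 172.16.0.0/14 covers only 172.16-172.19; RFC 1918 private space is 172.16.0.0/12.
CHUCK_CHAIN = [
    Rule("ACCEPT", src="127.0.0.1/32"),                       # #1 keep loopback talking
    Rule("ACCEPT", src="1.2.3.4/24", dport=25),               # #2 filtering server's network
    Rule("ACCEPT", src="4.3.2.1/24", dport=25),
    Rule("ACCEPT", src="10.0.0.0/8", dport=25),
    Rule("ACCEPT", src="172.16.0.0/14", dport=25),
    Rule("ACCEPT", src="192.168.0.0/16", dport=25),
    Rule("LOG", dport=25),                                    # #3 --log-prefix E-Mail-Connect
    Rule("DROP", dport=25),                                   # #4 everything else
]

# With an unquoted prefix and no trailing space, the prefix runs straight into "IN=".
LOG_RE = re.compile(r"E-Mail-Connect.*?SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dpt>\d+)")


def count_blocked_sources(log_lines: List[str]) -> Counter:
    """Count logged NEW connections to port 25 per source address."""
    counts: Counter = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "25":
            counts[m.group("src")] += 1
    return counts


# Constructed sample log lines (not real traffic); TEST-NET addresses as the sources.
SAMPLE_LOG = [
    "Mar  6 19:01:11 server2 kernel: E-Mail-ConnectIN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41022 DPT=25 SYN",
    "Mar  6 19:01:14 server2 kernel: E-Mail-ConnectIN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=53311 DPT=25 SYN",
    "Mar  6 19:01:20 server2 kernel: E-Mail-ConnectIN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=41023 DPT=25 SYN",
    "Mar  6 19:02:02 server2 sshd[2201]: Accepted publickey for admin from 10.0.0.5",   # unrelated noise
]


if __name__ == "__main__":
    for ip in ("127.0.0.1", "1.2.3.77", "10.1.2.3", "172.20.0.5", "203.0.113.9"):
        print(f"{ip:>12}  David: {evaluate(DAVID_RULE, ip)}  Chuck: {evaluate(CHUCK_CHAIN, ip)}")
    print(count_blocked_sources(SAMPLE_LOG).most_common())
```

Running it shows 127.0.0.1 getting REJECT under the single-rule version and ACCEPT under Chuck's ordering, which is exactly the symptom David described; it also shows 172.20.0.5 being dropped under the /14 mask, the kind of boundary worth checking before copying private-range rules between servers.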