<HTML>
<HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="OPENWEBMAIL" name=GENERATOR>
</HEAD>
<BODY bgColor=#ffffff>
<font size="2">> Hi all,
<br />>
I have a Blue Quartz 5100 still running the old
<br />>
nuonce/solarspeed av/spam package. It no longer
<br />>
updates SA and Clam etc. With the garbage being
<br />>
sent it no longer has much of a chance protecting
<br />>
mail as well as the current av/spam package does.
<br />>
BTW, the current package works GREAT!
<br />>
<br />>
Using 2 servers: one the MX points to, with the av/spam
<br />>
package on it (server 1, BO5601). It then scans the mail and
<br />>
sends it to the BQ5100 (server 2).
<br />>
<br />>
My question is, how do I stop mail from bypassing
<br />>
the MX records and going around server 1 directly
<br />>
to server 2?
<br />>
<br />>
If I use iptables to block port 25 for all but
<br />>
one IP address, local mail (users' mail, admin, root etc.)
<br />>
quits sending on server 1.
<br />>
<br />>
# iptables -A INPUT ! -s 1.2.3.4 -p tcp --dport 25 -j REJECT
<br />>
or
<br />>
# iptables -A acctin ! -s 1.2.3.4 -p tcp --dport 25 -j REJECT
<br />>
<br />>
What other rule would I use to keep the localhost and domains
<br />>
and the internals happy on server 2 and only allow mail from
<br />>
server 1 and nowhere else, or a more permanent, better way to
<br />>
do so?
<br />>
<br />>
TIA
<br />>
David
<br />
<br />
<br /><font size="2">Hi David,</font>
<br />
<br /><font size="2">We have a similar situation, with an external mail filtering server running Roaring Penguin CanIt. And we also had a problem with the script kiddies sending crap directly to the end servers, because they didn't use the MX records for the domains - they just send their crap to any machine that responds on TCP port 25.</font>
<br />
<br /><font size="2">So I set up some IPTables filtering rules of my own. I put these rules in the /etc/sysconfig/iptables file so they're loaded automatically. While I know the file has a warning in it about manual changes being lost - I haven't had that happen to me. And if it did start - I'd just lock the file with the immutable bit (chattr +i /etc/sysconfig/iptables).</font>
<br />
<br /><font size="2">So here are the rules in each end server to keep out everyone but my SPAM filtering server and other local company servers. These go up near the top of that /etc/sysconfig/iptables file, right under the line "-A OUTPUT -j acctout":</font>
<br />
<br /><font size="2">#1 - Keep your server talking to itself:</font>
<br /><font size="2">-A acctin -d 127.0.0.1/32 -j ACCEPT
<br />-A acctout -s 127.0.0.1/32 -j ACCEPT</font>
<br />
<br /><font size="2">#2 - Allow in connections from any inside networks you have, or any Private Address Space you are using. Be sure your filtering server falls in here somewhere:</font>
<br /><font size="2">-A acctin -m state --state NEW -p tcp -s 1.2.3.4/24 --dport 25 -j ACCEPT
<br />-A acctin -m state --state NEW -p tcp -s 4.3.2.1/24 --dport 25 -j ACCEPT
<br />-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
<br />-A acctin -m state --state NEW -p tcp -s 172.16.0.0/12 --dport 25 -j ACCEPT
<br />-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT</font>
<br />
<br /><font size="2">#3 - Log the connection attempts (just so I can see who is trying hard to get in and can be blocked at the main router):</font>
<br /><font size="2">-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect</font>
<br />
<br /><font size="2">#4 - Now, drop the connection attempt. (P.S. - These comment lines numbered 1-4 don't go in that file. They're just explanation):</font>
<br /><font size="2">-A acctin -m state --state NEW -p tcp --dport 25 -j DROP</font>
<br />
<br />
<br /><font size="2">After putting those firewall rules into that file, restart the firewall with "service iptables restart". You can check to see if they're in the active rules with "iptables -L -n | more". Look for those rules up at the top of the chain labeled "acctin".</font>
<br />
<br /><font size="2">And if you want to see how much they're blocking - use "iptables -L -n -v | more". That will also give a packet count of what each line has allowed or blocked. That way - you can see how many connection attempts the firewall rule has blocked.</font>
<br />
<br /><font size="2">I've found that this completely locks out the script kiddies that connect via IP address to send SPAM. And after a while - the attempts pretty much go away. Once they find they can't connect to your server on TCP port 25 any more - they quit trying.</font>
<br />
<br /><font size="2">Good luck and shoot back a message if I haven't explained something well enough.</font>
<br />
<br />
<br />
<br /><font size="2">Chuck</font>
<br />
<br />
<br />
<br />
</font>
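<br />
<br /><font size="2">The rule set in Chuck's reply and the single REJECT rule in David's question, as an added shell example that is not code from either post. It does not call iptables; it only simulates the chain (the first matching rule decides a NEW connection to TCP port 25) and prints the lines to paste into /etc/sysconfig/iptables. The chain names acctin/acctout come from the thread; 198.51.100.25 stands in for the filtering server and 203.0.113.9 for an outside host, both documentation-range placeholders chosen for this example. RFC 1918's second block is 172.16.0.0/12, and the CIDR check below shows what a /14 would leave out.</font>
<br />
```sh
#!/bin/sh
# Added example, not code from the original thread: simulate the first-match
# behaviour of the "acctin" chain for NEW connections to TCP/25 and generate
# the iptables-restore lines for an allow-list. Addresses are constructed
# placeholders (198.51.100.25 = filtering server, 203.0.113.9 = outsider).

# Dotted-quad IPv4 address -> 32-bit integer (10.0.0.1 -> 167772161).
# Body is a subshell so the IFS change does not leak out.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDR NET/PREFIX -> true when ADDR lies inside NET/PREFIX.
# Host bits in NET are ignored, as iptables does (1.2.3.4/24 == 1.2.3.0/24).
in_cidr() {
    _addr=$(ip2int "$1")
    _net=$(ip2int "${2%/*}")
    _prefix=${2#*/}
    _mask=$(( _prefix == 0 ? 0 : (4294967295 << (32 - _prefix)) & 4294967295 ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# Allow-list in chain order: loopback first, then the filtering server,
# then RFC 1918 space. The second RFC 1918 block is 172.16.0.0/12;
# a /14 would stop at 172.19.255.255.
ALLOWED="127.0.0.0/8 198.51.100.25/32 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# smtp_verdict SRC -> ACCEPT if an allow rule matches first, else DROP
# (the LOG rule only logs and falls through, so the trailing DROP decides).
smtp_verdict() {
    for _n in $ALLOWED; do
        if in_cidr "$1" "$_n"; then echo ACCEPT; return 0; fi
    done
    echo DROP
}

# naive_verdict SRC -> what a lone "reject everything not from the filter
# server" rule does: loopback gets no exception, so the local MTA's own
# submissions to 127.0.0.1:25 are refused too.
naive_verdict() {
    if [ "$1" = 198.51.100.25 ]; then echo ACCEPT; else echo REJECT; fi
}

# gen_rules -> iptables-restore lines in the order they must sit in the
# acctin chain: loopback, per-network ACCEPTs, LOG, then the catch-all DROP.
gen_rules() {
    echo "-A acctin -d 127.0.0.1/32 -j ACCEPT"
    echo "-A acctout -s 127.0.0.1/32 -j ACCEPT"
    for _n in $ALLOWED; do
        case $_n in 127.*) continue ;; esac
        echo "-A acctin -m state --state NEW -p tcp -s $_n --dport 25 -j ACCEPT"
    done
    echo "-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect"
    echo "-A acctin -m state --state NEW -p tcp --dport 25 -j DROP"
}

# When run directly: print the fragment, then compare both approaches.
gen_rules
for _src in 127.0.0.1 10.5.6.7 172.20.1.1 203.0.113.9; do
    printf '%-14s chain: %-6s  lone REJECT rule: %s\n' \
        "$_src" "$(smtp_verdict "$_src")" "$(naive_verdict "$_src")"
done
```
<br /><font size="2">Run it with sh and paste the gen_rules output under the "-A OUTPUT -j acctout" line. Two points the simulation makes visible: the lone REJECT rule returns REJECT for 127.0.0.1, which is why local mail stopped, and the ordering matters because the chain stops at the first match, so the loopback and allow-list ACCEPTs must precede the LOG and DROP. The rules only touch NEW inbound connections to port 25; outbound delivery from the server and the replies to it are unaffected. On current iptables the negation form is "! -s 1.2.3.4" (the older "-s ! 1.2.3.4" is deprecated), and if you do set chattr +i on the file, remember that "service iptables save" can no longer write it until the bit is removed.</font>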
</BODY>
</HTML>