<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 3/6/2013 3:05 PM, Chuck Tetlow
wrote:<br>
</div>
<blockquote cite="mid:20130306224100.M82612@tetlow.net" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<meta content="OPENWEBMAIL" name="GENERATOR">
<font size="2">> Hi all, <br>
> I have a Blue Quartz 5100 still running the old <br>
> nuonce/solarspeed av/spam package. It no longer <br>
> updates sa and clam etc. With the garbage being <br>
> sent it no longer has much of a chance protecting <br>
> mail as well as the current av/spam package does. <br>
> BTW, the current package works GREAT! <br>
> <br>
> Using 2 servers, one the MX points to with the av/spam <br>
> package on it (server 1, BO5601). It then scans the mail and <br>
> sends it to the BQ5100, server 2. <br>
> <br>
> My question is, how do I stop mail from bypassing <br>
> the MX records and going around server 1 directly <br>
> to server 2? <br>
> <br>
> If I use iptables to block port 25 for all but <br>
> one IP address, local mail (users, mail, admin, root etc.) <br>
> quits sending on server 1. <br>
> <br>
> # iptables -A INPUT -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT <br>
> or <br>
> # iptables -A acctin -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT <br>
> <br>
> What other rule would I use to keep the localhost and domains <br>
> and the internals happy on server 2 and only allow mail from <br>
> server 1 and nowhere else, or a more permanent, better way to <br>
> do so. <br>
> <br>
> TIA <br>
> David <br>
<br>
<br>
Hi David,
<br>
<br>
We have a similar situation, with an external mail filtering server running Roaring
Penguin CanIt. And we also had a problem with the script-kiddies sending crap
directly to the end-servers, because they didn't use the MX records for the
domains - they just sent their crap to any machine that responds on TCP port 25.
<br>
<br>
So I set up some IPTables filtering rules of my own. I put these rules in the
/etc/sysconfig/iptables file so they're loaded automatically. While I know the
file has a warning in it about manual changes being lost - I haven't had that
happen to me. And if it did start - I'd just lock the file with the immutable bit
(chattr +i /etc/sysconfig/iptables).
<br>
<br>
So here are the rules in each end-server to keep out everyone but my SPAM
filtering server, and other local company servers. These go up near the top of
that /etc/sysconfig/iptables file, right under the line "-A OUTPUT -j acctout":
<br>
<br>
#1 - Keep your server talking to itself:
<br>
-A acctin -d 127.0.0.1/32 -j ACCEPT
<br>
-A acctout -s 127.0.0.1/32 -j ACCEPT
<br>
<br>
#2 - Allow in connections from any inside networks you have, or any Private
Address Space you are using. Be sure your filtering server falls in here
somewhere:
<br>
-A acctin -m state --state NEW -p tcp -s 1.2.3.4/24 --dport 25 -j ACCEPT
<br>
-A acctin -m state --state NEW -p tcp -s 4.3.2.1/24 --dport 25 -j ACCEPT
<br>
-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
<br>
-A acctin -m state --state NEW -p tcp -s 172.16.0.0/14 --dport 25 -j ACCEPT
<br>
-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT
<br>
<br>
#3 - Log the connection attempts (just so I can see who is trying hard to get in
and can be blocked at the main router):
<br>
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect
<br>
<br>
#4 - Now, drop the connection attempt. (P.S. - These comment lines numbered 1-4
don't go in that file. They're just explanation):
<br>
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP
<br>
<br>
<br>
After putting those firewall rules into that file, restart the firewall with
"service iptables restart". You can check to see if they're in the active rules
with "iptables -L -n | more". Look for those rules up at the top of the chain
labeled "acctin".
<br>
<br>
And if you want to see how much they're blocking - use "iptables -L -n -v | more".
That will also give a packet count of what each line has allowed or blocked. That
way - you can see how many connection attempts the firewall rule has blocked.
<br>
<br>
I've found that this completely locks out the script kiddies that connect via IP
Address to send SPAM. And after a while - the attempts pretty much go away. Once
they find they can't connect to your server on TCP Port 25 any more - they quit
trying.
<br>
<br>
Good luck and shoot back a message if I haven't explained something well enough.
<br>
<br>
<br>
<br>
Chuck
<br>
<br>
</font>
</blockquote>
Fantastic. Will try that.<br>
Thank you Gerald and Chuck <br>
David<br>
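<br>
<br>
<font size="2">An added example, not code from David's or Chuck's messages: a small POSIX shell script that emits the inbound-SMTP allowlist Chuck describes (the filtering server's network is the placeholder FILTER_NET, 1.2.3.0/24 by default) and walks it with a first-match evaluator, so the rule order can be checked without loading anything into a live firewall. It shows that loopback, the filtering server and RFC 1918 space are accepted, while a public client hits the LOG rule (which does not terminate evaluation) and then the DROP. It uses 172.16.0.0/12 for the third private block, since /12 (172.16 through 172.31) is the RFC 1918 allocation and a /14 only covers 172.16 through 172.19. The sample client and server addresses are constructed from the RFC 5737 documentation ranges.</font><br>
<br>

```shell
#!/bin/sh
# Added example, not code from the original thread. It emits the inbound-SMTP
# allowlist for /etc/sysconfig/iptables and adds a small first-match evaluator
# so the rule order can be checked offline. Assumptions: FILTER_NET is a
# placeholder for the filtering server's network, and the rules sit at the top
# of the "acctin" chain as described in the message.

FILTER_NET="${FILTER_NET:-1.2.3.0/24}"   # placeholder, substitute your own network

# Dotted-quad IPv4 address -> 32-bit integer, using POSIX sh arithmetic only.
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# ip_in_cidr IP NET/BITS -> exit status 0 when IP falls inside the prefix.
# A bare address is treated as /32, and /0 matches everything.
ip_in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# The rule block as it would appear in /etc/sysconfig/iptables. The private
# ranges are the RFC 1918 blocks (172.16.0.0/12 covers 172.16 through 172.31).
smtp_rules() {
    cat <<EOF
-A acctin -d 127.0.0.1/32 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s $FILTER_NET --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 172.16.0.0/12 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP
EOF
}

# smtp_verdict SRC DST -> "ACCEPT logged=no", "DROP logged=yes", ... for a new
# TCP connection to port 25, walking the rules top to bottom the way netfilter
# does: the first ACCEPT/DROP/REJECT wins, LOG only records and falls through.
smtp_verdict() {
    src=$1; dst=$2; logged=no
    while read -r line; do
        set -- $line
        s=0.0.0.0/0; d=0.0.0.0/0; target=
        while [ $# -gt 0 ]; do
            case $1 in
                -s) s=$2; shift ;;
                -d) d=$2; shift ;;
                -j) target=$2; shift ;;
            esac
            shift
        done
        ip_in_cidr "$src" "$s" && ip_in_cidr "$dst" "$d" || continue
        case $target in
            LOG) logged=yes ;;
            ACCEPT|DROP|REJECT) echo "$target logged=$logged"; return 0 ;;
        esac
    done <<EOF
$(smtp_rules)
EOF
    echo "NOMATCH logged=$logged"   # fell off the end of the block
}

# Constructed sample addresses: 198.51.100.10 plays the end-server and
# 203.0.113.9 a public client sending by IP instead of via the MX record.
for src in 127.0.0.1 1.2.3.77 10.20.30.40 172.20.1.1 203.0.113.9; do
    dst=198.51.100.10
    [ "$src" = 127.0.0.1 ] && dst=127.0.0.1
    printf '%-14s -> %s\n' "$src" "$(smtp_verdict "$src" "$dst")"
done
```

Run it with sh; it prints a verdict per sample address and touches no kernel state. To use the rules for real, paste the output of smtp_rules into the file at the point Chuck indicates and restart the firewall as he describes; the evaluator only models the source, destination and target of each line, which is all these particular rules depend on.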
</body>
</html>