[BlueOnyx:12455] Re: Allow Inbound Email From Only One IP or Host

Chuck Tetlow chuck at tetlow.net
Wed Mar 6 18:05:42 -05 2013


> Hi all,
> I have a Blue Quartz 5100 still running the old
> nuonce/solarspeed AV/spam package. It no longer
> updates SA and Clam etc. With the garbage being
> sent, it no longer has much of a chance of protecting
> mail as well as the current AV/spam package does.
> BTW, the current package works GREAT!
>
> Using 2 servers: one the MX points to, with the AV/spam
> package on it (server 1, BO5601). It then scans the mail and
> sends it to the BQ5100 (server 2).
>
> My question is, how do I stop mail from bypassing
> the MX records and going around server 1 directly
> to server 2?
>
> If I use iptables to block port 25 for all but
> one IP address, local mail (users, mail admin, root etc.)
> quits sending on server 1.
>
> # iptables -A INPUT -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT
> or
> # iptables -A acctin -s ! 1.2.3.4 -p tcp --dport 25 -j REJECT
>
> What other rule would I use to keep the localhost and domains
> and the internals happy on server 2 and only allow mail from
> server 1 and nowhere else, or a more permanent, better way to
> do so?
>
> TIA
> David

Hi David,

We have a similar situation, with an external mail filtering server running Roaring Penguin CanIt.  And we also had a problem with the script-kiddies sending crap directly to the end-servers, because they didn't use the MX records for the domains - they just sent their crap to any machine that responds on TCP port 25.

So I set up some IPTables filtering rules of my own.  I put these rules in the /etc/sysconfig/iptables file so they're loaded automatically.  While I know the file has a warning in it about manual changes being lost - I haven't had that happen to me.  And if it did start - I'd just lock the file with the immutable bit (chattr +i /etc/sysconfig/iptables).

So these are the rules in each end-server to keep out everyone but my SPAM filtering server, and other local company servers.  These go up near the top of that /etc/sysconfig/iptables file, right under the line "-A OUTPUT -j acctout":

#1 - Keep your server talking to itself:
-A acctin -d 127.0.0.1/32 -j ACCEPT
-A acctout -s 127.0.0.1/32 -j ACCEPT

#2 - Allow in connections from any inside networks you have, or any Private Address Space you are using.  Be sure your filtering server falls in here somewhere:
-A acctin -m state --state NEW -p tcp -s 1.2.3.4/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 4.3.2.1/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 172.16.0.0/12 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT

#3 - Log the connection attempts (just so I can see who is trying hard to get in and can be blocked at the main router):
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect

#4 - Now, drop the connection attempt.  (P.S. - These comment lines numbered 1-4 don't go in that file.  They're just explanation):
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP

After putting those firewall rules into that file, restart the firewall with "service iptables restart".  You can check to see if they're in the active rules with "iptables -L -n | more".  Look for those rules up at the top of the chain labeled "acctin".

And if you want to see how much they're blocking - use "iptables -L -n -v | more".  That will also give a packet count of what each line has allowed or blocked.  That way - you can see how many connection attempts the firewall rule has blocked.

I've found that this completely locks out the script kiddies that connect via IP Address to send SPAM.  And after a while - the attempts pretty much go away.  Once they find they can't connect to your server on TCP Port 25 any more - they quit trying.

Good luck and shoot back a message if I haven't explained something well enough.

Chuck
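An added example, not code from this thread or from BlueOnyx: a small Python first-match simulator of an "acctin" chain like the one above, so you can check offline which source addresses a rule set will ACCEPT, LOG and DROP for a new TCP connection to port 25 before loading it with "service iptables restart". The rule text and the addresses in it are constructed (203.0.113.0/24 stands in for the filtering server's network, 198.51.100.10 for the end-server's own address), and the sample chain deliberately keeps a 172.16.0.0/14 source mask to show that such a mask leaves part of the 172.16.0.0/12 private range unable to reach port 25. Host bits in a CIDR are masked off the way iptables does it.

```python
"""Offline first-match walk of an iptables chain for SMTP (tcp/25) connections.

Added example: simulates ACCEPT / LOG / DROP ordering for a chain written in
iptables-save syntax.  Addresses and rule text below are constructed samples.
"""
import ipaddress
import shlex

# Constructed sample chain modelled on the end-server rules in the thread.
# 203.0.113.0/24 stands in for the mail-filtering server's network (assumption).
SAMPLE_RULES = """\
-A acctin -d 127.0.0.1/32 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 203.0.113.0/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 172.16.0.0/14 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix E-Mail-Connect
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_rules(text, chain="acctin"):
    """Turn iptables-save lines into match dicts; only the options this
    example needs (-A -s -d -p --dport --state -j) are interpreted, the rest
    (-m state, --log-prefix ...) are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        rule = {"chain": None, "src": None, "dst": None, "proto": None,
                "dport": None, "state": None, "target": None}
        i = 0
        while i < len(tok):
            t = tok[i]
            if t == "-A":
                rule["chain"] = tok[i + 1]; i += 2
            elif t == "-s":   # strict=False masks host bits like iptables does
                rule["src"] = ipaddress.ip_network(tok[i + 1], strict=False); i += 2
            elif t == "-d":
                rule["dst"] = ipaddress.ip_network(tok[i + 1], strict=False); i += 2
            elif t == "-p":
                rule["proto"] = tok[i + 1]; i += 2
            elif t == "--dport":
                rule["dport"] = int(tok[i + 1]); i += 2
            elif t == "--state":
                rule["state"] = set(tok[i + 1].split(",")); i += 2
            elif t == "-j":
                rule["target"] = tok[i + 1]; i += 2
            else:
                i += 1
        if rule["chain"] == chain:
            rules.append(rule)
    return rules


def matches(rule, pkt):
    """Every criterion the rule specifies must match the packet."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if rule["src"] is not None and src not in rule["src"]:
        return False
    if rule["dst"] is not None and dst not in rule["dst"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    if rule["state"] is not None and pkt["state"] not in rule["state"]:
        return False
    return True


def smtp_verdict(rules_text, src_ip, dst_ip="198.51.100.10"):
    """Walk the chain top-down for a NEW tcp/25 packet.  LOG is
    non-terminating, so the walk continues after it; the first terminating
    target wins.  Returns (target, was_logged); 'RETURN' means nothing in
    the chain matched and the packet falls back to the calling chain."""
    pkt = {"src": src_ip, "dst": dst_ip, "proto": "tcp", "dport": 25, "state": "NEW"}
    logged = False
    for rule in parse_rules(rules_text):
        if not matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logged = True
            continue
        return rule["target"], logged
    return "RETURN", logged


def uncovered_private_ranges(rules_text):
    """RFC1918 ranges not wholly inside some tcp/25 ACCEPT source network."""
    accepts = [r["src"] for r in parse_rules(rules_text)
               if r["target"] == "ACCEPT" and r["src"] is not None and r["dport"] == 25]
    return [str(n) for n in RFC1918 if not any(n.subnet_of(a) for a in accepts)]


if __name__ == "__main__":
    for ip in ("203.0.113.5", "10.1.2.3", "172.17.0.5", "172.20.0.5", "198.51.100.77"):
        print(ip, smtp_verdict(SAMPLE_RULES, ip))
    print("private ranges not fully allowed:", uncovered_private_ranges(SAMPLE_RULES))
```

Run it against your own chain by pasting the output of "iptables-save" (or the acctin lines from /etc/sysconfig/iptables) into SAMPLE_RULES; the point of the walk is that order matters: an ACCEPT for the filtering server placed below the final DROP never fires, and a source mask that is too narrow shows up as a DROP with the LOG prefix rather than a silent failure.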
