* How to block sending mail from local network.
@ 2004-02-07 10:51 David Harel
From: David Harel @ 2004-02-07 10:51 UTC (permalink / raw)
To: netfilter
Hi all,
I have a small local network and a Linux machine as a gateway to the
Internet. On the Linux machine I started iptables using the script from
Oscar Andreasson's tutorial at:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
Using his script: rc.DHCP.firewall.
This script implements masquerading service to the internal network and
provides firewall security.
The problem started when I was suspected of having a MyDoom virus or
some other worm that sends unsolicited messages. Most likely this could
have happened to any of the machines on the internal network.
In Oscar's script the local network is treated liberally, allowing it
to do everything, assuming that illegal activity will be blocked elsewhere
by the firewall. This is done using the command:
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
where LAN_IFACE is eth0 and LAN_IP_RANGE is 10.0.0/24 (of course
IPTABLES is /usr/sbin/iptables)
I want to block smtp operations from the local network so the
viruses/worms will be blocked.
I tried a command:
$IPTABLES -A OUTPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE --dport smtp
-j DROP
but it did nothing.
What can I do to block those message-sending attempts?
--
Thanks.
David Harel,
==================================
Home office +972 4 6921986
Fax: +972 4 6921986
Cellular: +972 54 534502
Snail Mail: Amuka
D.N Merom Hagalil
13802
Israel
Email: hareldvd@ergolight-sw.com
* Re: How to block sending mail from local network.
From: Sven Schuster @ 2004-02-07 20:15 UTC (permalink / raw)
To: David Harel; +Cc: netfilter
Hi David,
On Sat, Feb 07, 2004 at 12:51:33PM +0200, David Harel told us:
> Hi all,
> I tried a command:
> $IPTABLES -A OUTPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE --dport smtp
> -j DROP
> but it did nothing.
This will only stop traffic generated on your gateway. To stop traffic
going _through_ the gateway you will need to put this rule in the
FORWARD chain instead of OUTPUT, so replace OUTPUT with FORWARD; you
might try something like this:
$IPTABLES -A FORWARD -p tcp --dport 25 -i $LAN_IFACE -o $EXT_IFACE \
-j REJECT --reject-with tcp-reset
HTH
Sven
> What can I do to block those messages sending attempts?
> --
> Thanks.
> David Harel,
--
Linux zion 2.6.3-rc1 #1 Sat Feb 7 19:08:35 CET 2004 i686 athlon i386 GNU/Linux
21:11:01 up 28 min, 2 users, load average: 0.12, 0.06, 0.05
* RE: How to block sending mail from local network.
From: Rob Sterenborg @ 2004-02-07 20:17 UTC (permalink / raw)
To: netfilter
> I want to block smtp operations from the local network so the
> viruses/worms will be blocked.
>
> I tried a command:
> $IPTABLES -A OUTPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE --dport smtp
> -j DROP
> but it did nothing.
No, the INPUT and OUTPUT chains are for filtering the local machine: the
firewall itself.
If you want to block clients, you should use the FORWARD chain.
You could use a rule like this one :
$IPTABLES -A FORWARD -i $LAN_IFACE -s $LAN_IP_RANGE -p tcp --dport 25 -j DROP
or
$IPTABLES -A FORWARD -i $LAN_IFACE -s $LAN_IP_RANGE -p tcp --dport 25 -j REJECT --reject-with tcp-reset
I suppose you're running your own mailserver? Otherwise none of your
clients are able to send email.
Gr,
Rob
* Re: How to block sending mail from local network.
From: David Harel @ 2004-02-08 9:39 UTC (permalink / raw)
To: Sven Schuster; +Cc: netfilter
Thanks,
This works great.
--
Thanks.
David Harel,
* Re: How to block sending mail from local network.
From: Tarek W. @ 2004-02-08 15:31 UTC (permalink / raw)
To: netfilter
Use the filter table's FORWARD chain instead of OUTPUT, and you probably want to use -I
instead of -A.
* Re: How to block sending mail from local network.
From: Alex Satrapa @ 2004-02-08 21:42 UTC (permalink / raw)
To: netfilter
David Harel wrote:
> $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
This only means that all machines on the local network can make connections to this machine itself.
If this machine is a router, and you want it to block outgoing SMTP connections, first identify which machine on your network is the authorised SMTP relay. If it's not the firewall itself, then you need to add a rule to accept forwarded packets for the SMTP relay, and block everyone else. You'll need two rules like this:
# -I inserts at the top of FORWARD, so insert the REJECT first and the relay ACCEPT last; the ACCEPT then sits above the REJECT and is matched first.
$IPTABLES -I FORWARD -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE --dport 25 -j REJECT --reject-with icmp-net-prohibited
$IPTABLES -I FORWARD -p TCP -i $LAN_IFACE -s $SMTP_RELAY --dport 25 -j ACCEPT
I use "icmp-net-prohibited" since if someone is monitoring SMTP attempts, they'll see the ICMP packet telling them exactly why they can't make the connection. An alternative like -j DROP would mean the SMTP connections disappear into nothingness, and give the troubleshooter no hints as to what the problem is.
> I tried a command:
> $IPTABLES -A OUTPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE --dport smtp
> -j DROP
> but it did nothing.
This only prohibits this machine from making SMTP connections to other hosts on the local network.
The INPUT chain is used for connections to this host, OUTPUT is used for connections from this host, while FORWARD is used for packets being forwarded by this host on behalf of other machines.
HTH
Alex Satrapa
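As an added example (not code from the thread, nor from Oscar Andreasson's script), the following script combines the FORWARD-chain rule from Sven's and Rob's replies with Alex's exception for the authorised relay, and adds a LOG rule so the gateway's kernel log shows which LAN host is the one trying to send mail. It assumes EXT_IFACE (the Internet-facing interface, as named in Sven's reply) and SMTP_RELAY are set; the default addresses are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not code from the thread or from Oscar Andreasson's script.
# Builds the FORWARD-chain rules the replies describe: the authorised relay
# may send SMTP through the gateway; every other LAN host's attempt is logged
# (so the infected machine can be identified) and then rejected.
# Assumed: EXT_IFACE names the Internet-facing interface and SMTP_RELAY is
# the one LAN host allowed to relay mail; both defaults are placeholders.
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
LAN_IFACE=${LAN_IFACE:-eth0}
EXT_IFACE=${EXT_IFACE:-eth1}
LAN_IP_RANGE=${LAN_IP_RANGE:-10.0.0.0/24}
SMTP_RELAY=${SMTP_RELAY:-10.0.0.2}
DRY_RUN=${DRY_RUN:-0}   # 1 = print the commands instead of running them

# Prints the rules in *insertion* order. -I puts each rule at the top of the
# chain, so the match order is the reverse: relay ACCEPT, then LOG, then REJECT.
smtp_block_rules() {
  cat <<EOF
$IPTABLES -I FORWARD -p tcp -i $LAN_IFACE -o $EXT_IFACE -s $LAN_IP_RANGE --dport 25 -j REJECT --reject-with tcp-reset
$IPTABLES -I FORWARD -p tcp -i $LAN_IFACE -o $EXT_IFACE -s $LAN_IP_RANGE --syn --dport 25 -m limit --limit 6/min -j LOG --log-prefix "SMTP-BLOCKED: "
$IPTABLES -I FORWARD -p tcp -i $LAN_IFACE -o $EXT_IFACE -s $SMTP_RELAY --dport 25 -j ACCEPT
EOF
}

# Runs (or, with DRY_RUN=1, just prints) each rule in insertion order.
apply_rules() {
  smtp_block_rules | while IFS= read -r rule; do
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$rule"; else eval "$rule"; fi
  done
}

# Number of rules that will be installed, for a quick sanity check.
count_rules() { smtp_block_rules | wc -l | tr -d ' '; }

# Usage: sh block-smtp.sh show   (print the commands)
#        sh block-smtp.sh apply  (install them, as root)
case "${1:-}" in
  show)  DRY_RUN=1; apply_rules ;;
  apply) apply_rules ;;
esac
```

Only SYN packets are logged and the LOG rule is rate-limited, so a looping worm cannot flood the log; the source address in each "SMTP-BLOCKED:" line in dmesg or syslog identifies the host to clean.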
* RE: How to block sending mail from local network.
From: Mark Weaver @ 2004-02-08 22:40 UTC (permalink / raw)
To: netfilter
> I tried a command:
> $IPTABLES -A OUTPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE --dport smtp
> -j DROP
> but it did nothing.
You want the FORWARD chain. INPUT/OUTPUT only apply to the Linux box itself.
See the HOWTOs for more information.