* Restrict LAN users to send mail to Internet but allow to send mail to other LAN user.
From: ads nat @ 2004-10-27 14:58 UTC (permalink / raw)
To: netfilter
Hi,
I will elaborate my problem.
I am looking for a solution to the following problem.
I have a Linux internet gateway server having 3 NIC
cards
1) eth0 connected to internet.
2) eth1 connected to private LAN (192.168.0.1)
3) eth2 connected to DMZ server (10.0.0.1)
DMZ server is with one LAN card (eth0 : 10.0.0.2)
On DMZ, DNS, Web and sendmail are installed.
Iptables prerouting rules are set on Gateway server so
that users from LAN 192.168.0.0 can access web as well
as mail server.
Now I want to allow LAN users to send emails to each
other on LAN but want to allow some LAN users to send
email to Internet (outside world).
Is there any way using Linux iptables firewall to
achieve this requirement?
Thanks for support.
* Re: Restrict LAN users to send mail to Internet but allow to send mail to other LAN user.
From: Jason Opperisano @ 2004-10-27 16:54 UTC (permalink / raw)
To: netfilter
On Wed, Oct 27, 2004 at 07:58:28AM -0700, ads nat wrote:
> Hi,
> I will elaborate my problem.
>
> I am looking for a solution to the following problem.
>
> I have a Linux internet gateway server having 3 NIC
> cards
> 1) eth0 connected to internet.
> 2) eth1 connected to private LAN (192.168.0.1)
> 3) eth2 connected to DMZ server (10.0.0.1)
>
> DMZ server is with one LAN card (eth0 : 10.0.0.2)
>
> On DMZ, DNS, Web and sendmail are installed.
> Iptables prerouting rules are set on Gateway server so
> that users from LAN 192.168.0.0 can access web as well
> as mail server.
>
> Now I want to allow LAN users to send emails to each
> other on LAN but want to allow some LAN users to send
> email to Internet (outside world).
> Is there any way using Linux iptables firewall to
> achieve this requirement?
>
> Thanks for support.
# allow all LAN users to connect to DMZ mail server
iptables -A FORWARD -i eth1 -o eth2 -p tcp --syn --dport 25 \
-s 192.168.0.0/24 -d 10.0.0.2 -j ACCEPT
# allow special machine to send mail directly to internet
iptables -A FORWARD -i eth1 -o eth0 -p tcp --syn --dport 25 \
-s $special_machine_IP -j ACCEPT
assuming you're running a "deny all, allow specific" type rulebase,
you're done. if you're running an "allow all" rulebase, you'll need to
add:
iptables -A FORWARD -i eth1 -p tcp --syn --dport 25 -j REJECT
-j
--
Jason Opperisano <opie@817west.com>
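A constructed walk-through of the rulebase in the reply above, added here and not part of the thread. It keeps the thread's interfaces and addresses, assumes 192.168.0.50 for $special_machine_IP and 203.0.113.25 as a constructed Internet address; smtp_rules only prints the commands and smtp_verdict evaluates one new connection in first-match order, so the deny-all and allow-all cases can be compared without touching a live firewall.

```shell
#!/bin/sh
# Constructed walk-through of the FORWARD rules in the reply above; not from the thread.
# Interfaces and addresses follow the thread: eth1 = LAN 192.168.0.0/24, eth2 = DMZ with
# the mail server 10.0.0.2, eth0 = Internet. SPECIAL_IP is an assumed value standing in
# for $special_machine_IP. Nothing here touches a live firewall.
LAN_PREFIX=192.168.0     # the 192.168.0.0/24 LAN
MAIL_SERVER=10.0.0.2
SPECIAL_IP=192.168.0.50  # assumed: the one host allowed to send mail directly

# Print the rulebase for a FORWARD chain policy of DROP (deny-all) or ACCEPT (allow-all).
# The explicit REJECT is only needed, and only printed, for the allow-all case.
smtp_rules() {
  policy=$1
  echo "iptables -P FORWARD $policy"
  echo "iptables -A FORWARD -i eth1 -o eth2 -p tcp --syn --dport 25 -s 192.168.0.0/24 -d $MAIL_SERVER -j ACCEPT"
  echo "iptables -A FORWARD -i eth1 -o eth0 -p tcp --syn --dport 25 -s $SPECIAL_IP -j ACCEPT"
  if [ "$policy" = ACCEPT ]; then
    echo "iptables -A FORWARD -i eth1 -p tcp --syn --dport 25 -j REJECT"
  fi
}

# Verdict for the SYN of one new SMTP connection, evaluated in first-match order as
# netfilter does. Arguments: POLICY REJECT_RULE(0|1) IN_IF OUT_IF SRC DST. REJECT_RULE=0
# models an allow-all rulebase where the REJECT was forgotten. Only the --syn packet is
# modelled; the reply packets of an accepted connection need a separate ESTABLISHED rule.
smtp_verdict() {
  policy=$1; reject_rule=$2; in_if=$3; out_if=$4; src=$5; dst=$6
  case $src in "$LAN_PREFIX".*) from_lan=1 ;; *) from_lan=0 ;; esac
  # rule 1: any LAN host may open SMTP to the DMZ mail server
  if [ "$in_if" = eth1 ] && [ "$out_if" = eth2 ] && [ "$from_lan" = 1 ] && [ "$dst" = "$MAIL_SERVER" ]; then
    echo ACCEPT; return 0
  fi
  # rule 2: only the special machine may open SMTP towards the Internet
  if [ "$in_if" = eth1 ] && [ "$out_if" = eth0 ] && [ "$src" = "$SPECIAL_IP" ]; then
    echo ACCEPT; return 0
  fi
  # rule 3: explicit REJECT of all other SMTP from the LAN, if it was added
  if [ "$reject_rule" = 1 ] && [ "$in_if" = eth1 ]; then
    echo REJECT; return 0
  fi
  echo "$policy"   # nothing matched: the chain policy decides
}

# An ordinary LAN host trying SMTP straight to a constructed Internet address (203.0.113.25):
smtp_verdict DROP   0 eth1 eth0 192.168.0.10 203.0.113.25  # DROP: deny-all rulebase
smtp_verdict ACCEPT 0 eth1 eth0 192.168.0.10 203.0.113.25  # ACCEPT: allow-all rulebase missing the REJECT, the back door
smtp_verdict ACCEPT 1 eth1 eth0 192.168.0.10 203.0.113.25  # REJECT: allow-all rulebase with the REJECT added
```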
* Re: Restrict LAN users to send mail to Internet but allow to send mail to other LAN user.
From: Aleksandar Milivojevic @ 2004-10-27 18:20 UTC (permalink / raw)
To: netfilter
ads nat wrote:
> Now I want to allow LAN users to send emails to each
> other on LAN but want to allow some LAN users to send
> email to Internet (outside world).
> Is there any way using Linux iptables firewall to
> achieve this requirement?
I will assume that LAN users are allowed to connect to mail server only,
and not to the outside world. Controlling this on Sendmail level would be
much simpler and more efficient. Assuming you are using Sendmail as
your MTA. Netfilter isn't suited for this, because there's no way for
it to know if an SMTP connection between client (LAN user) and server is
delivery of email addressed to another LAN user, or to somebody at the
outside. Also, Sendmail will take care of generating appropriate error
messages back to the users, while Netfilter would simply block the
traffic without any explanation to the user of what happened.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
* RE: Restrict LAN users to send mail to Internet but allow to send mail to other LAN user.
From: Gary Smith @ 2004-10-27 18:55 UTC (permalink / raw)
To: Aleksandar Milivojevic, netfilter
You would still need netfilter to prevent other users from using the internet as a back door. For example, financial firms must log all incoming and outgoing SMTP traffic. To accomplish this you need to ensure that your users cannot access external SMTP servers, otherwise they could send out unlogged messages. We have done this in the past for a few companies. This forces the user to use the sendmail server for their email. I think this is the goal of the requester.
Gary Smith
* Re: Restrict LAN users to send mail to Internet but allow to send mail to other LAN user.
From: Aleksandar Milivojevic @ 2004-10-27 19:16 UTC (permalink / raw)
To: netfilter
Gary Smith wrote:
> You would still need netfilter to prevent other users from using the internet as a back door. For example, financial firms must log all incoming and outgoing SMTP traffic. To accomplish this you need to ensure that your users cannot access external SMTP servers, otherwise they could send out unlogged messages. We have done this in the past for a few companies. This forces the user to use the sendmail server for their email. I think this is the goal of the requester.
Which is exactly what my first sentence said: "I will assume that LAN
users are allowed to connect to mail server only, and not to outside
world". BTW, this is something that should be done by default.
Financial firm or not.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
* RE: Restrict LAN users to send mail to Internet but allow to send mail to other LAN user.
From: Gary Smith @ 2004-10-27 20:47 UTC (permalink / raw)
To: Aleksandar Milivojevic, netfilter
True... Sometimes I should read it twice... :)
Gary
* Re: Restrict LAN users to send mail to Internet but allow to send mail to other LAN user.
From: ads nat @ 2004-10-28 15:35 UTC (permalink / raw)
To: Aleksandar Milivojevic, netfilter
I tried to find out a sendmail solution for the problem
but could not find any article or mailing list topic
for the subject. Can you please guide me how to use
sendmail to only allow certain LAN users to send mail
to outside world and others will be restricted to LAN
users only.
Thanks for support.
--- Aleksandar Milivojevic <amilivojevic@pbl.ca>
wrote:
> ads nat wrote:
> > Now I want to allow LAN users to send emails to each
> > other on LAN but want to allow some LAN users to send
> > email to Internet (outside world).
> > Is there any way using Linux iptables firewall to
> > achieve this requirement?
>
> I will assume that LAN users are allowed to connect to
> mail server only, and not to the outside world.
> Controlling this on Sendmail level would be much simpler
> and more efficient. Assuming you are using Sendmail as
> your MTA. Netfilter isn't suited for this, because there's
> no way for it to know if an SMTP connection between client
> (LAN user) and server is delivery of email addressed to
> another LAN user, or to somebody at the outside. Also,
> Sendmail will take care of generating appropriate error
> messages back to the users, while Netfilter would simply
> block the traffic without any explanation to the user of
> what happened.
>
> --
> Aleksandar Milivojevic <amilivojevic@pbl.ca>
> Pollard Banknote Limited
> Systems Administrator
> 1499 Buffalo Place
> Tel: (204) 474-2323 ext 276
> Winnipeg, MB R3T 1L7
* Re: Restrict LAN users to send mail to Internet but allow to send mail to other LAN user.
From: Jason Opperisano @ 2004-10-28 15:48 UTC (permalink / raw)
To: netfilter
On Thu, Oct 28, 2004 at 08:35:41AM -0700, ads nat wrote:
> I tried to find out a sendmail solution for the problem
> but could not find any article or mailing list topic
> for the subject. Can you please guide me how to use
> sendmail to only allow certain LAN users to send mail
> to outside world and others will be restricted to LAN
> users only.
> Thanks for support.
i dunno...possibly a sendmail list?
go to:
http://marc.theaimsgroup.com/
click on the 'sendmail' list.
search the bodies for what you want (i typed "restrict user send")
it took me about 4 seconds to find a link to:
http://www.sendmail.org/~ca/email/restrict.html
which details: "This example ruleset restricts local users from sending
mail to external recipients."
*_man_* do i need some coffee...
-j
--
Jason Opperisano <opie@817west.com>
* Re: Restrict LAN users to send mail to Internet but allow to send mail to other LAN user.
From: Aleksandar Milivojevic @ 2004-10-28 16:42 UTC (permalink / raw)
To: ads nat; +Cc: netfilter
ads nat wrote:
> I tried to find out a sendmail solution for the problem
> but could not find any article or mailing list topic
> for the subject. Can you please guide me how to use
> sendmail to only allow certain LAN users to send mail
> to outside world and others will be restricted to LAN
> users only.
Check this page. The links under "Trying to enforce restrictions" will give
you some hints on how it can be done:
http://www.sendmail.org/~ca/email/misc.html
Also, you might consider the comp.mail.sendmail newsgroup and the Sendmail
mailing list. You will find many experts there to help you out.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7