From: Georgi Alexandrov <georgi.alexandrov@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Re: Scripting a firewall in front of a SMTP server
Date: Sun, 27 Nov 2005 23:49:05 +0200	[thread overview]
Message-ID: <438A29D1.4090508@gmail.com> (raw)
In-Reply-To: <7834b9550511270828o50b7b429o@mail.gmail.com>

Fernando Martins wrote:

>Hello,
>
>I have a firewall in front of an Exchange server. I can't receive
>any mail from outside. It seems I have a problem with my script. When
>I do a telnet on my server on port 25, from the outside, there is a
>connection but this one is closed before I reach the HELO messages.
>Moreover, when I try to connect from the firewall to the SMTP server
>(telnet 25) I have more or less the message:
>"
>escape caracter is :^]
>Connection closed by foreign host
>"
>
>My network is:
>
>Internet
>|
>|
>|
>Firewall
>|
>|
>SMTP
>
>Internet-Firewall interface: eth0 ip address xxx.yyy.zzz.ttt
>corresponding to the MX
>
>Firewall-SMTP= eth1
>
>SMTP: 192.168.0.2
>
>
>Any idea?
>Here is the script:
>
>#!/bin/sh
># script /etc/firewall.sh
>echo 1 > /proc/sys/net/ipv4/ip_forward
>echo "Activation du forwarding :[OK]\n"
># enable reverse-path filtering on every interface
>if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
>then
>for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
>do
>echo 1 > "$filtre"
>done
>fi
>
>echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
>echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
>modprobe ip_tables
>modprobe iptable_filter
>modprobe iptable_nat
>
>iptables -F
>iptables -X
>
># logging chains: log then drop, log then accept
>iptables -N LOG_DROP
>iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
>iptables -A LOG_DROP -j DROP
>
>iptables -N LOG_ACCEPT
>iptables -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
>iptables -A LOG_ACCEPT -j ACCEPT
>
># default policies: drop whatever is not explicitly accepted
>iptables -P INPUT DROP
>iptables -P OUTPUT DROP
>iptables -P FORWARD DROP
>
>iptables -A INPUT -i lo -j ACCEPT
>iptables -A OUTPUT -o lo -j ACCEPT
>
># the firewall host itself: HTTP out on eth0 and the replies (this pair is listed twice)
>iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -p tcp --dport 80 -j ACCEPT
>iptables -A INPUT -i eth0 -m state --state ESTABLISHED -p tcp --sport 80 -j ACCEPT
>
>iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -p tcp --dport 80 -j ACCEPT
>iptables -A INPUT -i eth0 -m state --state ESTABLISHED -p tcp --sport 80 -j ACCEPT
>
># DNAT of the public address to the internal server for HTTP and SMTP
>iptables -t nat -A PREROUTING -d xxx.yyy.zzz.ttt -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
>iptables -t nat -A PREROUTING -d xxx.yyy.zzz.ttt -p tcp --dport 25 -j DNAT --to-destination 192.168.0.2:25
>
># accept all forwarding between the two interfaces in both directions
># (the per-port FORWARD rules below are therefore never reached)
>iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>iptables -A FORWARD -o eth1 -i eth0 -j ACCEPT
>
>iptables -A FORWARD -i eth0 -o eth1 -p tcp --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT
>iptables -A FORWARD -o eth0 -i eth1 -p tcp --source-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT
>
>iptables -A FORWARD -i eth0 -o eth1 -p tcp --destination-port 25 -m state --state NEW,ESTABLISHED -j ACCEPT
>iptables -A FORWARD -o eth0 -i eth1 -p tcp --source-port 25 -m state --state ESTABLISHED -j ACCEPT
>
># everything else is logged and dropped
>iptables -A FORWARD -j LOG_DROP
>iptables -A INPUT -j LOG_DROP
>iptables -A OUTPUT -j LOG_DROP
>
I suggest you start with this - 
http://www.iseclab.net/modules/articles/article.php?id=1
and this - http://iptables-tutorial.frozentux.net/iptables-tutorial.html

good luck
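
A stateful ruleset for the same topology, added here as an example and not taken from the thread: it keeps the port-25 DNAT, replaces the per-port --sport rules with one ESTABLISHED,RELATED rule per chain, and adds the OUTPUT rule the firewall host needs to open port 25 to the SMTP host itself. The interface names and 192.168.0.2 follow the quoted script; the public address 203.0.113.10 and the SNAT rule are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: a stateful ruleset for the same
# Internet -> firewall -> SMTP topology. Interfaces and addresses are arguments.
# IPT defaults to a dry run that prints the commands; run as root with IPT=iptables to apply.
: "${IPT:=echo iptables}"

smtp_dnat_rules() {
    wan_if=$1; lan_if=$2; public_ip=$3; smtp_ip=$4
    $IPT -F; $IPT -t nat -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP

    # One conntrack rule per chain accepts all reply packets, so no --sport
    # rules are needed and reply traffic on the LAN side is covered too.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Inbound SMTP: DNAT the public address to the internal host, then accept
    # only NEW port-25 connections that were actually rewritten to it.
    $IPT -t nat -A PREROUTING -i "$wan_if" -d "$public_ip" -p tcp --dport 25 \
        -j DNAT --to-destination "$smtp_ip:25"
    $IPT -A FORWARD -i "$wan_if" -o "$lan_if" -d "$smtp_ip" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT

    # Outbound mail from the SMTP host, source-NATed to the public address
    # (an assumption; drop the SNAT rule if the host is routable on its own).
    $IPT -A FORWARD -i "$lan_if" -o "$wan_if" -s "$smtp_ip" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$wan_if" -s "$smtp_ip" -j SNAT --to-source "$public_ip"

    # The firewall host itself may open port 25 to the SMTP host (the
    # "telnet 25" check in the thread); with OUTPUT policy DROP and no rule
    # for the LAN interface, that SYN would never leave the firewall.
    $IPT -A OUTPUT -o "$lan_if" -d "$smtp_ip" -p tcp --dport 25 \
        -m state --state NEW -j ACCEPT

    # Everything else: rate-limited log, then drop.
    $IPT -N LOG_DROP
    $IPT -A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix '[IPTABLES DROP] : '
    $IPT -A LOG_DROP -j DROP
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -j LOG_DROP
    done
}
# Dry-run self-check: number of emitted rules that match port 25 (expect 4).
count_port25_rules() { smtp_dnat_rules "$@" | grep -c -- '--dport 25'; }
if [ $# -eq 4 ]; then smtp_dnat_rules "$@"; fi
```

Run it as `sh smtp-fw.sh eth0 eth1 203.0.113.10 192.168.0.2` to review the generated commands before applying them with IPT=iptables.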

