* Scripting a firewall in front of a SMTP server
@ 2005-11-27 16:28 Fernando Martins
From: Fernando Martins @ 2005-11-27 16:28 UTC (permalink / raw)
To: netfilter
Hello,
I have a firewall in front of an Exchange server. I can't receive
any mail from outside. It seems I have a problem with my script. When
I do a telnet to my server on port 25 from the outside, there is a
connection, but it is closed before I reach the HELO message.
Moreover, when I try to connect from the firewall to the SMTP server
(telnet 25), I get more or less the message:
"
escape character is :^]
Connection closed by foreign host
"
My network is:
Internet
|
|
|
Firewall
|
|
SMTP
Internet-Firewall interface: eth0, IP address xxx.yyy.zzz.ttt,
corresponding to the MX
Firewall-SMTP interface: eth1
SMTP: 192.168.0.2
Any idea?
Here is the script:
#!/bin/sh
# script /etc/firewall.sh
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Activation du forwarding :[OK]\n"
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > $filtre
    done
fi

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat

iptables -F
iptables -X

iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP

iptables -N LOG_ACCEPT
iptables -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
iptables -A LOG_ACCEPT -j ACCEPT

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -p tcp --sport 80 -j ACCEPT

iptables -t nat -A PREROUTING -d xxx.yyy.zzz.ttt -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
iptables -t nat -A PREROUTING -d xxx.yyy.zzz.ttt -p tcp --dport 25 -j DNAT --to-destination 192.168.0.2:25

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -o eth1 -i eth0 -j ACCEPT

iptables -A FORWARD -i eth0 -o eth1 -p tcp --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p tcp --source-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --destination-port 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -o eth0 -i eth1 -p tcp --source-port 25 -m state --state ESTABLISHED -j ACCEPT

iptables -A FORWARD -j LOG_DROP
iptables -A INPUT -j LOG_DROP
iptables -A OUTPUT -j LOG_DROP
* RE: Scripting a firewall in front of a SMTP server
From: Seferovic Edvin @ 2005-11-27 16:36 UTC (permalink / raw)
To: netfilter
Hi,
Why do you need this line?
iptables -A INPUT -i eth0 -m state --state ESTABLISHED -p tcp --sport 80 -j ACCEPT
Regards,
Edvin
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Fernando Martins
Sent: Sonntag, 27. November 2005 17:29
To: netfilter@lists.netfilter.org
Subject: Scripting a firewall in front of a SMTP server
* RE: Scripting a firewall in front of a SMTP server
From: Rob Sterenborg @ 2005-11-27 17:11 UTC (permalink / raw)
To: netfilter
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
You're making it harder for yourself setting the policy of OUTPUT to
DROP.
You can always do that when your script is working, if you still want
to.
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -p tcp
> --dport 80 -j ACCEPT
>
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED -p tcp --sport
> 80 -j ACCEPT
>
> iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -p tcp
> --dport 80 -j ACCEPT
>
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED -p tcp --sport
> 80 -j ACCEPT
Get rid of the 4 rules above because you're going to DNAT port 80.
Forwarded http traffic will hit the FORWARD chain, not INPUT or OUTPUT.
See also:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES
> iptables -t nat -A PREROUTING -d xxx.yyy.zzz.ttt -p tcp --dport 80 -j
> DNAT --to-destination 192.168.0.2:80
>
> iptables -t nat -A PREROUTING -d xxx.yyy.zzz.ttt -p tcp --dport 25 -j
> DNAT --to-destination 192.168.0.2:25
>
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> iptables -A FORWARD -o eth1 -i eth0 -j ACCEPT
>
> iptables -A FORWARD -i eth0 -o eth1 -p tcp --destination-port 80 -m
> state --state NEW,ESTABLISHED -j ACCEPT
>
> iptables -A FORWARD -o eth0 -i eth1 -p tcp --source-port 80 -m state
> --state NEW,ESTABLISHED -j ACCEPT
>
> iptables -A FORWARD -i eth0 -o eth1 -p tcp --destination-port 25 -m
> state --state NEW,ESTABLISHED -j ACCEPT
>
> iptables -A FORWARD -o eth0 -i eth1 -p tcp --source-port 25 -m state
> --state ESTABLISHED -j ACCEPT
First, you allow packets to be forwarded from eth0 <-> eth1. No state
matching, so any state matches.
Next, you are trying to match packets with state. They have already
matched.
Try this (only forwarding here, the rest you already have):
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i eth0 -o eth1 \
-d 192.168.0.2 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m state --state NEW -i eth0 -o eth1 \
-d 192.168.0.2 -p tcp --dport 25 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -d xxx.yyy.zzz.ttt \
-p tcp --dport 80 -j DNAT --to 192.168.0.2:80
iptables -t nat -A PREROUTING -i eth0 -d xxx.yyy.zzz.ttt \
-p tcp --dport 25 -j DNAT --to 192.168.0.2:25
echo 1 > /proc/sys/net/ipv4/ip_forward
Gr,
Rob
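The rule ordering Rob describes above (stateful reply rule first, then only NEW connections to the published services, no blanket interface-to-interface ACCEPT), written up as an added example script. This is not code from the thread or from the netfilter project: the interface names eth0/eth1 and the internal address 192.168.0.2 are taken from the original post, xxx.yyy.zzz.ttt stands in for the public MX address as a placeholder, and the helper functions ipt, forward_rules, nat_rules, check_order and count_accepts, together with the DRY_RUN switch, are this example's own. In dry-run mode (the default) the script prints the iptables commands instead of executing them, so the chain order can be inspected on any machine before it is applied as root on the firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: generates the FORWARD and DNAT
# rules in first-match order. Interface names and the internal host come from
# the original post; WAN_IP is a placeholder. With DRY_RUN=1 the iptables
# commands are printed rather than run.

WAN_IF="${WAN_IF:-eth0}"                 # Internet-facing interface (from the thread)
LAN_IF="${LAN_IF:-eth1}"                 # interface towards the SMTP host (from the thread)
WAN_IP="${WAN_IP:-xxx.yyy.zzz.ttt}"      # placeholder for the firewall's public MX address
SMTP_HOST="${SMTP_HOST:-192.168.0.2}"    # internal mail server (from the thread)
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands, 0 = run iptables

# ipt: print one iptables command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# forward_rules: the FORWARD chain in first-match order. Replies and related
# packets are accepted by the first rule; after that only NEW connections from
# the Internet to the published ports on the internal host are accepted;
# anything else falls through to the chain's DROP policy.
forward_rules() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    for port in 25 80; do
        ipt -A FORWARD -m state --state NEW -i "$WAN_IF" -o "$LAN_IF" \
            -d "$SMTP_HOST" -p tcp --dport "$port" -j ACCEPT
    done
}

# nat_rules: DNAT the published ports on the public address to the internal
# host. Matching on -i "$WAN_IF" limits the rewrite to traffic arriving from
# the Internet side.
nat_rules() {
    for port in 25 80; do
        ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" \
            -p tcp --dport "$port" -j DNAT --to "$SMTP_HOST:$port"
    done
}

# check_order: returns 0 when the generated FORWARD rules put the
# RELATED,ESTABLISHED rule first and every later rule is state-matched, i.e.
# there is no unconditional ACCEPT like the original "-i eth1 -o eth0 -j ACCEPT".
check_order() {
    rules=$(DRY_RUN=1; forward_rules)
    first=$(printf '%s\n' "$rules" | grep -- '-A FORWARD' | head -n 1)
    case "$first" in
        *"--state RELATED,ESTABLISHED"*) ;;
        *) return 1 ;;
    esac
    if printf '%s\n' "$rules" | grep -- '-A FORWARD' | grep -v -- '-m state' | grep -q .; then
        return 1
    fi
    return 0
}

# count_accepts: number of ACCEPT rules the FORWARD chain would receive.
count_accepts() {
    (DRY_RUN=1; forward_rules) | grep -c -- '-j ACCEPT'
}

# Stand-alone use: print the rule set (or apply it with DRY_RUN=0 as root).
forward_rules
nat_rules
```

Run it as-is to see the three FORWARD rules and two PREROUTING rules in the order they would be installed; check_order fails on purpose if anyone later inserts a stateless ACCEPT ahead of the RELATED,ESTABLISHED rule, which is exactly the shadowing problem in the original script.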
* Re: Scripting a firewall in front of a SMTP server
From: Georgi Alexandrov @ 2005-11-27 21:49 UTC (permalink / raw)
To: netfilter
Fernando Martins wrote:
I suggest you start with this:
http://www.iseclab.net/modules/articles/article.php?id=1
and this: http://iptables-tutorial.frozentux.net/iptables-tutorial.html
Good luck.