Linux Netfilter discussions
From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Rejecting Ident (Auth) requests...
Date: Mon, 02 May 2005 02:28:13 -0500
Message-ID: <4275D68D.8040207@riverviewtech.net>

There was some talk on the list a while back about the merit of DROPping versus REJECTing Ident (Auth) requests at the firewall in response to outbound SMTP traffic.  I responded to the post (https://lists.netfilter.org/pipermail/netfilter/2005-April/060091.html) stating that I thought it would be possible to write some rules that would watch the outbound SMTP traffic and add entries to a recent list that would subsequently be checked by inbound Ident (Auth) traffic and REJECTed if it was on the recent list or silently DROPped if it was not on the recent list.  Well, I have just had the time to play with this and I got it working.  I wanted to share this with the list for anyone to benefit from.  Sorry if this is not a common practice here.  I think it would be a good idea; if not, let me know and I'll not do such in the future.

Below are the iptables rules that I used to implement this feature.

# Inbound Ident: REJECT only if the client was recently the destination of our SMTP traffic
iptables -t filter -A INPUT -i $INet -d $INet_IP -p tcp --dport 113 -m recent --name Outbound_SMTP --rcheck --seconds 3600 -j REJECT
# LAN-originated SMTP (25) and submission (587): record the destination (--rdest) in the list
iptables -t filter -A FORWARD -i $LAN -o $INet -s $LAN_Subnet -p tcp --dport 25 -m recent --name Outbound_SMTP --set --rdest -j ACCEPT
iptables -t filter -A FORWARD -i $LAN -o $INet -s $LAN_Subnet -p tcp --dport 587 -m recent --name Outbound_SMTP --set --rdest -j ACCEPT
# Firewall-originated SMTP (25) and submission (587): same, from the OUTPUT chain
iptables -t filter -A OUTPUT -o $INet -s $INet_IP -p tcp --dport 25 -m recent --name Outbound_SMTP --set --rdest -j ACCEPT
iptables -t filter -A OUTPUT -o $INet -s $INet_IP -p tcp --dport 587 -m recent --name Outbound_SMTP --set --rdest -j ACCEPT

The first rule is what will match against the Outbound_SMTP recent list to see if Ident (Auth) traffic should be rejected.  If the traffic is not explicitly REJECTed it will continue traversing the chain(s) and have the default policy applied to it if there is not some other rule that explicitly acts on it.

The second and third rules are what add the destination of the SMTP / source of Ident (Auth) traffic to the Outbound_SMTP recent list for both port 25 and the alternate MUA submission port for LAN generated traffic.

The fourth and fifth rules are what add the destination of the SMTP / source of Ident (Auth) traffic to the Outbound_SMTP recent list for both port 25 and the alternate MUA submission port for locally generated (on the firewall / router) traffic.

Any comments or questions are welcome.  :)



Grant. . . .
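As an added example (not part of Grant's post): a POSIX shell script that generates the ruleset described above from a port list, so that neither chain can miss a port, and that checks a constructed dump in the format of /proc/net/xt_recent/Outbound_SMTP to show which Ident clients the REJECT rule would currently match. The interface names, addresses and the dump are assumptions; `--reject-with tcp-reset` is my addition, since a TCP reset is what an Ident client expects from a closed port.

```shell
#!/bin/sh
# Added example, not code from the original post. Interfaces, addresses
# and the recent-table dump below are assumed / constructed values.
INet=eth0; INet_IP=203.0.113.10; LAN=eth1; LAN_Subnet=192.168.1.0/24
LIST=Outbound_SMTP; WINDOW=3600

# Emit the rules: one REJECT for inbound Ident, then one --set --rdest rule
# per (chain, port) pair, so 25 and 587 are always covered in both chains.
ident_rules() {
  echo "iptables -t filter -A INPUT -i $INet -d $INet_IP -p tcp --dport 113 -m recent --name $LIST --rcheck --seconds $WINDOW -j REJECT --reject-with tcp-reset"
  for port in 25 587; do
    echo "iptables -t filter -A FORWARD -i $LAN -o $INet -s $LAN_Subnet -p tcp --dport $port -m recent --name $LIST --set --rdest -j ACCEPT"
    echo "iptables -t filter -A OUTPUT -o $INet -s $INet_IP -p tcp --dport $port -m recent --name $LIST --set --rdest -j ACCEPT"
  done
}

# Constructed sample in the format the kernel exposes in /proc/net/xt_recent/$LIST:
# one "src=<ip> ttl: ... last_seen: <jiffies> oldest_pkt: ..." line per tracked peer.
SAMPLE_DUMP='src=198.51.100.25 ttl: 64 last_seen: 4295012345 oldest_pkt: 1 4295012345
src=198.51.100.99 ttl: 64 last_seen: 4295099999 oldest_pkt: 1 4295099999'

# ident_verdict <dump> <ident-client-ip>: REJECT if the peer is in the table
# (we recently sent it mail), otherwise FALLTHROUGH (default policy applies).
# Membership only: the --seconds window is not evaluated here, because
# last_seen is in kernel jiffies rather than wall-clock time.
ident_verdict() {
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')     # escape dots for grep
  if printf '%s\n' "$1" | grep -q -- "^src=$pat "; then
    echo REJECT
  else
    echo FALLTHROUGH
  fi
}

ident_rules
ident_verdict "$SAMPLE_DUMP" 198.51.100.25   # REJECT
ident_verdict "$SAMPLE_DUMP" 203.0.113.77    # FALLTHROUGH
```

On a live firewall, replace SAMPLE_DUMP with `cat /proc/net/xt_recent/Outbound_SMTP` to see which peers would currently be answered with a reset instead of being dropped.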

