Linux Netfilter discussions
From: Georgi Alexandrov <georgi.alexandrov@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Re: Scripting a firewall in front of a SMTP server
Date: Sun, 27 Nov 2005 23:49:05 +0200
Message-ID: <438A29D1.4090508@gmail.com>
In-Reply-To: <7834b9550511270828o50b7b429o@mail.gmail.com>

Fernando Martins wrote:

>Hello,
>
>I have a firewall in front of an Exchange server. I can't receive
>any mail from outside. It seems I have a problem with my script. When
>I do a telnet on my server on port 25, from the outside, there is a
>connection but this one is closed before I reach the HELO messages.
>Moreover, when I try to connect from the firewall to the SMTP server
>(telnet 25)
>I have more or less the message:
>"
>escape character is :^]
>Connection closed by foreign host
>"
>
>My network is :
>
>Internet
>|
>|
>|
>Firewall
>|
>|
>SMTP
>
>Internet-Firewall interface: eth0 ip address xxx.yyy.zzz.ttt
>corresponding to the MX
>
>Firewall-SMTP= eth1
>
>SMTP: 192.168.0.2
>
>
>Any idea?
>Here is the script:
>
>#!/bin/sh
># script /etc/firewall.sh
># Enable forwarding and reverse-path filtering
>echo 1 > /proc/sys/net/ipv4/ip_forward
>echo "Forwarding enabled: [OK]\n"
>if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
>then
>for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
>do
>echo 1 > $filtre
>done
>fi
>
># Ignore ICMP echo requests
>echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
>echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
>modprobe ip_tables
>modprobe iptable_filter
>modprobe iptable_nat
>
># Flush existing rules and delete user chains
>iptables -F
>iptables -X
>
># Logging chains
>iptables -N LOG_DROP
>iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
>iptables -A LOG_DROP -j DROP
>
>iptables -N LOG_ACCEPT
>iptables -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
>iptables -A LOG_ACCEPT -j ACCEPT
>
># Default-deny policies
>iptables -P INPUT DROP
>iptables -P OUTPUT DROP
>iptables -P FORWARD DROP
>
>iptables -A INPUT -i lo -j ACCEPT
>iptables -A OUTPUT -o lo -j ACCEPT
>
># The firewall's own outbound HTTP
>iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -p tcp --dport 80 -j ACCEPT
>iptables -A INPUT -i eth0 -m state --state ESTABLISHED -p tcp --sport 80 -j ACCEPT
>
>iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED -p tcp --dport 80 -j ACCEPT
>iptables -A INPUT -i eth0 -m state --state ESTABLISHED -p tcp --sport 80 -j ACCEPT
>
># Publish HTTP and SMTP on the MX address, forwarded to the internal host
>iptables -t nat -A PREROUTING -d xxx.yyy.zzz.ttt -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
>iptables -t nat -A PREROUTING -d xxx.yyy.zzz.ttt -p tcp --dport 25 -j DNAT --to-destination 192.168.0.2:25
>
># Forwarding between the two interfaces
>iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>iptables -A FORWARD -o eth1 -i eth0 -j ACCEPT
>
>iptables -A FORWARD -i eth0 -o eth1 -p tcp --destination-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT
>iptables -A FORWARD -o eth0 -i eth1 -p tcp --source-port 80 -m state --state NEW,ESTABLISHED -j ACCEPT
>
>iptables -A FORWARD -i eth0 -o eth1 -p tcp --destination-port 25 -m state --state NEW,ESTABLISHED -j ACCEPT
>iptables -A FORWARD -o eth0 -i eth1 -p tcp --source-port 25 -m state --state ESTABLISHED -j ACCEPT
>
># Log and drop everything else
>iptables -A FORWARD -j LOG_DROP
>iptables -A INPUT -j LOG_DROP
>iptables -A OUTPUT -j LOG_DROP
>
>
>  
>
I suggest you start with this - 
http://www.iseclab.net/modules/articles/article.php?id=1
and this - http://iptables-tutorial.frozentux.net/iptables-tutorial.html

good luck
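Added example (editor's, not code from this thread or from either poster): a minimal stateful ruleset for the topology described above, written as an iptables-restore file so the whole firewall is loaded in one atomic step. Two general points it illustrates that the posted script does not: iptables evaluates rules first-match, so an unrestricted "-A FORWARD -i eth1 -o eth0 -j ACCEPT" placed before the port-specific FORWARD rules means those narrower rules are never consulted; and a single "RELATED,ESTABLISHED" rule per chain replaces the per-port ESTABLISHED/--sport rules, which otherwise have to be kept in sync by hand. Interface names eth0/eth1 and the SMTP address 192.168.0.2 are taken from the post; WAN_IP is an assumed placeholder from the 203.0.113.0/24 documentation range standing in for the redacted xxx.yyy.zzz.ttt, and the outbound DNS/SMTP allowances for the mail host are assumptions about what an MX needs.

```sh
#!/bin/sh
# Added example, not code from the thread: builds an iptables-restore ruleset
# for the topology in the post (Internet - firewall - SMTP host). Interface
# names and the SMTP address are taken from the post; WAN_IP is a placeholder
# from the 203.0.113.0/24 documentation range standing in for xxx.yyy.zzz.ttt.
WAN_IF=eth0
LAN_IF=eth1
WAN_IP=203.0.113.10
SMTP_IP=192.168.0.2

# Print the complete ruleset. Default policy is DROP in every chain; only
# replies to tracked connections (RELATED,ESTABLISHED) and the NEW connections
# listed explicitly get through. iptables is first-match, so every narrow
# ACCEPT sits above the final LOG_DROP and no blanket ACCEPT precedes it.
fw_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Publish port 25 of the MX address on the internal SMTP host
-A PREROUTING -i $WAN_IF -d $WAN_IP -p tcp --dport 25 -j DNAT --to-destination $SMTP_IP:25
# Outbound mail from the SMTP host leaves with the MX address as source
-A POSTROUTING -o $WAN_IF -s $SMTP_IP -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "[IPTABLES DROP] : "
-A LOG_DROP -j DROP
# Traffic to and from the firewall itself: loopback, replies, outbound DNS and HTTP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Forwarded traffic: the DNATed SMTP connection inbound; SMTP and DNS outbound from the mail host
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $WAN_IF -o $LAN_IF -d $SMTP_IP -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $SMTP_IP -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $SMTP_IP -p udp --dport 53 -m state --state NEW -j ACCEPT
# Everything else is logged (rate limited) and dropped
-A INPUT -j LOG_DROP
-A FORWARD -j LOG_DROP
-A OUTPUT -j LOG_DROP
COMMIT
EOF
}

# Self-check: count the FORWARD rules that admit NEW connections. The ruleset
# above opens exactly three (SMTP in, SMTP out, DNS out from the mail host).
fw_new_forward_count() {
    fw_ruleset | grep -c -- '^-A FORWARD .*--state NEW -j ACCEPT'
}

# Load the whole ruleset atomically. iptables-restore replaces the tables in
# one step, unlike -F/-X followed by a run of -A calls, which leaves a
# half-built firewall if any single command fails part-way through.
fw_apply() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    fw_ruleset | iptables-restore
}

case "${1:-}" in
    apply) fw_apply ;;
    *)     fw_ruleset ;;
esac
```

Run it with no arguments to print the ruleset for review, and with "apply" as root to load it. Two checks worth doing before blaming the ruleset for a connection that opens and then closes: the DNAT rewrites only the client-to-server direction, and conntrack un-rewrites the replies, so the SMTP host must route its replies back through the firewall (its default gateway has to be the firewall's eth1 address, not some other router); and the packet counters from "iptables -t nat -L PREROUTING -n -v" and "iptables -L FORWARD -n -v" show whether the DNAT and FORWARD rules are matching at all. If the counters climb and the TCP handshake completes but the session still drops before the banner, the firewall has done its job and the next place to look is the mail server itself.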



Thread overview: 4+ messages
2005-11-27 16:28 Scripting a firewall in front of a SMTP server Fernando Martins
2005-11-27 16:36 ` Seferovic Edvin
2005-11-27 17:11 ` Rob Sterenborg
2005-11-27 21:49 ` Georgi Alexandrov [this message]