On 3/6/2013 3:05 PM, Chuck Tetlow wrote:
> Hi all,
> I have a Blue Quartz 5100 still running the old
> NuOnce/SolarSpeed AV/spam package. It no longer
> updates SA and Clam etc. With the garbage being
> sent it no longer has much of a chance of protecting
> mail as well as the current AV/spam package does.
> BTW, the current package works GREAT!
>
> I am using 2 servers: the one the MX points to has the AV/spam
> package on it (server 1, BO5601). It scans the mail and
> sends it on to the BQ5100 (server 2).
>
> My question is, how do I stop mail from bypassing
> the MX records and going around server 1 directly
> to server 2?
>
> If I use iptables to block port 25 for all but
> one IP address, local mail (users, mail, admin, root etc.)
> quits sending on server 1.
>
> # iptables -A INPUT ! -s 1.2.3.4 -p tcp --dport 25 -j REJECT
> or
> # iptables -A acctin ! -s 1.2.3.4 -p tcp --dport 25 -j REJECT
>
> What other rule would I use to keep the localhost, the domains
> and the internals happy on server 2 and only allow mail from
> server 1 and nowhere else, or a more permanent, better way to
> do so?
>
> TIA
> David
Hi David,
We have a similar situation, with an external mail filtering server
running Roaring Penguin CanIt. And we also had a problem with the
script-kiddies sending crap directly to the end-servers, because they
didn't use the MX records for the domains - they just sent their crap
to any machine that responds on TCP port 25.
So I set up some IPTables filtering rules of my own. I put these
rules in the /etc/sysconfig/iptables file so they're loaded
automatically. While I know the file has a warning in it about manual
changes being lost - I haven't had that happen to me. And if it did
start - I'd just lock the file with the immutable bit (chattr +i
/etc/sysconfig/iptables).
So here are the rules in each end-server to keep out everyone but my SPAM
filtering server and other local company servers. These go up near
the top of that /etc/sysconfig/iptables file, right under the line "-A
OUTPUT -j acctout":
#1 - Keep your server talking to itself:
-A acctin -d 127.0.0.1/32 -j ACCEPT
-A acctout -s 127.0.0.1/32 -j ACCEPT
#2 - Allow in connections from any inside networks you have, or any
Private Address Space you are using. Be sure your filtering server
falls in here somewhere:
-A acctin -m state --state NEW -p tcp -s 1.2.3.4/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 4.3.2.1/24 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 10.0.0.0/8 --dport 25 -j ACCEPT
# 172.16.0.0/12 is the whole RFC 1918 block; the original post had /14, which only reaches 172.19.255.255
-A acctin -m state --state NEW -p tcp -s 172.16.0.0/12 --dport 25 -j ACCEPT
-A acctin -m state --state NEW -p tcp -s 192.168.0.0/16 --dport 25 -j ACCEPT
#3 - Log the connection attempts (just so I can see who is trying hard
to get in and can be blocked at the main router):
# The trailing space inside the quotes keeps the prefix from running straight into "IN=" in the kernel log line
-A acctin -m state --state NEW -p tcp --dport 25 -j LOG --log-prefix "E-Mail-Connect "
#4 - Now, drop the connection attempt. (P.S. - These comment lines
numbered 1-4 don't go in that file. They're just explanation):
-A acctin -m state --state NEW -p tcp --dport 25 -j DROP
After putting those firewall rules into that file, restart the
firewall with "service iptables restart". You can check to see if
they're in the active rules with "iptables -L -n | more". Look for
those rules up at the top of the chain labeled "acctin".
And if you want to see how much they're blocking - use "iptables -L -n
-v | more". That will also give a packet count of what each line has
allowed or blocked. That way - you can see how many connection
attempts the firewall rule has blocked.
I've found that this completely locks out the script kiddies that
connect via IP address to send SPAM. And after a while - the attempts
pretty much go away. Once they find they can't connect to your server
on TCP port 25 any more - they quit trying.
Good luck and shoot back a message if I haven't explained something
well enough.
Chuck
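The acctin rule set and the E-Mail-Connect log lines it produces, modelled in Python as an added example. This is my code, not anything posted in this thread or shipped with BlueOnyx. It assumes the ACCEPT list uses the full 172.16.0.0/12 private block, keeps the two public placeholder networks from the post as-is, and feeds the parser constructed kernel log lines (RFC 5737 documentation addresses; the hostname bq5100, the timestamps and the 1.2.3.200 entry are made up). The first function answers "would this source reach the DROP?" the same way the chain does; the rest turn the LOG output into the list of sources worth blocking at the router, and flag any logged source the model says should have been accepted, which means the model and the live rules disagree.

```python
"""Model the acctin TCP/25 rules from the thread and summarise the
E-Mail-Connect LOG lines they emit. Added example, not BlueOnyx code."""
import ipaddress
import re
from collections import Counter

# Source networks the ACCEPT rules admit on TCP/25, in chain order.
# The two public /24s are the placeholders from the post; put your
# filtering server's network here. 172.16.0.0/12 is the full RFC 1918
# block (assumed here; the post used /14).
ALLOWED_SMTP_SOURCES = (
    "127.0.0.1/32",
    "1.2.3.4/24",
    "4.3.2.1/24",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
)


def smtp_allowed(src, allowed=ALLOWED_SMTP_SOURCES):
    """True if a NEW TCP/25 connection from src matches an ACCEPT rule
    before the final DROP, i.e. the decision the acctin chain makes."""
    addr = ipaddress.ip_address(src)
    # strict=False normalises "1.2.3.4/24" to 1.2.3.0/24, as iptables does.
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in allowed)


# One kernel LOG line per dropped SYN. With no trailing space in
# --log-prefix the prefix runs straight into "IN=", so accept both forms.
LOG_RE = re.compile(
    r"E-Mail-Connect\s*IN=(?P<iface>\S*).*?\bSRC=(?P<src>\S+)"
    r".*?\bDST=(?P<dst>\S+).*?\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)"
)


def parse_smtp_attempts(lines):
    """Yield (src, dst) for each E-Mail-Connect line aimed at port 25."""
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "25":
            yield m.group("src"), m.group("dst")


def top_sources(lines, n=5):
    """Most frequent blocked sources: the candidates for a router block."""
    return Counter(src for src, _ in parse_smtp_attempts(lines)).most_common(n)


def unexpected_allowed(lines):
    """Logged (i.e. dropped) sources that the model would ACCEPT. Anything
    here means the loaded rules and this model disagree; check iptables -L -n -v."""
    return sorted({src for src, _ in parse_smtp_attempts(lines) if smtp_allowed(src)})


# Constructed sample log: three senders that bypass the MX, one unrelated
# sshd line, and one source that the placeholder 1.2.3.4/24 rule should
# have accepted (so it should never appear in this log).
_MAC = "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
_TAIL = "LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=43210 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0"
SAMPLE_LOG = "\n".join([
    f"Mar  6 15:05:01 bq5100 kernel: E-Mail-ConnectIN=eth0 OUT= {_MAC} SRC=203.0.113.5 DST=198.51.100.10 {_TAIL}",
    f"Mar  6 15:05:03 bq5100 kernel: E-Mail-ConnectIN=eth0 OUT= {_MAC} SRC=203.0.113.5 DST=198.51.100.10 {_TAIL}",
    f"Mar  6 15:05:04 bq5100 kernel: E-Mail-ConnectIN=eth0 OUT= {_MAC} SRC=198.51.100.77 DST=198.51.100.10 {_TAIL}",
    "Mar  6 15:05:09 bq5100 sshd[2211]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
    f"Mar  6 15:05:11 bq5100 kernel: E-Mail-ConnectIN=eth0 OUT= {_MAC} SRC=203.0.113.5 DST=198.51.100.10 {_TAIL}",
    f"Mar  6 15:05:20 bq5100 kernel: E-Mail-ConnectIN=eth0 OUT= {_MAC} SRC=192.0.2.9 DST=198.51.100.10 {_TAIL}",
    f"Mar  6 15:05:31 bq5100 kernel: E-Mail-Connect IN=eth0 OUT= {_MAC} SRC=198.51.100.77 DST=198.51.100.10 {_TAIL}",
    f"Mar  6 15:05:40 bq5100 kernel: E-Mail-Connect IN=eth0 OUT= {_MAC} SRC=1.2.3.200 DST=198.51.100.10 {_TAIL}",
])


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, count in top_sources(lines):
        print(f"{count:5d}  {src}  allowed_by_model={smtp_allowed(src)}")
    print("logged but model says ACCEPT:", unexpected_allowed(lines))
```

On a live box the input is `grep E-Mail-Connect /var/log/messages` rather than the constructed sample; the mismatch check is the useful part, since a source that is both in the log and in the allow list usually means the rules were not reloaded or a typo in a network mask (the /14 versus /12 difference is exactly the kind of thing it catches).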
Fantastic. Will try that.
Thank you Gerald and Chuck
David
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx