Blocking Internal Users from Sending Mail Through Your Firewall


The following rules assume that you have a fairly loose NAT/MASQUERADE policy on your firewall and now need to block your internal network users from sending mail out through it. The motivation may be a change in corporate information security policy or, more likely, the need to stop virus- and worm-infected hosts on your network from spewing mail at systems outside of it.

In our first example, the firewall Host-A protects the internal network, 10.10.10.0/24. Hosts on the internal network use the host, Host-B.domain.com, which is located on the Internet for mail. Connections to this server will be allowed; all other connections will be denied.

Figure 14.3. Demonstration of outbound SMTP filter rules.


 # where eth0 is our external interface (Internet)
 # where eth1 is our internal interface (10.10.10.0/24)
 # $IPTABLES holds the path to the iptables binary, e.g. /sbin/iptables
 $IPTABLES -A FORWARD -p tcp --dport 25 -d host-b.domain.com -j ACCEPT
 $IPTABLES -A FORWARD -p tcp --dport 25 -j REJECT --reject-with icmp-net-prohibited

First note that these rules go in the FORWARD chain, because they apply to traffic passing through the firewall. Putting them in OUTPUT would only affect mail originating on the firewall itself. Note also that the ACCEPT rule for our external mail server, Host-B.domain.com, must be appended before the REJECT rule: the first matching rule wins, so in the reverse order every SMTP connection would be rejected. Giving -d a hostname is convenient, but iptables resolves it once, when the rule is loaded (adding one rule per address if the name resolves to several), so the rule has to be reloaded if Host-B's address changes. We reject with the ICMP message icmp-net-prohibited, rather than silently dropping, so that the client fails immediately with a visible error instead of hanging until it times out, which makes diagnosis much easier.

This next configuration assumes that the mail server, Host-B (192.168.1.25), sits on a DMZ segment (192.168.1.0/24) attached to its own interface on the firewall. Internal clients now reach Host-B through the firewall, so the REJECT must be limited to SMTP leaving toward the Internet; otherwise it would also block the clients' connections to their own mail server.

 # where eth0 is our external interface (Internet)
 # where eth1 is our internal interface (10.10.10.0/24)
 # -o eth0 limits the REJECT to SMTP leaving for the Internet, so internal
 # clients can still reach Host-B on the DMZ. "! -s" is the current negation
 # syntax; older iptables releases wrote it as "-s ! 192.168.1.25".
 $IPTABLES -A FORWARD -p tcp --dport 25 -o eth0 \
       ! -s 192.168.1.25 -j REJECT \
       --reject-with icmp-net-prohibited

This final example is included for convenience. We do not recommend running your SMTP server alongside your regular internal hosts, but we recognize that the decision is sometimes out of your hands (it is still a bad idea). This configuration assumes the internal mail server, Host-B, is at the IP address 10.10.10.25. Clients on 10.10.10.0/24 reach it directly on the LAN, so that traffic never crosses the firewall; only SMTP from any other source is forwarded, and it is rejected:

 $IPTABLES -A FORWARD -p tcp --dport 25 \
       ! -s 10.10.10.25 -j REJECT \
       --reject-with icmp-net-prohibited

Note

These rules will not help you with users or malware sending mail by other means, such as proxy servers on the far side of your firewall, exploitable web scripts, and so on. They also match port 25 only: mail submission on port 587 or SMTPS on port 465 passes untouched unless you add equivalent rules for those ports, and webmail over HTTPS cannot be told apart from ordinary web browsing by port alone.
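The three rule sets above are easy to get subtly wrong, so here is a small model of how the FORWARD chain evaluates them against sample connections. This is an added example, not code from the book: it imitates first-match evaluation for just the matches those rules use (-i, -o, -p, --dport, -s/-d with "!" negation) and ignores conntrack, NAT and the INPUT/OUTPUT chains. The interface name eth2 for the DMZ, the Internet addresses 203.0.113.25 (taken to be what host-b.domain.com resolves to) and 198.51.100.9, and the client 10.10.10.7 are assumptions made for the example. It shows the rule order point for the first example, why the DMZ rule needs -o eth0, and the port-25-only caveat from the Note.

```python
# Added example (not code from the book): a small model of first-match
# evaluation in the iptables FORWARD chain, used to check the outbound-SMTP
# rule sets above against constructed flows. It models only the matches those
# rules use (-i, -o, -p, --dport, -s/-d with "!" negation) and ignores
# conntrack, NAT and the INPUT/OUTPUT chains. Interface names and the
# Internet-side addresses below are assumptions for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Flow:
    """One forwarded TCP SYN as the FORWARD chain would see it."""
    in_if: str
    out_if: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    """Subset of an iptables rule. src/dst are networks; a bare address is /32."""
    target: str
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport
    src: Optional[str] = None     # -s
    src_negate: bool = False      # "! -s"
    dst: Optional[str] = None     # -d
    in_if: Optional[str] = None   # -i
    out_if: Optional[str] = None  # -o

    def matches(self, f: Flow) -> bool:
        if self.proto and f.proto != self.proto:
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        if self.in_if and f.in_if != self.in_if:
            return False
        if self.out_if and f.out_if != self.out_if:
            return False
        if self.dst and ip_address(f.dst) not in ip_network(self.dst):
            return False
        if self.src:
            in_src = ip_address(f.src) in ip_network(self.src)
            if in_src == self.src_negate:   # "! -s" inverts the test
                return False
        return True


def forward(chain: List[Rule], flow: Flow, policy: str = "ACCEPT") -> str:
    """Walk the chain in order; the first matching rule decides the verdict.
    The text assumes a loose policy, so an unmatched flow is ACCEPTed."""
    for rule in chain:
        if rule.matches(flow):
            return rule.target
    return policy


EXT, INT, DMZ = "eth0", "eth1", "eth2"   # eth2 as the DMZ interface is assumed
HOST_B_INET = "203.0.113.25"   # assumed address that host-b.domain.com resolves to
SOME_MX = "198.51.100.9"       # assumed address of some other mail server on the Internet

# Example 1: Host-B on the Internet, ACCEPT appended before the catch-all REJECT.
EXAMPLE1 = [
    Rule("ACCEPT", "tcp", 25, dst=HOST_B_INET),
    Rule("REJECT", "tcp", 25),
]
# Example 2 with no interface match at all ...
DMZ_NO_OUT_IF = [Rule("REJECT", "tcp", 25, src="192.168.1.25", src_negate=True)]
# ... and with "-o eth0", so only SMTP leaving for the Internet is rejected.
DMZ_WITH_OUT_IF = [
    Rule("REJECT", "tcp", 25, src="192.168.1.25", src_negate=True, out_if=EXT),
]

# Constructed flows (client 10.10.10.7 is an assumed internal host).
CLIENT_TO_HOST_B_DMZ = Flow(INT, DMZ, "10.10.10.7", "192.168.1.25", 25)
CLIENT_TO_HOST_B_INET = Flow(INT, EXT, "10.10.10.7", HOST_B_INET, 25)
CLIENT_DIRECT_TO_MX = Flow(INT, EXT, "10.10.10.7", SOME_MX, 25)
CLIENT_SUBMISSION_587 = Flow(INT, EXT, "10.10.10.7", SOME_MX, 587)
HOST_B_DMZ_TO_MX = Flow(DMZ, EXT, "192.168.1.25", SOME_MX, 25)


def verdicts() -> dict:
    """Verdicts that illustrate the points made in the text."""
    return {
        "ex1 client->host-b": forward(EXAMPLE1, CLIENT_TO_HOST_B_INET),
        "ex1 client->other mx": forward(EXAMPLE1, CLIENT_DIRECT_TO_MX),
        # With the two rules reversed the REJECT matches first.
        "ex1 reversed client->host-b": forward(EXAMPLE1[::-1], CLIENT_TO_HOST_B_INET),
        # Without -o eth0 the DMZ rule also rejects clients talking to Host-B.
        "dmz no -o client->host-b": forward(DMZ_NO_OUT_IF, CLIENT_TO_HOST_B_DMZ),
        "dmz -o eth0 client->host-b": forward(DMZ_WITH_OUT_IF, CLIENT_TO_HOST_B_DMZ),
        "dmz -o eth0 client->other mx": forward(DMZ_WITH_OUT_IF, CLIENT_DIRECT_TO_MX),
        "dmz -o eth0 host-b->other mx": forward(DMZ_WITH_OUT_IF, HOST_B_DMZ_TO_MX),
        # The Note's caveat: only port 25 is matched, so submission on 587 passes.
        "dmz -o eth0 client->587": forward(DMZ_WITH_OUT_IF, CLIENT_SUBMISSION_587),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:32} {verdict}")
```

Run it as-is to see the verdict table; to try a change, add a Rule to one of the lists or a Flow for the traffic you care about. The model deliberately stops at the matches the book's rules use, so treat it as a way to reason about rule order and interface scoping, not as a substitute for testing the real ruleset on the firewall.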




    Troubleshooting Linux Firewalls
    ISBN: 0321227239
    EAN: N/A
    Year: 2004
    Pages: 169
