using iptables to block OUTBOUND port 25?

 
 
deja3-user@bitrealm.com
02-16-2008, 01:30 PM
Using linux as a gateway router, how does one do this? I'd like to
prevent internal computers from making outbound port 25 connections,
but still allow them to the linux box on port 25.

So, I have eth0 as the outside network and eth1 as the inside
network. Computers on the eth1 network need to be able to hit the
linux box on port 25, but those computers should NOT be allowed to go
out to the internet on port 25. This is the only port I want to block
for now.

eth0: public ip...5.6.7.8/255.255.252.0
eth1: internal ips: 172.16.0.0/255.255.255.0
 
Chris Davies
02-16-2008, 02:36 PM
deja3-(E-Mail Removed) wrote:
> Using linux as a gateway router, how does one do this? I'd like to
> prevent internal computers from making outbound port 25 connections,
> but still allow them to the linux box on port 25.


Assuming (but not stated) that you want your linux box to be able to
make outbound port 25 connections, you just need this:

iptables -A FORWARD -o eth0 -p tcp --dport 25 -j REJECT


Alternatively you can do interesting things like forcing everything
that attempts to talk to port 25 to actually end up talking to your own
port 25:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j REDIRECT

You need to be careful of this (redirect), though, and bear in mind
that it will break any attempt by a client to use Authenticated SMTP
to a remote server. I do it on my home network so that I have record of
all outbound email. However, I don't block outbound Authenticated SMTP
on port 587, nor do I block SMTP/SSL on port 465. YMMV.

Chris
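A complete rule set for the layout in the question, added here as an example (it is not Chris's or the original poster's script): it keeps the gateway's own port 25 reachable from the LAN, logs each forwarded attempt to reach port 25 on the Internet (rate-limited so a runaway client cannot flood the log) and then rejects it with a TCP reset, so a misconfigured client fails immediately instead of timing out. The REDIRECT variant is kept in a separate function. Everything beyond the two rules in the reply above is an assumption of this example: the INPUT rule, the LOG/limit options and the SMTP-EGRESS-BLOCK prefix, the tcp-reset, the IPT variable, the SMTP_APPLY guard, and an MTA listening on port 25 on the gateway itself.

```shell
#!/bin/sh
# Added example (not from the thread): egress filter for SMTP on a Linux
# gateway with eth0 outside and eth1 = 172.16.0.0/24 inside.
# Assumptions: the gateway runs its own MTA on port 25, which must stay
# reachable from the LAN and must still be able to relay outbound itself.
# IPT is the iptables command; set IPT=echo to preview the rules without
# applying them.
IPT="${IPT:-iptables}"
LAN_IF=eth1
WAN_IF=eth0
LAN_NET=172.16.0.0/24

smtp_egress_rules() {
    # 1. LAN hosts may still talk to the gateway's own MTA, whatever the
    #    INPUT policy is.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 25 -j ACCEPT

    # 2. Anything *forwarded* from the LAN towards port 25 on the Internet is
    #    logged (rate-limited) and then rejected with a TCP reset.  The
    #    gateway's own OUTPUT chain is untouched, so its MTA still delivers.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 \
        -m limit --limit 10/minute --limit-burst 20 \
        -j LOG --log-prefix "SMTP-EGRESS-BLOCK: " --log-level warning
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 25 \
        -j REJECT --reject-with tcp-reset
}

# Variant of the REDIRECT idea from the reply: every LAN connection to port 25
# lands on the gateway's MTA instead of being refused.  As the reply warns,
# this also catches clients that legitimately submit to a remote server on
# port 25.  Submission on 587 and SMTP/SSL on 465 are not touched by either
# rule set.
smtp_capture_rules() {
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 25 \
        -j REDIRECT --to-ports 25
}

# Apply only when explicitly asked, so the file can also be sourced:
#   SMTP_APPLY=yes sh smtp-egress.sh            (apply, as root)
#   IPT=echo SMTP_APPLY=yes sh smtp-egress.sh   (preview the commands)
if [ "${SMTP_APPLY:-no}" = yes ]; then
    smtp_egress_rules
fi
```

Rule order matters: LOG is a non-terminating target, so the LOG rule has to come before the REJECT rule on the same match, otherwise nothing is ever logged.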
 
deja3-user@bitrealm.com
02-16-2008, 03:15 PM
On Feb 16, 7:36 am, Chris Davies <chris-use...@roaima.co.uk> wrote:
> deja3-u...@bitrealm.com wrote:
> > Using linux as a gateway router, how does one do this? I'd like to
> > prevent internal computers from making outbound port 25 connections,
> > but still allow them to the linux box on port 25.

>
> Assuming (but not stated) that you want your linux box to be able to
> make outbound port 25 connections, you just need this:
>
> iptables -A FORWARD -o eth0 -p tcp --dport 25 -j REJECT
>
> Alternatively you can do interesting things like forcing everything
> that attempts to talk to port 25 to actually end up talking to your own
> port 25:
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j REDIRECT
>
> You need to be careful of this (redirect), though, and bear in mind
> that it will break any attempt by a client to use Authenticated SMTP
> to a remote server. I do it on my home network so that I have record of
> all outbound email. However, I don't block outbound Authenticated SMTP
> on port 587, nor do I block SMTP/SSL on port 465. YMMV.
>
> Chris


The linux box needs to be able to send/receive from the internet, but
I do not wish to allow internal users to go out to the internet. Any
attempt at an outbound connection should be denied, not redirected.
There are several worm type variants that run their own smtp server,
and I want to make sure that I am not contributing to the spam bot net.
 
deja3-user@bitrealm.com
02-16-2008, 03:49 PM
On Feb 16, 8:15 am, deja3-u...@bitrealm.com wrote:
> On Feb 16, 7:36 am, Chris Davies <chris-use...@roaima.co.uk> wrote:
> > deja3-u...@bitrealm.com wrote:
> > > Using linux as a gateway router, how does one do this? I'd like to
> > > prevent internal computers from making outbound port 25 connections,
> > > but still allow them to the linux box on port 25.
> >
> > Assuming (but not stated) that you want your linux box to be able to
> > make outbound port 25 connections, you just need this:
> >
> > iptables -A FORWARD -o eth0 -p tcp --dport 25 -j REJECT
> >
> > Alternatively you can do interesting things like forcing everything
> > that attempts to talk to port 25 to actually end up talking to your own
> > port 25:
> >
> > iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j REDIRECT
> >
> > You need to be careful of this (redirect), though, and bear in mind
> > that it will break any attempt by a client to use Authenticated SMTP
> > to a remote server. I do it on my home network so that I have record of
> > all outbound email. However, I don't block outbound Authenticated SMTP
> > on port 587, nor do I block SMTP/SSL on port 465. YMMV.
> >
> > Chris

I tried the line you suggested above:

iptables -A FORWARD -o eth0 -p tcp --dport 25 -j REJECT

And it seems to be doing what I need it to do. Thanks for your
assistance!

Now, can I have it log to a file whenever this rule matches so I can
tell which machines are mis-configured or contain a spam bot? The log
should contain the date/time as well as the source/destination ips if
possible.

 
Chris Davies
02-16-2008, 11:08 PM
deja3-(E-Mail Removed) wrote:
> I tried the line you suggested above:
> iptables -A FORWARD -o eth0 -p tcp --dport 25 -j REJECT


> And it seems to be doing what I need it to do. Thanks for your
> assistance!


You asked for something to block outbound SMTP connections. This
suggestion that you took from my post does NOT do that. Please ensure
you're using the right example.


> Now, can I have it log to a file whenever this rule matches so I can
> tell which machines are mis-configured or contain a spam bot?


Suggest you "man iptables" and look for the LOG option.

Chris
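With a LOG rule in front of the REJECT, every match is written to the kernel log (syslog, normally /var/log/messages, or `dmesg`) as one line carrying the date/time and the SRC/DST addresses the question asks for. The script below, added as an example and not part of any reply in this thread, pulls those fields out of such lines and counts attempts per internal host, which is the quickest way to spot the misconfigured client or the spam bot. It assumes the rule was given the log prefix "SMTP-EGRESS-BLOCK: "; the sample log lines it embeds are constructed for the example (addresses in 203.0.113.0/24 are the documentation range).

```shell
#!/bin/sh
# Added example (not from the thread): summarise netfilter LOG lines so the
# admin can see which internal hosts tried to reach port 25 and when.
# Assumes the blocking rule used --log-prefix "SMTP-EGRESS-BLOCK: ";
# change LOG_PREFIX if you chose a different one.
LOG_PREFIX="SMTP-EGRESS-BLOCK:"

# Constructed sample syslog lines in the format the kernel LOG target
# produces (host name, times and addresses are made up for the example).
SAMPLE_LOG='Feb 16 13:42:01 gw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=172.16.0.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 16 13:42:03 gw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=172.16.0.23 DST=203.0.113.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12346 DF PROTO=TCP SPT=51235 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 16 13:45:10 gw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=172.16.0.40 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 16 13:46:00 gw kernel: eth0: link up
Feb 16 13:47:22 gw kernel: SMTP-EGRESS-BLOCK: IN=eth1 OUT=eth0 SRC=172.16.0.23 DST=203.0.113.12 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12347 DF PROTO=TCP SPT=51236 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0'

# Print one line per blocked attempt, "<month> <day> <time> <src> -> <dst>:<dport>".
# Reads log text on stdin; lines without our prefix are skipped.
smtp_block_events() {
    awk -v pfx="$LOG_PREFIX" '
        index($0, pfx) == 0 { next }
        {
            src = dst = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # $1 $2 $3 are the syslog month, day and time
            printf "%s %s %s %s -> %s:%s\n", $1, $2, $3, src, dst, dpt
        }'
}

# Count blocked attempts per internal source address, busiest first.
# Reads log text on stdin.
smtp_block_counts() {
    smtp_block_events | awk '{ n[$4]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Demonstration on the constructed sample.  On a real gateway:
#   grep 'SMTP-EGRESS-BLOCK' /var/log/messages | smtp_block_counts
printf '%s\n' "$SAMPLE_LOG" | smtp_block_counts
```

For the sample above this prints `3 172.16.0.23` followed by `1 172.16.0.40`; the `link up` line is ignored because it lacks the prefix. If the LOG rule is rate-limited with `-m limit`, the counts are a lower bound on the number of attempts, not an exact figure.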
 
Andrew Gideon
02-17-2008, 09:55 PM
On Sun, 17 Feb 2008 00:08:21 +0000, Chris Davies wrote:

>> Now, can I have it log to a file whenever this rule matches so I can
>> tell which machines are mis-configured or contain a spam bot?

>
> Suggest you "man iptables" and look for the LOG option.


Agreed.

But if you really want to know what the other system is doing, and you're
willing to invest a little, there's an option to consider. Using the
PREROUTING rule described earlier, pass the SMTP attempts on to an SMTP
server (not necessarily on port 25) on your routing box. This would be
set to accept but not forward the traffic.

You can then manually review the messages sitting in that mail server's
mqueue. Anything you want to pass on can be passed on with -qI....

Like I wrote, though, there's an investment here.

- Andrew
 
David Brown
02-18-2008, 05:58 AM
Andrew Gideon wrote:
> On Sun, 17 Feb 2008 00:08:21 +0000, Chris Davies wrote:
>
>>> Now, can I have it log to a file whenever this rule matches so I can
>>> tell which machines are mis-configured or contain a spam bot?

>> Suggest you "man iptables" and look for the LOG option.

>
> Agreed.
>
> But if you really want to know what the other system is doing, and you're
> willing to invest a little, there's an option to consider. Using the
> PREROUTING rule described earlier, pass the SMTP attempts on to an SMTP
> server (not necessarily on port 25) on your routing box. This would be
> set to accept but not forward the traffic.
>
> You can then manually review the messages sitting in that mail server's
> mqueue. Anything you want to pass on can be passed on with -qI....
>
> Like I wrote, though, there's an investment here.
>
> - Andrew


I'd be surprised if there is much to gain here. I've done similar
blocking on our network (the router/firewall was not Linux, but the
principle is the same). There are not many potential sources of smtp
traffic, and it makes sense to block almost all of them. It's important
to see when the traffic is being blocked (so you know who to blame
and/or disconnect from your network), but the traffic itself is pretty
worthless.

On a small network, the only outgoing smtp traffic should be from your
mail server to your ISP's relay (or from individual machines to a single
specific external relay if you have no internal email server). Anything
else is either a misconfigured email client (the user will quickly see
they've got a problem), a misconfigured email server (again, the admin
for it will see they have a problem), or a spam bot. It doesn't matter
what the spam bot is sending out - all that matters is that its traffic
is blocked and that the admins are notified quickly of the blocking. It
helps to have more than one admin - the one time someone in our office
accidentally installed a trojan mailer, I was out of the office - the
next day, I had 50,000 emails from our router complaining about illegal
traffic...
 