Blocking SMTP on firewall

Ok, here’s my setup:

SuSE 10.0 X86 32 acting as my internet gateway and firewall.

eth0 is my internal interface, network 192.168.0.0/24, IP 192.168.0.254.
dsl0 is my internet connection and is a single-IP PtP connection to my
ISP.

My internal network is masqueraded onto the external network.

I run an SMTP server on my gateway box that I need to be accessible to
both the internal and external networks.

However, I want to prevent machines on the internal network from
establishing connections to external SMTP servers, but still allow them to
connect to the SMTP server on the gateway to send email.

NOTE: I do not want to force attempts to connect to externalserver.com 25
to be redirected to my internal server; I just want to drop or reject the
connection.

The firewall up until now has just been configured through YaST, but I am
not afraid to edit script files if needed :slight_smile: :slight_smile:

The reason for doing this is to prevent spambots from being able to send
through my ISP. I keep my own machines clean but sometimes get asked to
disinfect machines for other people (family members etc.), where I need to
connect to the outside world to get updates/virus defs etc., but don’t
want them spamming from my network.

So is there an easy way of doing this?

Cheers.

Phill.

Prime wrote:

> Ok, here’s my setup:
>
> SuSE 10.0 X86 32 acting as my internet gateway and firewall.
>
> eth0 is my internal interface, network 192.168.0.0/24, IP 192.168.0.254.
> dsl0 is my internet connection and is a single-IP PtP connection to my
> ISP.
>
> My internal network is masqueraded onto the external network.
>
> I run an SMTP server on my gateway box that I need to be accessible to
> both the internal and external networks.
>
> However, I want to prevent machines on the internal network from
> establishing connections to external SMTP servers, but still allow them
> to connect to the SMTP server on the gateway to send email.

That is essentially:

iptables -A FORWARD -i eth0 -p tcp --dport 25 -j DROP

(not tested).

> The firewall up until now has just been configured through YaST, but
> I am not afraid to edit script files if needed :slight_smile: :slight_smile:

I’m sure you can do this with the YaST setup too, I just don’t use it,
so I can’t explain how it’s done.

> The reason for doing this is to prevent spambots from being able to
> send through my ISP. I keep my own machines clean but sometimes get
> asked to disinfect machines for other people (family members etc.),
> where I need to connect to the outside world to get updates/virus defs
> etc., but don’t want them spamming from my network.

Makes a lot of sense.


Per Jessen, Zürich (17.8°C)
http://en.opensuse.org/User:pjessen
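The one-line rule in the reply above, filled out as an added example script. This is not Per Jessen's or the poster's configuration: the interface names and LAN range come from the question, while the choice of REJECT over DROP, the LOG rule (which shows in the kernel log which LAN host tried to talk SMTP outward, i.e. which machine is infected), and the IPTABLES variable used for a dry run are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): block outbound SMTP from the LAN on a
# two-interface SUSE gateway while keeping the gateway's own SMTP reachable.
# Assumes the poster's topology: eth0 = LAN 192.168.0.0/24, dsl0 = ISP link.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-dsl0}
LAN_NET=${LAN_NET:-192.168.0.0/24}

# Set IPTABLES=echo to print the rules instead of loading them (dry run).
IPTABLES=${IPTABLES:-iptables}

block_lan_smtp() {
    # 1. The gateway's own SMTP server stays reachable from both sides.
    #    Connections to the gateway itself traverse INPUT, not FORWARD, so
    #    the FORWARD rules below never touch them.
    $IPTABLES -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # 2. Log the first packet of every LAN -> Internet SMTP attempt (rate
    #    limited). The source address in the log line names the spambot host.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp --dport 25 -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "LAN-SMTP-BLOCK: "

    # 3. REJECT with a TCP reset rather than DROP: a legitimate mail client
    #    on a cleaned-up machine fails immediately instead of hanging.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -p tcp --dport 25 -j REJECT --reject-with tcp-reset
}

# Number of port-25 rules a dry run would load; lets you check the script
# without touching the live firewall.
count_dry_run_rules() {
    IPTABLES=echo block_lan_smtp | grep -c -- '--dport 25'
}

if [ "${1:-}" = "apply" ]; then
    block_lan_smtp
fi
```

Run it as root with `sh block-smtp.sh apply`; `IPTABLES=echo sh block-smtp.sh apply` prints the rules instead of loading them. On SUSE 10.x the YaST firewall (SuSEfirewall2) rebuilds its whole rule set on restart, so rules added by hand with iptables are lost; the supported place for extra rules is the custom script /etc/sysconfig/scripts/SuSEfirewall2-custom (hook functions such as fw_custom_before_masq), enabled through the FW_CUSTOMRULES setting in /etc/sysconfig/SuSEfirewall2.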

  1. If you want to set up Linux as a router and firewall, you should have three network interfaces:
    a. External interface
    b. Internal interface
    c. DMZ interface

  2. You should put your SMTP server in the DMZ zone and all your local LAN in the internal zone.

  3. Using the iptables command or yast->firewall (for SUSE), you need to configure firewall rules as below:

    1. External->DMZ (allow port 25 (smtp) open for the SMTP server IP address)
    2. Internal->External (block port 25 (smtp) for all IP addresses)
    3. Internal->DMZ (allow only port 25 (smtp)) for all IP addresses

Please let me know if you need an example of the commands or configuration…
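The three-zone layout described in this reply, as an added example script that is not the replier's configuration. The LAN and ISP interface names are the ones from the question; eth1 as the DMZ interface and 192.168.1.25 as the mail server's address are assumptions (the address is constructed). The ESTABLISHED,RELATED rule and the DMZ->External rules are not among the three rules listed in the reply but are needed for the design to work: reply packets must pass, and the DMZ mail server has to deliver outbound mail and resolve MX records.

```shell
#!/bin/sh
# Added example, not the replier's configuration: FORWARD-chain policy for a
# gateway with external, internal and DMZ interfaces.
EXT_IF=${EXT_IF:-dsl0}                     # Internet link (from the question)
INT_IF=${INT_IF:-eth0}                     # internal LAN (from the question)
DMZ_IF=${DMZ_IF:-eth1}                     # assumed DMZ interface
SMTP_SERVER=${SMTP_SERVER:-192.168.1.25}   # constructed DMZ mail server address

# Set IPTABLES=echo to print the rules instead of loading them (dry run).
IPTABLES=${IPTABLES:-iptables}

dmz_smtp_policy() {
    # Default deny between zones; every permitted flow is listed explicitly.
    $IPTABLES -P FORWARD DROP
    # Reply packets of the flows accepted below.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rule 1: External -> DMZ, SMTP only, only to the mail server.
    $IPTABLES -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$SMTP_SERVER" \
        -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # Rule 3: Internal -> DMZ, SMTP only, so LAN hosts can submit mail.
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -d "$SMTP_SERVER" \
        -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # Rule 2: Internal -> External, SMTP logged and rejected. These two rules
    # must come BEFORE the general Internal -> External accept, because the
    # first matching rule wins.
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 25 \
        -m state --state NEW -m limit --limit 5/min \
        -j LOG --log-prefix "LAN-SMTP-BLOCK: "
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 25 \
        -j REJECT --reject-with tcp-reset
    $IPTABLES -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT

    # Not in the reply's list, but required: the DMZ mail server must deliver
    # outbound mail and look up MX records. Only that host, only these ports.
    $IPTABLES -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$SMTP_SERVER" \
        -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$SMTP_SERVER" \
        -p udp --dport 53 -j ACCEPT
    # Everything else, DMZ -> Internal in particular, falls to the DROP policy,
    # so a compromised mail server cannot reach the LAN.
}

# Dry-run sanity check: the SMTP reject has to precede the general
# LAN -> Internet accept or it never matches. Succeeds when the order is right.
smtp_block_precedes_accept() {
    rules=$(IPTABLES=echo dmz_smtp_policy)
    reject=$(printf '%s\n' "$rules" | grep -n -- '--dport 25 -j REJECT' | cut -d: -f1)
    accept=$(printf '%s\n' "$rules" \
        | grep -n -- "-i $INT_IF -o $EXT_IF -m state --state NEW -j ACCEPT" | cut -d: -f1)
    [ -n "$reject" ] && [ -n "$accept" ] && [ "$reject" -lt "$accept" ]
}

if [ "${1:-}" = "apply" ]; then
    smtp_block_precedes_accept && dmz_smtp_policy
fi
```

Run as root with `sh dmz-smtp.sh apply`; with `IPTABLES=echo` it prints the nine rules instead. Note that nothing forwards towards the LAN interface at all: the DMZ host is reachable from the LAN on port 25 but cannot open connections back, which is the point of putting the exposed server in its own zone.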