Upfront: Sorry if this is already answered - feel free to point me to the solution - I wasn’t able to find it.
So, as I host my own mail server I also have to defend it from spam. Over the years I used iptables and got used to “order matters”.
As for firewallD it’s not so clear to me. I’ve found two options:
1)
sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='a.b.c.d/cidr' drop"
2)
sudo firewall-cmd --permanent --zone=drop --add-source=a.b.c.d/cidr
2b) bit more advanced version of 2)
sudo firewall-cmd --permanent --new-ipset=networkblock --type=hash:net --option=maxelem=1000000 --option=family=inet --option=hashsize=4096
sudo firewall-cmd --permanent --zone=drop --add-source=ipset:networkblock
sudo firewall-cmd --permanent --ipset=networkblock --add-entry=a.b.c.d/cidr
All followed by a
sudo firewall-cmd --reload
of course.
Question is: For option 2 I read something like: “using zone DROP doesn’t work because the NIC isn’t active in that zone”. Is that true?
Also: How do I ensure the drop rules are matched before the allow rules and hence block incoming traffic before it gets accepted by the smtp service rule?
Unfortunately many examples only show how to allow a port or service - but not how to restrict access to it, like filtering out spam IPs for a mail server.
Thanks in advance.
Explain what you want to achieve, not how.
Simple: Hosting a mail server on TCP/25 open to the entire world, both IPv4 and IPv6, but still being able to block malicious remote addresses. I thought I had already made that clear.
Using iptables it’s a matter of order: If a rule to drop packets from a specific source is matched before the generic rule to accept traffic on tcp/25, it’s dropped before getting accepted. But: Although I don’t see a reason why 15.3 switched over to firewallD (which is again a bit more complex than iptables), I wasn’t able to figure out how to achieve the same using it. Reason: Most examples I was able to find myself only show how to allow general access to a service or port. And some even show how to restrict access from specific sources. But aside from the two posted ways I wasn’t able to find any other examples explaining how to do a simple filter rule in a deny,allow order so I can block off all those spammer IPs and those which keep trying to brute-force my accounts, but still have it open to the rest of the world so I can receive e-mails.
Unfortunately smtp on tcp/25 is one of the very few services one cannot “hide” by using a different port - as the mail infrastructure in place expects it to be open and accessible if one wants to receive e-mail.
Sure, I could manually switch back to iptables. But I’m willing to learn if the distro of my choice makes such a move with a minor release instead of trying to fight it.
I cannot comment on what you read because I do not see it. Firewalld first checks for a suitable zone that matches the source address of the incoming packet. It does not matter whether this zone is bound to any interface (actually it is probably more manageable if you make a clear distinction between interface zones and source address zones). If this zone blocks the packet, then it is blocked.
How do I ensure the drop rules are matched before the allow rules and hence block incoming traffic before it gets accepted by the smtp service rule?
Source zones are always tried before interface zones. Inside a single zone the order is determined by rich rule priority. Without an explicit priority, drop rules are tried before allow rules (see “Rich Rule Priorities” in the firewalld documentation).
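Added example, not commands from this thread: a small POSIX sh loader that puts option 2b into practice for a daily blocklist and relies on the evaluation order described in the reply above (the drop zone, being a source zone, is checked before the interface zone that allows smtp). It splits the list by address family because a hash:net ipset created with family=inet holds IPv4 entries only; the names FWCMD, SET (spamblock), classify, setup_sets and load_blocklist are assumptions, while the firewall-cmd options are the ones used in the thread.

```shell
# Added example (not from the thread): load a spam blocklist into firewalld ipsets bound
# to the drop zone.  A hash:net ipset with family=inet holds IPv4 entries only, so the
# IPv6 networks the server also accepts mail from need a second set with family=inet6.
# FWCMD defaults to "echo" (dry run, prints the commands); FWCMD=firewall-cmd applies them.
FWCMD="${FWCMD:-echo}"
SET="spamblock"   # assumed set name; the thread uses "networkblock"
# Print inet, inet6 or bad for one entry: a shape check (a.b.c.d/len or hex:colons/len
# with a sane prefix length), not a full address parser.
classify() {
    pfx="${1##*/}"; net="${1%/*}"
    case "$pfx" in ''|*[!0-9]*) echo bad; return ;; esac
    case "$net" in
        *[!0-9.]*) case "$net" in
                       *[!0-9a-fA-F:]*|*::*::*) echo bad ;;
                       *:*) [ "$pfx" -le 128 ] && echo inet6 || echo bad ;;
                       *) echo bad ;;
                   esac ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) [ "$pfx" -le 32 ] && echo inet || echo bad ;;
        *) echo bad ;;
    esac
}
# Create one set per family and hand both to the drop zone, which firewalld evaluates
# as a source zone before the interface zone that allows smtp.  Re-running only reports
# that the sets already exist.
setup_sets() {
    for fam in inet inet6; do
        $FWCMD --permanent --new-ipset="${SET}_$fam" --type=hash:net \
            --option=family="$fam" --option=maxelem=1000000 --option=hashsize=4096
        $FWCMD --permanent --zone=drop --add-source="ipset:${SET}_$fam"
    done
}
# Read a blocklist from stdin (one network per line, '#' starts a comment), add every
# well-formed entry to the set of its family and report the rest on stderr.
load_blocklist() {
    while IFS= read -r line; do
        entry="$(printf '%s' "${line%%#*}" | tr -d '[:space:]')"
        [ -z "$entry" ] && continue
        fam="$(classify "$entry")"
        [ "$fam" = bad ] && { printf 'skipping malformed entry: %s\n' "$line" >&2; continue; }
        $FWCMD --permanent --ipset="${SET}_$fam" --add-entry="$entry"
    done
    $FWCMD --reload   # permanent changes only take effect after a reload
}
# Constructed sample blocklist using documentation ranges, not real spam sources.
setup_sets
load_blocklist <<'EOF'
198.51.100.0/24      # RFC 5737 test network
2001:db8:abcd::/48   # RFC 3849 test network
a.b.c.d/cidr         # malformed, will be skipped
EOF
```

After applying with FWCMD=firewall-cmd, `firewall-cmd --get-active-zones` should list `drop` with both ipsets under its sources, and `firewall-cmd --ipset=spamblock_inet --get-entries` shows what was loaded.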
So, to simplify: It doesn’t matter which zone my interface is assigned to, as source entries in the drop zone are evaluated first anyway.
I wonder why this simple line isn’t mentioned anywhere with the example I posted as option 2 - it would have made it way easier.
I have a similar problem and use fail2ban to block attempts to access my mail server which may be an alternative solution approach to your needs.
My understanding is that firewalld is more of a front end that used to use iptables but now uses nftables in 15.3. As such it’s not useful to compare iptables and firewalld.
Interestingly fail2ban in my case uses iptables as it’s a hangover from previous versions, and I also use the current firewalld that is using nftables. In another thread it was clarified that you can use both iptables and nftables. If you do have rules for both iptables and nftables, as I have, then a packet has to pass both filters sequentially.
Well, fail2ban was suggested to me earlier - but I’m somewhat too stupid to correctly set it up - so it came to be one of my daily routines to scan the logs of my mail server and all the junk mail I received on the accounts set up, and keep blocking them. Often just /24 blocks - but sometimes also /23 or even /22.
Yea, I know - many now may scream “why block an entire /22 block?” - well - simple: If the admins of these networks would do their job setting up anti-spam filters on outgoing traffic to block what their servers send, I wouldn’t have to block them.
As a reverse example: due to a far too simple password one of the accounts on my mail server got abused - and my hoster shut down my traffic within hours and informed me via my main gmail - THAT’s how network admins should do their jobs - and seeing that my hoster is capable of doing so justifies me in blocking entire /22 networks. Also: with most of the countries the IPs are assigned to I don’t have any contacts anyway - so I don’t mind. And if someone really needs to contact me - my main gmail is known in places where it’s accessible - like whois and such. And as I have set up a backup mail server I’m at least able to still receive any incoming mails when my main root is not reachable for any reason.
As a “funny” sidenote: For some reason most of the spam traffic is over IPv4 - although my mail servers are correctly set up for IPv6. Guess it’s still a long way for v6 …
Anyway - I figured that adding the networks to the DROP zone seems to work so far for me now - so the question is solved.