Koozali.org: home of the SME Server

Restricting port 25 to only allow list of IP

webweave

Restricting port 25 to only allow list of IP
« on: August 15, 2005, 07:14:09 AM »
Hi,

We have a subscription to a commercial spam filtering service and they are asking us to modify our server (SME 6.0.1) to only accept connections to port 25 from a list of IP numbers they have supplied.

I would prefer a method that works with the design philosophy of the SME. Has anyone made a template for doing this? I imagine this would also be useful for anyone who wants to ignore IPs or ranges of IPs from common spammers.

Thanks for considering my question.
Cheers,
Brian

Offline gordonr

Re: Restricting port 25 to only allow list of IP
« Reply #1 on: August 16, 2005, 03:00:16 AM »
Quote from: "webweave"

I would prefer a method that works with the design philosophy of the SME. Has anyone made a template for doing this? I imagine this would also be useful for anyone who wants to ignore IPs or ranges of IPs from common spammers.


See these threads for my updated e-smith-packetfilter which allows you to configure an AllowHosts property for services:

http://forums.contribs.org/index.php?topic=27855.msg115863#msg115863

An even later version is included in 7.0alpha, in which you can also configure a DenyHosts list.

webweave

Restricting port 25 to only allow list of IP
« Reply #2 on: August 19, 2005, 10:06:37 PM »
Isn't that nifty.

This is a bare knuckles, er I mean command line tool right?

I am going through iptables/howto/iptables-HOWTO.html This looks like the right place to start. Is there a better howto somewhere?

Do you think in ver. 7 this will migrate into the server-manager?

Thanks Gordon, always a pleasure.

Offline gordonr

Restricting port 25 to only allow list of IP
« Reply #3 on: August 19, 2005, 10:20:34 PM »
Quote from: "webweave"
Isn't that nifty.

This is a bare knuckles, er I mean command line tool right?


Yes, peril sensitive sunglasses are a required option.

Quote from: "webweave"
I am going through iptables/howto/iptables-HOWTO.html This looks like the right place to start. Is there a better howto somewhere?


There's lots of stuff on netfilter.org. The generated rules in /etc/init.d/masq are worth looking at while you're working through the HOWTO to see how they go together.

Quote from: "webweave"
Do you think in ver. 7 this will migrate into the server-manager?


7.0beta1 is out, so no.

Someone is proposing a panel here:

http://forums.contribs.org/index.php?topic=28417.0

but I haven't seen the panel and don't know how it's being implemented. As I stated in that thread, if it works through the configuration database, it would be a good addition. If it directly manages iptables rules, it is likely to cause a conflict with service configuration.

Offline kruhm

Restricting port 25 to only allow list of IP
« Reply #4 on: August 21, 2005, 02:46:48 PM »
-mkdir /etc/e-smith/templates-custom/etc/tcprules/tcp.smtp/
-start a new file called 85customdeny with the following:


Code:
{
    # one tcprules entry per line: "address:deny"
    $OUT = "theipyouwanttoblock:deny\n";
    $OUT .= "theiprangeyouwanttoblock:deny\n";
}


-rebuild the file with a: /sbin/e-smith/expand-template /etc/tcprules/tcp.smtp
-pick up the changes with a: /sbin/e-smith/signal-event email-update

webweave

Restricting port 25 to only allow list of IP
« Reply #5 on: August 21, 2005, 08:44:39 PM »
Does this also work for allow?
I'm trying to block all ip except those from my upstream mail provider.

Thanks Kruhm. This looks nice and easy and will survive the backup.

Offline gordonr

Restricting port 25 to only allow list of IP
« Reply #6 on: August 22, 2005, 07:18:14 AM »
Quote from: "webweave"

Thanks Kruhm. This looks nice and easy and will survive the backup.


Note that it will not work in 7.0 as we no longer use tcprules/tcp.smtp since changing from tcpserver to ipsvd. The equivalent files are in the "peers" subdirectories of the individual services. My suggestion will work under 7.0 as well as earlier releases, as long as you update e-smith-packetfilter.
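The allow-list variant asked about in Reply #5, written as a template fragment using the same mechanism kruhm describes in Reply #4. This is an added example, not code from this thread or from the SME Server project; the fragment name 85customallow and the addresses in it are placeholders, to be replaced with the list the filtering service supplied. It applies to the tcprules-based releases (SME 6.x); as gordonr notes above, 7.0 uses the "peers" directories instead.

```perl
{
    # Added example (not from the thread). Save as:
    #   /etc/e-smith/templates-custom/etc/tcprules/tcp.smtp/85customallow
    # then run expand-template on /etc/tcprules/tcp.smtp and
    # signal-event email-update, exactly as in Reply #4.
    #
    # Placeholder addresses (assumed): replace with the provider's list.
    # tcprules matches either a full address or a dotted prefix; a
    # trailing dot means "every host in that block".
    my @allowed = (
        '192.0.2.10',     # single relay host
        '192.0.2.11',
        '198.51.100.',    # prefix: all of 198.51.100.x
    );

    $OUT = '';
    foreach my $addr (@allowed) {
        # Plain "allow" only permits the TCP connection. Do NOT append
        # RELAYCLIENT="" here: that would let the provider's hosts relay
        # mail through this server, which the local-network rules already
        # reserve for the LAN.
        $OUT .= "$addr:allow\n";
    }

    # Catch-all: any other source is refused before the SMTP banner.
    $OUT .= ":deny\n";
}
```

After expanding, read the generated /etc/tcprules/tcp.smtp before signalling the event: if another fragment already emits a bare `:allow` default, the two catch-all entries conflict, and that conflict should be resolved in the templates rather than left to fragment order. Keep 127.0.0.1 and the LAN allow rules that the stock fragments produce, otherwise local clients and the server itself lose SMTP access.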