Koozali.org: home of the SME Server

Adding IPTables rules

Offline GlitchFreak

Adding IPTables rules
« on: November 08, 2007, 11:30:19 AM »
Morning

How do I add a custom IPTables rule to block external pop3 access? I want to prevent anyone in the company from popping external email.

Thanks!


Offline byte

Re: Adding IPTables rules
« Reply #1 on: November 08, 2007, 12:28:56 PM »
How do I add a custom IPTables rule to block external pop3 access? I want to prevent anyone in the company from popping external email.

Enjoy ;)

http://wiki.contribs.org/Firewall#Block_outgoing_ports
--[byte]--

Have you filled in a Bug Report over @ http://bugs.contribs.org ? Please don't wait to be told this way you help us to help you/others - Thanks!

Offline mmccarn

Re: Adding IPTables rules
« Reply #2 on: November 08, 2007, 12:37:05 PM »
After downloading the stuff referenced above, issue these commands:
config setprop masq TCPBlocks 0.0.0.0:110
signal-event remoteaccess-update
/etc/init.d/masq restart

Offline GlitchFreak

Re: Adding IPTables rules
« Reply #3 on: November 13, 2007, 12:22:56 PM »
Thanks, I've enabled the changes.

Is there a log I can tail to see the blocks in effect? Perhaps /var/log/iptables?

Offline byte

Re: Adding IPTables rules
« Reply #4 on: November 13, 2007, 12:40:32 PM »
Is there a log I can tail to see the blocks in effect?

/var/log/messages

Offline mmccarn

Re: Adding IPTables rules
« Reply #5 on: November 13, 2007, 01:44:37 PM »
As currently written the 'PortBlocks' code does not log anything.


Offline GlitchFreak

Re: Adding IPTables rules
« Reply #6 on: November 13, 2007, 02:24:29 PM »
I thought so... Didn't see anything logging...

Offline byte

Re: Adding IPTables rules
« Reply #7 on: November 13, 2007, 02:50:32 PM »
As currently written the 'PortBlocks' code does not log anything.

Ah, I didn't realize your new code didn't include "--log-prefix"; that's why I do see the blocks in /var/log/messages.

Offline GlitchFreak

Re: Adding IPTables rules
« Reply #8 on: November 13, 2007, 02:53:13 PM »
Is there a hard code method to enable logging port blocks?

Offline CharlieBrady

Re: Adding IPTables rules
« Reply #9 on: November 13, 2007, 03:37:40 PM »
/var/log/messages

No, any iptables logging is in /var/log/iptables/current.

Offline byte

Re: Adding IPTables rules
« Reply #10 on: November 13, 2007, 03:52:04 PM »
No, any iptables logging is in /var/log/iptables/current.

That's correct for "any", but if you have the parameter "--log-prefix" inserted into your iptables line then it will show any blocks in /var/log/messages and via dmesg.

Offline CharlieBrady

Re: Adding IPTables rules
« Reply #11 on: November 13, 2007, 04:05:41 PM »
That's correct for "any", but if you have the parameter "--log-prefix" inserted into your iptables line then it will show any blocks in /var/log/messages and via dmesg.

The standard 'denylog' rule uses --log-prefix, and standard logs don't go to syslog. Something else is going on here - perhaps ulogd is not running.
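To make the "--log-prefix" discussion above actionable, here is an added example (not from the thread or from SME Server) that parses kernel iptables LOG lines as they appear in /var/log/messages and counts blocked outbound POP3 (TCP/110) attempts per internal host; the prefix "POP3-BLOCK" and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines, as the kernel LOG target writes them
# when the blocking rule carries --log-prefix "POP3-BLOCK: " (assumed prefix), e.g.
#   iptables -A FORWARD -p tcp --dport 110 -j LOG --log-prefix "POP3-BLOCK: "
# followed by a matching DROP rule. The last two lines are unrelated noise.
SAMPLE_LOG = """\
Nov 13 14:50:32 sme kernel: POP3-BLOCK: IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4021 DF PROTO=TCP SPT=49152 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 13 14:50:35 sme kernel: POP3-BLOCK: IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4022 DF PROTO=TCP SPT=49153 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 13 14:51:02 sme kernel: POP3-BLOCK: IN=eth0 OUT=eth1 SRC=192.168.1.40 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=913 DF PROTO=TCP SPT=33011 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 13 14:51:10 sme kernel: denylog:IN=eth1 OUT= SRC=203.0.113.77 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4444 DPT=22 SYN URGP=0
Nov 13 14:51:11 sme sshd[2210]: Accepted publickey for admin from 192.168.1.5 port 50210
"""

# Everything between "kernel: " and "IN=" is the --log-prefix text; DPT= is optional
# because non-TCP/UDP records (e.g. ICMP) carry no destination port.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>[^=]*?)\s*IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse_iptables_log(line):
    """Return the fields of one kernel iptables LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prefix"] = rec["prefix"].strip().rstrip(":")
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def blocked_pop3_by_source(lines, prefix="POP3-BLOCK", dport=110):
    """Count logged block hits per internal source for the given prefix and TCP port."""
    hits = Counter()
    for line in lines:
        rec = parse_iptables_log(line)
        if rec and rec["prefix"] == prefix and rec["proto"] == "TCP" and rec["dpt"] == dport:
            hits[rec["src"]] += 1
    return hits


if __name__ == "__main__":
    for src, n in blocked_pop3_by_source(SAMPLE_LOG.splitlines()).most_common():
        print(f"{src:15s} {n} blocked POP3 attempt(s)")
```

On a live box, feed it `tail -f /var/log/messages` output instead of SAMPLE_LOG; lines without a "kernel: ... IN=" record are ignored.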