Koozali.org: home of the SME Server

how can I prevent users from using sme as their gateway?

kryptos
how can I prevent users from using sme as their gateway?
« on: May 29, 2008, 07:52:30 AM »
Hi all,

We have set up SME as our web server and at the same time as an email server. It is set up in server and gateway mode. Our concern is that if someone uses the server's IP address as their gateway they can have internet access. We don't want this to happen, as we have our proxy server (also SME) that deals with internet users. Is there a setting with which we can disable internet access through this server without affecting the email and web server functionality?

Regards,
Rocel

steever
Re: how can I prevent users from using sme as their gateway?
« Reply #1 on: May 29, 2008, 01:52:43 PM »
Server only, instead of server-gateway?
Saving the world ... one server at a time.

stephen noble
Re: how can I prevent users from using sme as their gateway?
« Reply #2 on: May 29, 2008, 02:22:27 PM »
  Proxy settings > HTTP proxy status > disabled

CharlieBrady
Re: how can I prevent users from using sme as their gateway?
« Reply #3 on: May 29, 2008, 03:05:59 PM »
  Proxy settings > HTTP proxy status > disabled

That won't prevent use as a gateway (but would block port 80, unless transparent proxy was also disabled). But steever has one correct answer - use serveronly mode. Another answer would be to ensure that nobody could physically connect to the LAN of the web/mail server.

steever
Re: how can I prevent users from using sme as their gateway?
« Reply #4 on: May 29, 2008, 03:54:10 PM »
Yes, I'd be interested to know why he has this server set up in gateway mode if he doesn't need it as a gateway.
Saving the world ... one server at a time.

kryptos
Re: how can I prevent users from using sme as their gateway?
« Reply #5 on: May 30, 2008, 03:32:16 AM »
Quote
Yes, I'd be interested to know why he has this server set up in gateway mode if he doesn't need it as a gateway.

We decided to use server and gateway mode for these reasons:

From the wiki, and I quote:
Quote
Server Only

Some of the spam filter rules cannot work unless the SMESERVER knows the external IP of the box. If you put a SMESERVER in server-only mode behind other firewalls, it will lose some of the anti-spam rules. For example, the rule that blocks attempts where spammers try "HELO a.b.c.d" where a.b.c.d is your external IP address.

Unfortunately, many admins believe that port-forwarding SMTP provides additional security. It doesn't, it limits the SMESERVER's ability to apply some rules.

And also I have observed that if you use the internal IP of the server in server/gateway mode as the POP3 setting on their email clients, they are bypassed by SpamAssassin as they are local (which is good for us) when sending to other local users.

Regards,
Rocel


steever
Re: how can I prevent users from using sme as their gateway?
« Reply #6 on: May 30, 2008, 03:53:56 AM »
I didn't know that.  Thanks Kryptos.
Saving the world ... one server at a time.

kruhm
Re: how can I prevent users from using sme as their gateway?
« Reply #7 on: June 01, 2008, 01:56:46 PM »
Get an additional public IP from your ISP,
or
combine the proxy & email servers onto one box.

arne
Re: how can I prevent users from using sme as their gateway?
« Reply #8 on: June 02, 2008, 08:33:58 AM »
Yes, it can be done; it's just a question of understanding the question right.

Is the arrangement like this:

There is a LAN segment that is connected to the internet via two SME servers running in server-gateway mode.

There are also (already) two external IPs, one for each server.

Gateway server A should work as a gateway/(proxy) (only).

"Gateway server" B should actually not be working as a gateway, but as an external and internal web and mail server allowing mail and web clients; it should not be allowed to work as a gateway, allowing traffic to pass out to the internet. Is this correctly understood?

What is the network address of the LAN segment? (10.0.0.0/255.255.255.0, 192.168.0.0/255.255.255.0, etc.)
« Last Edit: June 02, 2008, 08:35:38 AM by arne »
......

kryptos
Re: how can I prevent users from using sme as their gateway?
« Reply #9 on: June 05, 2008, 02:57:22 AM »
Hi arne,

Sorry for my late reply. You're exactly right, that is my situation in our setup. The email/web server and the proxy server are on the same segment and each has its own external IP. The local IP segment is 192.168.0.0/24.

regards,
Rocel

arne
Re: how can I prevent users from using sme as their gateway?
« Reply #10 on: June 05, 2008, 02:30:59 PM »
Thanks for the info. This should not be too difficult. Will try to look into it during the day.

The situation is much like this one, but easier.
http://forums.contribs.org/index.php?topic=41166.0

Warnings etc. are the same.
« Last Edit: June 05, 2008, 05:26:42 PM by arne »
......

arne
Re: how can I prevent users from using sme as their gateway?
« Reply #11 on: June 05, 2008, 05:32:19 PM »
I guess this simple rule applied from shell at the non gateway machine should do it:

iptables -I FORWARD -i eth0 -j DROP  

(Where eth0 is the LAN adapter.)

This means: for all packets entering the forward chain from the eth0 adapter (lan adapter), drop them.

-I inserts the rule on the top of the rule stack.
 
To check if the rule is there.

iptables -L FORWARD

Problems about implementing it in /etc/rc.d/rc.local or templates are equivalent to the other question.

I have not tested it, but I guess it will work.

I just tested something now. To delete the new first rule you can reboot the machine or you can run:

iptables -D FORWARD 1

(Delete the first rule in the FORWARD chain.) (A bit dangerous in case you delete something else rather than your new "add-on rule".)
« Last Edit: June 05, 2008, 08:24:50 PM by arne »
......

kryptos
Re: how can I prevent users from using sme as their gateway?
« Reply #12 on: June 06, 2008, 04:03:33 AM »
Hi arne,

I am not very knowledgeable with iptables. And also I have set up the server's local IP as their POP and SMTP settings; I think this will also be blocked, am I right? What if I block only the www port or the internet on the LAN side?


Regards,
Rocel

arne
Re: how can I prevent users from using sme as their gateway?
« Reply #13 on: June 06, 2008, 10:05:56 AM »
No, mail server functions and all other server functions should work as normal for LAN and external communication.

(This was the new "big thing" for the latest generation of Linux firewalls: completely separate filtering for local servers and routing/NAT functions.)

If I'm thinking it the right way this should only block the internet gateway access.

It can be tried by just applying the rule from shell, and then if you reboot your server it will be gone. (No permanent modification.)

It would be interesting with a report if it works like expected or not.

By the way, the web proxy should be off on this server machine. Gateway via proxy might not be closed. (Because the proxy is a local server, and local servers will generally not be closed.)


So it should be only this:

iptables -I FORWARD -i eth0 -j DROP   (if eth0 is connected to the LAN.)

And a reboot to take it away.

All filtering for server functions should still work unaffected and like normal.
« Last Edit: June 06, 2008, 10:15:10 AM by arne »
......
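A small wrapper around the rule arne gives in replies #11 and #13, added here as an example and not code from the thread or from SME Server itself. It assumes eth0 is the LAN adapter (override with LAN_IF) and that the iptables binary understands -C (iptables 1.4.11 or newer; on an older SME 7 build that option is missing, and the presence check has to be done by reading "iptables -L FORWARD -n -v" by hand). What it adds to the thread is keeping the rule specification in one place so the rule is inserted once, checked, and deleted by content rather than by position, which avoids the "iptables -D FORWARD 1" hazard arne mentions. The IPTABLES variable exists so the script can be dry-run against a stub instead of the real binary.

```shell
#!/bin/sh
# Example (not SME Server code): block routed traffic entering an SME
# server-gateway box from the LAN, so nobody can use it as a default
# gateway, while its own services (SMTP, POP3, HTTP, ...) keep working.
# Services on the box are reached through the INPUT chain; only packets
# that would be routed onwards traverse FORWARD, so this rule leaves them
# alone.
#
# Assumptions: eth0 is the LAN adapter (override with LAN_IF) and the
# iptables binary supports -C (iptables >= 1.4.11). IPTABLES can be
# pointed at a stub for a dry run.

LAN_IF="${LAN_IF:-eth0}"
IPTABLES="${IPTABLES:-iptables}"

# One rule specification shared by -C, -I and -D, so the rule is always
# matched by content rather than by its position in the chain.
rule_spec() {
    echo "FORWARD -i $LAN_IF -j DROP"
}

# Exit status 0 if the rule is already in the FORWARD chain.
# (Unquoted $(rule_spec) is intended: it must split into separate args.)
rule_present() {
    "$IPTABLES" -C $(rule_spec) 2>/dev/null
}

# Insert the rule at the top of FORWARD exactly once; safe to call
# repeatedly, e.g. from /etc/rc.d/rc.local at boot.
block_forwarding() {
    if rule_present; then
        echo "forward block already present on $LAN_IF"
        return 0
    fi
    "$IPTABLES" -I $(rule_spec)
}

# Remove the rule by specification, never by line number, so a different
# rule that happens to be first in the chain cannot be deleted by mistake.
unblock_forwarding() {
    if rule_present; then
        "$IPTABLES" -D $(rule_spec)
    else
        echo "forward block not present on $LAN_IF"
    fi
}

# Show the chain with rule numbers and counters; after "block" the DROP
# rule is line 1 and its packet counter grows whenever a LAN host tries
# to route through this box.
show_forward() {
    "$IPTABLES" -L FORWARD -n -v --line-numbers
}

# Command-line entry point; with no argument nothing happens, so the
# functions can also be sourced from another script.
if [ $# -gt 0 ]; then
    case "$1" in
        block)   block_forwarding ;;
        unblock) unblock_forwarding ;;
        show)    show_forward ;;
        *) echo "usage: $0 block|unblock|show" >&2; exit 2 ;;
    esac
fi
```

Run "block" from the shell to test it (as arne says, a reboot clears it), then check from a LAN host that a traceroute with this server set as gateway goes no further than the server itself, while POP3 and SMTP connections to the server still succeed. On SME 7 the masq service rebuilds the firewall at boot and after configuration events, which flushes a hand-inserted rule, so rerun "block" afterwards or move the rule into a template fragment as arne mentions. The rule does not touch the transparent proxy, because that is a local service reached via INPUT; hence the separate advice to keep the HTTP proxy disabled on this box.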

arne
Re: how can I prevent users from using sme as their gateway?
« Reply #14 on: June 06, 2008, 09:23:15 PM »
Does it work? Any progress? (Have not tested it myself, just curious.)
......