There's nothing I'm aware of at the moment to do what you want to do; you're also going to have to be pretty sneaky about it.
If you just want to block access to port 25 (for example) from a LAN workstation to your SME, and if you're adventurous, you may be able to make it work like the 'Block outgoing ports' and 'Bypass Proxy' methods described at
http://wiki.contribs.org/Firewall#Open_Ports_in_Private_Server.2FGateway_Mode
As far as I can tell, you need to insert rules into the 'nat' table of iptables, in the 'local_chk' chain (or better, the 'local_chk_###' chain), something like this:
# deny TCP traffic from 192.168.x.y to port 25 on any host (--dport needs a protocol match)
/sbin/iptables --table nat --insert local_chk --protocol tcp --source 192.168.x.y --destination 0.0.0.0/0 --dport 25 --jump denylog
However, this won't prevent the miscreant workstations from connecting to an off-site SMTP server on an alternate SMTP port (465, 587, 2525, other), or using webmail (80, 443, other) - so you may want to use the "Block outgoing ports" instructions to block all outbound traffic from these users.
If you're dealing with actual people, who have access to Google, who are smart enough to get through junior high school, and who want to send email even though you don't want them to, you'll need to:
- block all internet traffic (proxied or otherwise) for those users
- make sure they don't have iPhones, BlackBerries, or any other way to access your server from "outside"
If you're working with possibly infected computers that may go nuts and send spam all over the place, you should be able to protect yourself by:
- Using 'Block outgoing ports' to block traffic to all ports from the offending workstations
- Disabling the 'SMTP proxy' on your SME server
- Enabling SMTP authentication for users on the internal network
- Disabling SMTP relay for unauthenticated LAN clients
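As an added example (not from the post above or from SME Server itself), here is a small POSIX shell script that turns the single rule above into a repeatable one: it expands a list of LAN workstations across the SMTP ports the post names (25, 465, 587, 2525), defaults to printing the commands, and only inserts a rule if an identical one is not already in the chain. It assumes the 'local_chk' chain and the 'denylog' target exist as described; the workstation addresses are constructed samples.

```shell
#!/bin/sh
# Block a set of LAN workstations from reaching outbound SMTP ports through the
# SME gateway. Defaults to DRY_RUN=1 (print only); set DRY_RUN=0 to apply.
# Assumes the nat/local_chk chain and the denylog target described in the post.

IPTABLES=${IPTABLES:-/sbin/iptables}
CHAIN=${CHAIN:-local_chk}
TARGET=${TARGET:-denylog}
DRY_RUN=${DRY_RUN:-1}
# Plain SMTP, SMTPS, submission, and a common alternate port.
SMTP_PORTS="25 465 587 2525"

# Print the iptables arguments (without the binary) for one source/port pair.
# Keeping the rule text in a function makes it testable without root.
smtp_block_args() {
    # $1 = source address or CIDR, $2 = TCP destination port
    printf '%s' "--table nat --insert $CHAIN --protocol tcp --source $1 --destination 0.0.0.0/0 --dport $2 --jump $TARGET"
}

# Expand a space-separated workstation list into one rule line per host/port.
smtp_block_rules() {
    for h in $1; do
        for p in $SMTP_PORTS; do
            smtp_block_args "$h" "$p"; echo
        done
    done
}

# Insert a rule unless an identical one already exists. The --check form needs
# iptables 1.4.11 or newer; on older builds grep the output of '-t nat -S' instead.
apply_smtp_block() {
    args=$(smtp_block_args "$1" "$2")
    check=$(printf '%s' "$args" | sed 's/--insert/--check/')
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $args"
        return 0
    fi
    # Word-splitting the argument strings is intended here.
    if $IPTABLES $check 2>/dev/null; then
        echo "rule already present: $1 -> tcp/$2"
    else
        $IPTABLES $args
    fi
}

# Constructed sample: two workstations to restrict.
WORKSTATIONS="192.168.1.50 192.168.1.51"
for host in $WORKSTATIONS; do
    for port in $SMTP_PORTS; do
        apply_smtp_block "$host" "$port"
    done
done
```

Run it once with the default dry run to review the generated commands, then with DRY_RUN=0 as root on the gateway; rerunning it is safe because existing rules are detected rather than duplicated.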