Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: Richard on September 16, 2002, 11:04:05 AM

Title: How can I deny SMTP connections in 5.5
Post by: Richard on September 16, 2002, 11:04:05 AM
In the previous version 5.1.2 I had added the deny list for mail connections by IP range and addresses.  How is this done in 5.5?  I've been on this bbs for two weeks now and in the docs and http://untroubled.org/mailfront/, the latter site I do not completely understand.  I believe many people want a solution to this problem.  I would be willing to help with a detailed how-to if someone could guide me.  Thanks.
Title: Re: How can I deny SMTP connections in 5.5
Post by: Nathan Fowler on September 16, 2002, 11:29:09 PM
I'd just use ipchains, and deny access to 25 TCP incoming on the external interface.  This would basically accomplish the same thing, however, you would be using ipchains instead of mailfront.
Title: Re: How can I deny SMTP connections in 5.5
Post by: Richard on September 17, 2002, 06:18:40 AM
OK (Sitting in corner with DUNCE hat on)

I have this file from Darrell May's how-to

/etc/e-smith/templates-custom/var/spool/smtpd/etc/smtpd_check_rules/10DenyList

with the following string:

deny:24.192.0.0/14:ALL:ALL

What is the equivalent string/argument for ipchains?
What specific file do I edit?

(Sitting...waiting)
Title: Re: How can I deny SMTP connections in 5.5
Post by: Nathan Fowler on September 17, 2002, 07:11:17 AM
No problem with the "dunce" hat, no one knows everything. :)

/sbin/ipchains -A input -p tcp --dport 25 --source 24.192.0.0/16  -j DENY -i

Where is your external ethernet device, eth1, eth0, etc depending on your configuration.

If you want these changes available "on-boot" simply add them to the bottom of /etc/rc.d/rc.local

Hope this helped,
Nathan
Title: Re: How can I deny SMTP connections in 5.5
Post by: Nathan Fowler on September 17, 2002, 07:30:05 AM
On a side note, I'm not familiar with the /14 notation you were using.  It has been my understanding that the / notation is based on 8 bits per octet.

IE:  8bits.8bits.8bits.8bits = /32

255.255.255.0 = /24
255.255.0.0 = /16
255.0.0.0 = /8

Can you explain "/14" or was it a typo?  I could be misinformed, perhaps /14 is the bit notation for 255.255.252.0?  It's been a while since I've done subnetting.

Who's the guy with the dunce hat on now :)

Nathan
Title: IP range and subnets
Post by: Richard on September 17, 2002, 08:58:12 AM
When I get hit with SPAM I put the sending IP into ARIN here
http://www.arin.net/whois/index.html
I take the low end of the subnet the IP is in and put it into the Subnet Mask Calculator in Router Tools, which I got free from http://www.boson.com
I move the slider bar L/R until the correct range is displayed in the Current Host Range box and that gives me the proper mask (I think) to use.  As you will see from this there are many different masks you could get.

More than that I do not know.

Thanks for the Info.
Title: Re: IP range and subnets
Post by: Richard on September 17, 2002, 09:06:09 AM
Would it be more intelligent to create a batch/script file that could be called by rc.local?
If so, how would I create the file syntax wise ( I use pico ) and how would I call it?

Thanks for the help.
Title: Re: IP range and subnets
Post by: Dan Brown on September 17, 2002, 09:32:14 AM
Nathan, the /14 (or whatever) notation denotes the number of bits in the subnet mask.  Thus, a subnet mask of 255.0.0.0 would be equivalent to /8 (a Class A subnet), 255.255.0.0 would be the same as /16 (Class B), and 255.255.255.0 would be /24 (Class C).  The /14 notation would be the same as 255.252.0.0, and would be the same number of hosts as 4 Class B networks.

That said, it may be a typo, but it is a legitimate address.
Title: Re: IP range and subnets
Post by: Richard on September 18, 2002, 08:00:26 PM
Still having problems denying SMTP connections.

I have a script ipchains.sh which has the following:

#!/bin/sh
/sbin/ipchains -A input -p tcp --dport 25 --source 24.192.0.0/14 -j DENY -i eth0
/sbin/ipchains -A input -p tcp --dport 25 --source 61.0.0.0/8 -j DENY -i eth0
/sbin/ipchains -A input -p tcp --dport 25 --source 128.134.0.0/16 -j DENY -i eth0
etc.....

I got an e-mail today, header here:

Received: (qmail 23746 invoked by alias); 18 Sep 2002 14:33:25 -0000
Delivered-To: alias-localdelivery-richard@structuralsupport.net
Received: (qmail 23743 invoked from network); 18 Sep 2002 14:33:24 -0000
Received: from unknown (HELO localhost) (61.99.34.206)
  by limelight.structuralsupport.net (65.188.0.241) with SMTP; 18 Sep 2002 14:33:24 -0000
Reply-To: gulbimaul@gulbimaul.com
Return-Path: gulbimaul@gulbimaul.com
From: 굴비마을
To: richard@structuralsupport.net
Subject: "허브굴비"-대한민국 1% 굴비 [홍보]
Mime-Version: 1.0
Content-Type: text/html; charset="ks_c_5601-1987"
Date: Fri, 1 Jan 1999 13:11:48 +0900
etc...

So I type /sbin/ipchains -L and get

(stuff)...
denylog    all  ------  anywhere             anywhere              n/a
DENY       tcp  ------  24.192.0.0/14        anywhere              any ->   smtp
DENY       tcp  ------  61.0.0.0/8           anywhere              any ->   smtp
DENY       tcp  ------  128.134.0.0/16       anywhere              any ->   smtp  
DENY       tcp  ------  155.230.0.0/16       anywhere              any ->   smtp
DENY       tcp  ------  168.70.0.0/16        anywhere              any ->   smtp
etc....


How did this and other e-mail get in?  Do I have to issue some command for the ipchain stuff to take effect?
Title: Re: IP range and subnets
Post by: Charlie Brady on September 18, 2002, 08:32:40 PM
Richard wrote:

> Still having problems denying SMTP connections.
...
> /sbin/ipchains -A input -p tcp --dport 25 --source 61.0.0.0/8
> -j DENY -i eth0
> /sbin/ipchains -A input -p tcp --dport 25 --source
> 128.134.0.0/16 -j DENY -i eth0
> etc.....
>
> I get an e-mail tohay, header here:
...
> Received: from unknown (HELO localhost) (61.99.34.206)
>   by limelight.structuralsupport.net (65.188.0.241) with
> SMTP; 18 Sep 2002 14:33:24 -0000

61.99.34.206 is not in 61.0.0.0/8.

Charlie
Title: Re: IP range and subnets
Post by: Richard on September 18, 2002, 09:30:15 PM
Well that explains a lot.  I thought that 61.0.0.0/8 meant an 8 bit mask which was equal to 61.0.0.0 thru 61.255.255.255 or a Subnet mask of 255.0.0.0.  Oh well, I guess I will have to figure this stuff out again.

(Dunce hat back on)
Title: Re: IP range and subnets
Post by: Dan Brown on September 18, 2002, 09:41:52 PM
FWIW, that's what I would have thought as well (which doesn't prove anything except, perhaps, that I should also be wearing the dunce cap).
Title: Re: IP range and subnets
Post by: Nathan Fowler on September 18, 2002, 09:50:56 PM
CIDR notation is what we are having problems with.  /8 is the CIDR notation for a default subnet mask of 255.0.0.0.  In CIDR notation, an IP address is represented as A.B.C.D /n, where "/n" is called the IP prefix or network prefix. The IP prefix identifies the number of significant bits used to identify a network. For example, 192.9.205.22 /18 means that the first 18 bits are used to represent the network and the remaining 14 bits are used to identify hosts.

To determine the correct CIDR notation you must first convert the IP address to binary, find the default subnet mask, and then determine the number of significant bits.  There is an easier way: you can use a CIDR chart (http://support.iglou.com/fom-serve/cache/238.html).  You can also use a network calculator (http://www.telusplanet.net/public/sparkman/netcalc.htm) to determine your subnet mask and then from there find the CIDR notation.

Hope this helped,
Nathan
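As an added example (not from the thread), the CIDR arithmetic the posts above go back and forth on, in Python: prefix length to dotted mask, the host range a prefix covers, and whether the connecting address from the Received: header quoted earlier falls inside each of the posted deny ranges. The header regex, the sample header string and the function names are my own.

```python
import re

def ip_to_int(ip: str) -> int:
    """Dotted IPv4 -> 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_mask(prefix: int) -> int:
    """/n -> mask with n leading one-bits (e.g. /14 -> 0xFFFC0000)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return ((1 << prefix) - 1) << (32 - prefix)

def prefix_to_dotted_mask(prefix: int) -> str:
    return int_to_ip(prefix_mask(prefix))   # /14 -> 255.252.0.0, /8 -> 255.0.0.0

def cidr_range(cidr: str) -> tuple[str, str]:
    """First and last address covered by A.B.C.D/n (host bits cleared/set)."""
    net, prefix = cidr.split("/")
    mask = prefix_mask(int(prefix))
    first = ip_to_int(net) & mask
    return int_to_ip(first), int_to_ip(first | (~mask & 0xFFFFFFFF))

def cidr_contains(cidr: str, ip: str) -> bool:
    """True when ip shares the first n bits with the network in cidr."""
    net, prefix = cidr.split("/")
    mask = prefix_mask(int(prefix))
    return (ip_to_int(ip) & mask) == (ip_to_int(net) & mask)

# Source ranges taken from the ipchains deny rules posted in the thread.
DENY_LIST = ["24.192.0.0/14", "61.0.0.0/8", "128.134.0.0/16"]

# Constructed sample: the Received: line from the thread, reassembled.
SAMPLE_HEADER = ("Received: from unknown (HELO localhost) (61.99.34.206)\n"
                 "  by limelight.structuralsupport.net (65.188.0.241) with SMTP;"
                 " 18 Sep 2002 14:33:24 -0000\n")
RECEIVED_RE = re.compile(r"^Received: from \S+ \(HELO [^)]*\) \((\d+\.\d+\.\d+\.\d+)\)", re.M)

def matching_rules(header: str, deny_list=DENY_LIST) -> list[str]:
    """Deny entries that cover the peer IP recorded by the receiving MTA."""
    m = RECEIVED_RE.search(header)
    return [c for c in deny_list if cidr_contains(c, m.group(1))] if m else []
```

Running `matching_rules(SAMPLE_HEADER)` shows which posted range, if any, the connecting address falls into; `cidr_range` gives the exact first/last host of each /n, which is the quickest way to sanity-check a deny entry before loading it.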
Title: Re: IP range and subnets
Post by: Richard on October 14, 2002, 08:10:43 AM
OK, I am fat dumb and happy again.  I have a bunch of these:

/sbin/ipchains -I input -p tcp -s 24.192.0.0/14 ! 80 -j DENY -l
/sbin/ipchains -I input -p tcp -s 61.0.0.0/8 ! 80 -j DENY -l

which deny the ability of those outside the North Americas from connecting to my server except for httpd.  No more spam or anything else allowed at all.