Hi,

I currently have a firewall running on 6.8 that only allows smtp communication from our LAN exchange server (10.1.5.32) to our mail host (Fuse Mail IP range), and from Fuse Mail to the Exchange server.

The working rules on 6.8:
Rule Name                    Rule
==========================================================================================================================================
Deny SMTP                    iptables -I FORWARD -i eth5 -p tcp --dport 25 -j DROP
Allow SMTP from defined IPs  iptables -I FORWARD -i eth5 -s 10.1.5.32 -p tcp --dport 25 -j ACCEPT
FM1                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 192.162.216.0/22 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM2                          iptables -A FORWARD -p tcp -s 192.162.216.0/22 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
FM3                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 208.70.128.0/21 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM4                          iptables -A FORWARD -p tcp -s 208.70.128.0/21 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
FM5                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 72.35.12.0/24 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM6                          iptables -A FORWARD -p tcp -s 72.35.12.0/24 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
FM7                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 72.35.23.0/24 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM8                          iptables -A FORWARD -p tcp -s 72.35.23.0/24 -d 10.1.5.23 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


The rules created on the 7.2 system (changed eth5 to ens160):
Rule Name                    Rule
==========================================================================================================================================
Deny SMTP                    iptables -I FORWARD -i ens160 -p tcp --dport 25 -j DROP
Allow SMTP from defined IPs  iptables -I FORWARD -i ens160 -s 10.1.5.32 -p tcp --dport 25 -j ACCEPT

FM1                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 192.162.216.0/22 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM2                          iptables -A FORWARD -p tcp -s 192.162.216.0/22 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

FM3                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 208.70.128.0/21 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM4                          iptables -A FORWARD -p tcp -s 208.70.128.0/21 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

FM5                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 72.35.12.0/24 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM6                          iptables -A FORWARD -p tcp -s 72.35.12.0/24 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

FM7                          iptables -t nat -A PREROUTING -p tcp -i ppp0 -s 72.35.23.0/24 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM8                          iptables -A FORWARD -p tcp -s 72.35.23.0/24 -d 10.1.5.23 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


I don't seem to be able to receive mail, so it is like the rules aren't working. Has the syntax changed more than just the LAN ethernet name? (It looks like ppp0 has the same name.)

I tried specifying our external IP using the below, but it didn't make a difference:
FM1                          iptables -t nat -A PREROUTING -p tcp -s 82.68.112.126/24 -s 192.162.216.0/22 --dport 25 -j DNAT --to-destination 10.1.5.32:25
FM2                          iptables -A FORWARD -p tcp -s 192.162.216.0/22 -d 10.1.5.32 --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


Any guidance would be much appreciated.
Thanks
Monday, April 24 2017, 03:10 PM

Accepted Answer

Tuesday, April 25 2017, 12:53 PM
My bad on the 192.162.216.0/22 range. At first glance I thought it was the 192.168.x.y private range.

The rule you are missing, and you need it only once, is:
iptables -I POSTROUTING -t nat -s your_LAN_subnet -d 10.1.5.32 -p tcp --dport 25 -j SNAT --to-source your_LAN_interface_IP
I can never get my head round this rule and I am not totally sure why it is needed. I can see it can get round Micro$oft firewalling issues when the firewall only allows traffic from other LAN devices, but otherwise I am not sure of its purpose. Remember also to change "iptables" to "$IPTABLES" when you've tested it.

In theory you can combine IP addresses in iptables by separating them by commas. That would reduce your port forwarding rules to three, plus your two outbound rules. I have not tried it.

[edit]
... and thinking about it, there is no need to use the -s on both the PREROUTING and FORWARD rules. If you do it on the PREROUTING, the traffic is already filtered to just those IP ranges. Your FORWARD rules have "-d 10.1.5.32", so will never operate on direct traffic from the internet as people on the internet cannot send packets directly to 10.1.5.32.
[/edit]
Responses (5)
  • Monday, August 21 2017, 07:50 AM
    Hi all,

    I wanted to say thank you for the suggestions, Nick it worked as soon as your line was typed in. Very much appreciated.
  • Monday, August 21 2017, 07:45 AM
    Hi all,

    Just wanted to say thank you. Nick, your one line
    iptables -I POSTROUTING -t nat -s your_LAN_subnet -d 10.1.5.32 -p tcp --dport 25 -j SNAT --to-source your_LAN_interface_IP
    was the fix, started working as soon as that line was in. We also followed your recommendation and removed the state types.

    Apologies for the months delay, but as this is a production system, we don't get many time windows to do testing. Now the firewall rules and VPNs are sorted will be on to the AD integration.

    Suggestions all very much appreciated.
  • Tuesday, April 25 2017, 09:16 AM
    Thank you for the prompt replies, I will test and let you know how I get on.
  • Monday, April 24 2017, 09:06 PM
    Validate your interface names ('ip addr') and copy and paste instead of retyping. Small 'L' can look like 1 and other cases can exist.

    When in doubt, execute your iptables rules one at a time on command line.
  • Monday, April 24 2017, 04:45 PM
    That syntax should probably work from the command line, but from the custom firewall module or /etc/clearos/firewall.d/local, please change "iptables" to "$IPTABLES" (which more or less calls "iptables -w").

    I do find the rules a little odd. Incoming port forwarding normally has 3 rules (PREROUTING, FORWARD, POSTROUTING). When you tried to use your WAN IP you specified -s twice instead of -s and -d in your PREROUTING rule. I am also unsure of the role of the 192.162.216.0/22 address range when the mail is coming from the internet.

    FWIW you should not need "-m state --state NEW,ESTABLISHED,RELATED" as that is all traffic anyway.
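The three-rule port forward (PREROUTING, FORWARD, POSTROUTING) mentioned in this reply, the single SNAT line from the accepted answer, and that answer's suggestion of comma-separated source ranges, put together as one script. This is an added example written for this page, not code from the thread or from ClearOS. ppp0, ens160, 10.1.5.32 and the four relay ranges are the values posted above; the LAN subnet 10.1.5.0/24, the firewall LAN address 10.1.5.1, the dry_run helper, the APPLY_SMTP_RULES switch and the fallback value for IPTABLES are assumptions. The comment on the SNAT rule describes what the rule does to packets; the accepted answer's own caveat that the reason it is needed here is unclear still stands.

```shell
#!/bin/sh
# Added example (not from the thread or ClearOS): the inbound SMTP port-forward
# rule set as one function, plus a dry-run helper so the generated commands can
# be read before the block is pasted into /etc/clearos/firewall.d/local.

# From the thread: WAN interface, LAN interface on the 7.2 box, the Exchange
# server, and the four relay ranges.
WAN_IF="${WAN_IF:-ppp0}"
LAN_IF="${LAN_IF:-ens160}"
MAIL_SERVER="${MAIL_SERVER:-10.1.5.32}"
MAIL_RELAYS="${MAIL_RELAYS:-192.162.216.0/22,208.70.128.0/21,72.35.12.0/24,72.35.23.0/24}"
# Assumed placeholders, not values from the thread.
LAN_NET="${LAN_NET:-10.1.5.0/24}"
LAN_IP="${LAN_IP:-10.1.5.1}"

# ClearOS defines $IPTABLES for scripts under firewall.d; this fallback is an
# assumption so the script also runs outside that framework.
: "${IPTABLES:=iptables}"

smtp_forward_rules() {
    # Outbound: only the mail server may open SMTP from the LAN. Both lines use
    # -I, so the DROP is inserted first and the ACCEPT then lands above it.
    $IPTABLES -I FORWARD -i "$LAN_IF" -p tcp --dport 25 -j DROP
    $IPTABLES -I FORWARD -i "$LAN_IF" -s "$MAIL_SERVER" -p tcp --dport 25 -j ACCEPT

    # Inbound 1/3: DNAT on the WAN interface, restricted to the relay ranges.
    # iptables accepts a comma-separated list for -s and expands it to one rule
    # per range, so the four PREROUTING rules from the thread collapse to one.
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$MAIL_RELAYS" --dport 25 \
        -j DNAT --to-destination "${MAIL_SERVER}:25"

    # Inbound 2/3: accept the forwarded packets. After DNAT the destination is
    # the private address, which internet hosts cannot target directly, so the
    # source filter is not repeated here.
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$MAIL_SERVER" --dport 25 -j ACCEPT

    # Inbound 3/3: the SNAT line from the accepted answer, needed once. It
    # rewrites the source of LAN-originated connections to the server's SMTP
    # port to the firewall's LAN address, so the server replies to the firewall.
    $IPTABLES -t nat -I POSTROUTING -s "$LAN_NET" -d "$MAIL_SERVER" -p tcp --dport 25 \
        -j SNAT --to-source "$LAN_IP"
}

# Print the commands instead of running them; the subshell keeps the override local.
dry_run() {
    ( IPTABLES="echo iptables"; smtp_forward_rules )
}

# Apply only when asked, so sourcing the file never touches the kernel.
if [ "${APPLY_SMTP_RULES:-0}" = "1" ]; then
    smtp_forward_rules
fi
```

Running `dry_run` prints the five iptables commands in the order they would be issued; `APPLY_SMTP_RULES=1 sh script.sh` loads them. Once loaded, `iptables -t nat -vnL PREROUTING --line-numbers` and `iptables -vnL FORWARD` show a packet counter per rule, which is the quickest way to see whether a test delivery from the relay is hitting the DNAT and FORWARD rules at all or being dropped earlier. One caveat on removing the state match, as the thread did: `-m state --state NEW,ESTABLISHED,RELATED` matches everything except packets conntrack classifies as INVALID (and UNTRACKED), so a FORWARD rule without it also lets INVALID packets through to the server; for the accepted traffic the two forms behave the same.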