HPE Community
Operating System - Linux
1829889 Members
2469 Online
109993 Solutions
New Discussion

how to block all trafic other then POP n SMTP

 
SOLVED
Go to solution
Maaz
Valued Contributor

‎09-03-2007 09:09 PM

‎09-03-2007 09:09 PM

how to block all trafic other then POP n SMTP

Dear Gurus

About Internet Gateway Server:
Gateway IP: 10.0.0.110 (ip of the interface connected to the lan)
Gateway Software: Squid 2.6, and iptables.

how to block all trafic to the internet other then POP n SMTP for some clients ?.
Infect I have a LinuxRouter+Squid, and for some users 10.0.0.137, and 10.0.0.125 I just want to allow them access their emails using outlook, and nothing else.
I have denied http traffic using squid. But I wana know how can I also block non smtp/pop traffic using iptables

iptables script I am using at this gateway server is attached.

NOTE: the smtp, and pop server is on the internet
0 Kudos
Reply
7 REPLIES 7
Stuart Browne
Honored Contributor

‎09-03-2007 10:12 PM

‎09-03-2007 10:12 PM

Re: how to block all trafic other then POP n SMTP

Change the filter table's FORWARD policy to DROP (this will block *EVERYTHING* except Squid from other computers), then explicity allow those two computers access through the forward table to the appropriate ports, i.e.

iptables -P FORWARD DROP
iptables -N MailAccess
iptables -A MailAccess -j ALLOW -p tcp --dport 110
iptables -A MailAccess -j ALLOW -p tcp --dport 25
iptables -A FORWARD -j MailAccess -s 10.10.10.125
iptables -A FORWARD -j MailAccess -s 10.10.10.137
One long-haired git at your service...
0 Kudos
Reply
Maaz
Valued Contributor

‎09-03-2007 11:46 PM

‎09-03-2007 11:46 PM

Re: how to block all trafic other then POP n SMTP

Thanks Stuart, for prompt help.

other then 125, and 137, all the 10.0.0.0/24 are allowed to access everything, i.e unlimited access to the internet for clients, other 10.0.0.125, and 10.0.0.137.

regards
0 Kudos
Reply
Stuart Browne
Honored Contributor

‎09-04-2007 12:38 AM

‎09-04-2007 12:38 AM

Solution

Re: how to block all trafic other then POP n SMTP

Ah. In that case, you want to take a different approach. Ignore the previous stuff entirely, and do this:

iptables -N MailAccess
iptables -A MailAccess -j ACCEPT -p tcp --dport 25
iptables -A MailAccess -j ACCEPT -p tcp --dport 110
iptables -A MailAccess -j REJECT
iptables -A FORWARD -j MailAccess -s 10.10.10.125
iptables -A FORWARD -j MailAccess -s 10.10.10.137

This will give them only access to those two ports, and whatever access squid gives them.
One long-haired git at your service...
Reply
Steven E. Protter
Exalted Contributor

‎09-04-2007 01:09 AM

‎09-04-2007 01:09 AM

Re: how to block all trafic other then POP n SMTP

Shalom,

I'd suggest an iptables configuration.

A quick alternative to iptables code is firestarter.

http://fs-security.com

It has a gui and is easily configurable.

The product is open source, lacks a web interface and may be orphaned. The community is working on taking over the product.

Go for strict inbound and outbound policy and then open up port 25 and port 110. Note this configuration will block http/https traffic.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Maaz
Valued Contributor

‎09-05-2007 12:11 AM

‎09-05-2007 12:11 AM

Re: how to block all trafic other then POP n SMTP

Once again Thanks Stuart and SEP for help/support.

Stuart I didnt tried the code(iptables), but as soon as I get the downtime, I'll try the code.. and obviously point will also be assign later ;) .

Regards
Maaz
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

‎09-05-2007 04:59 AM

‎09-05-2007 04:59 AM

Re: how to block all trafic other then POP n SMTP

Just wanted you to know,

You can't play with Stuart's option and mine at the same time.

firestarter uses iptables code. If you shut iptables, firestarter configuration goes down.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
Maaz
Valued Contributor

‎09-05-2007 09:53 PM

‎09-05-2007 09:53 PM

Re: how to block all trafic other then POP n SMTP

Thanks SEP.

Stuart I have attached the modified script(that has your code), but from 10.0.0.125, and 10.0.0.137 I can still use Yahoo, and MSN messengers(and other apps that connects to internet).

I hope i have cleared my question, i,e I just want 10.0.0.125, and 10.0.0.137 to access emails from Email-Servers(pop/smtp) on the internet.
But all other machines(10.0.0.0/24) must have full access to the internet

I have configured transparent proxy, and every client including 10.0.0.125, and 137, has the following TCP/IP configs
IP: 10.0.0.x
NETMASK: 255.255.255.0
GATEWAY: 10.0.0.110
DNS SERVER: 10.0.0.110

Squid is listning on port 3128, and all the traffic directed to port 80 from clients are redirected to 3128 via iptables.

No client has proxy server settings, i.e no TCP/IP(proxy server)configs are provided to the applications(web-browser, msn, and yahoo messengers etc)

Regards
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.