Hi,

we have installed shorewall on centos 5 and the server is configured to be like gateway and mail server.

We have a private network and we have a problem with users on this network. They use smtp forwarding and connect to different smtp servers to send spam. How can we block this forwarding on port 25, and is there some way to redirect all traffic for port 25, for example to our mail server (in this case the same machine)?

The users should use only our mail server and should not be able to use different smtp servers.

How do I need to configure shorewall to do this?

Thanks in advance!

Regards, Ali Nebi!

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Block:
REJECT loc net tcp 25
Redirecting isn't a good idea for various reasons. You should tell
your users the policy (don't connect to external SMTP servers, only
connect to the internal SMTP server) and tell them how to configure
that. If you insist, put the 'routeback' option on your internal
network interface in /etc/shorewall/interfaces:
loc eth1 detect routeback
and do a DNAT in /etc/shorewall/rules:
DNAT loc loc:192.168.1.3 tcp 25 - !192.168.1.0/24
(where 192.168.1.3 is your mailserver's IP, 192.168.1.0/24 is the
internal network and eth1 is the router's internal interface)
These redirection configs are just a guess cribbed from Shorewall FAQ
#2. I've never done anything quite this bizarre before (close, but
not quite).
John
On Fri, Aug 1, 2008 at 6:01 PM, anebi@iguanait.com <anebi@iguanait.com>
wrote:
> Hi,
>
> we have installed shorewall on centos 5 and the server is configured to
> be like gateway and mail server.
>
> We have a private network and we have problem with users on this
> network. They use smtp forwarding and connect to different smtp servers
> to send spam. How we can block this forwarding on port 25 and is there
> some way to redirect all trafic for port 25 for example to our mail
> server (in this case the same machine)?
>
> The users should use only our mail server and should not be able to use
> different smtp servers.
>
> How i need to configure shorewall to do this?
>
> Thanks in advanced!
>
> Regards, Ali Nebi!
>
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Fri, 1 Aug 2008 18:20:29 +0800, "John Morris" wrote:
> Block:
>
> REJECT loc net tcp 25

REJECT:info is even better, to track down these users and contact them to teach them how to proceed.

> Redirecting isn't a good idea for various reasons. You should tell
> your users the policy (don't connect to external SMTP servers, only
> connect to the internal SMTP server) and tell them how to configure
> that. If you insist, put the 'routeback' option on your internal
> network interface in /etc/shorewall/interfaces:
>
> loc eth1 detect routeback
>
> and do a DNAT in /etc/shorewall/rules:
>
> DNAT loc loc:192.168.1.3 tcp 25 - !192.168.1.0/24

I'd write:

DNAT loc fw tcp smtp,submission,ssmtp

fw will identify the firewall (and then the router), and loc will include all the LAN. This rule will process mails coming from the LAN trying to go through, if I don't make any mistake.

John: Always reply AFTER the previous message.

HTH.
Jerome Blion.
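The REJECT:info variant Jerome suggests (and John's plain REJECT loc net tcp 25) only helps if somebody actually reads the kernel log it produces. The following Python script is an added example, not code from the thread or from the Shorewall project: it parses Shorewall-style log lines, counts rejected outbound SMTP attempts per internal host, and lists the hosts worth contacting. The log lines are constructed for the example; their prefix assumes Shorewall's default LOGFORMAT ("Shorewall:<chain>:<disposition>:" in front of the netfilter fields), and the chain name loc2net, the host names and the addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real log data). The "Shorewall:loc2net:REJECT:"
# prefix is what the default LOGFORMAT produces for a REJECT:info rule in the
# loc->net chain; the rest are the usual netfilter fields.
SAMPLE_LOG = """\
Aug  1 18:20:29 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 18:20:31 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 18:20:40 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 18:21:02 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.26 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 18:21:10 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug  1 18:21:15 gw kernel: Shorewall:loc2fw:ACCEPT:IN=eth1 OUT= SRC=192.168.1.50 DST=192.168.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=40006 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# chain and disposition come from the LOGFORMAT prefix; everything after is "KEY=value" tokens
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")

# smtp, ssmtp and submission, matching the ports Jerome's DNAT rule names
SMTP_PORTS = {25, 465, 587}


def parse_line(line):
    """Return (chain, disposition, {field: value}) for a Shorewall log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:                      # flags like "DF" or "SYN" carry no value
            key, value = tok.split("=", 1)
            fields[key] = value
    return m.group("chain"), m.group("disp"), fields


def rejected_smtp_by_source(log_text, ports=SMTP_PORTS):
    """Map each internal SRC to (number of rejected SMTP connections, sorted distinct DSTs)."""
    counts = Counter()
    dests = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _chain, disp, f = parsed
        if disp != "REJECT" or f.get("PROTO") != "TCP":
            continue                        # accepted traffic and non-TCP are not of interest
        try:
            dpt = int(f.get("DPT", "0"))
        except ValueError:
            continue
        if dpt not in ports or "SRC" not in f:
            continue
        counts[f["SRC"]] += 1
        dests[f["SRC"]].add(f.get("DST", "?"))
    return {src: (n, sorted(dests[src])) for src, n in counts.items()}


def offenders(log_text, threshold=2):
    """Internal hosts with at least `threshold` rejected SMTP attempts, most active first."""
    stats = rejected_smtp_by_source(log_text)
    ranked = sorted(stats.items(), key=lambda kv: (-kv[1][0], kv[0]))
    return [src for src, (n, _dsts) in ranked if n >= threshold]


if __name__ == "__main__":
    for src, (n, dsts) in rejected_smtp_by_source(SAMPLE_LOG).items():
        print(f"{src}: {n} rejected SMTP attempt(s) to {', '.join(dsts)}")
    print("contact:", offenders(SAMPLE_LOG))
```

On a real gateway you would feed it the kernel log (for example /var/log/messages on CentOS 5) instead of SAMPLE_LOG; one host hitting several distinct external mail servers in a short time is the pattern Jerome describes, and the threshold keeps a single mistyped client setting from being flagged.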