Raintree Solutions, LLC

Computer Solutions for Santa Cruz County and Del Norte County, CA

 
    Servers, Workstations, Laptops, Custom Databases, Commercial Software, Point of Sale, Networks, Wireless, VPNs, Web Maintenance, Domain Registrations, Email Servers, Antivirus, AntiSpyware, AntiSpam, Preventative Maintenance, and more!    

Borrowed from Cooper Technologies

SMTP Filter

INBOUND FILTER

      1. Allow everything

OUTBOUND FILTER

      1. The mailserver can send anything
      2. All outbound SMTP (25/tcp) is blocked
      3. Allow everything

Because the mail server's traffic (including SMTP) is allowed as the first step, it's not blocked in any way: server-originated traffic never goes beyond step #1. It's non-server traffic which collides with step #2, and if SMTP is seen, it's not allowed. Step #3 is reached for non-server, non-SMTP traffic: this is all permitted.

Adding the filter

This is done in two steps: first we create the named filter, then apply it to a particular connection. Maintaining the filter sets is done by logging into the router via telnet and navigating to the proper menu.

   Nav:
   Main Menu
    System Configuration...
    Filter Sets...
    Add Filter Set... 

Here the filter set should be named, and "ADD FILTER SET" selected:

                     Add Filter Set...


Filter Set Name: SMTP Output Filter

ADD FILTER SET CANCEL

The filter set is empty after being added, so it must then be populated. Select Display/Change Filter Set..., press RETURN, then select the newly-created set. We'll be at this screen more than once.

                    Display/Change Filter Set...


Filter Set Name: SMTP Output Filter

           Add Input Filter to Filter Set...
           Display/Change Input Filter...
           Delete Input Filter...
           Move Input Filter...
           Add Output Filter to Filter Set...
           Display/Change Output Filter...
           Delete Output Filter...
           Move Output Filter...


First we'll add the input filter. This may not be required, because the device might default to "Permit" when no filter is provided, but we didn't want to find out the hard way by getting locked out remotely. An explicit "Permit" rule seemed like a wise idea: select Add Input Filter to Filter Set... and press RETURN.

                     Add Input Filter

Enabled: Yes Forward: Yes means "Permit" Call Placement/Idle Reset: No Change


Source IP Address: 0.0.0.0 Source IP Address Mask: 0.0.0.0

Dest. IP Address: 0.0.0.0 Dest. IP Address Mask: 0.0.0.0

Protocol Type: ANY

ADD THIS FILTER NOW CANCEL

IMPORTANT - the default for the "Forward" field is No, and this has the effect of a Deny rule: be sure to select Yes (by pressing TAB then RETURN).

Next we'll select Add Output Filter to Filter Set... and add the three rules required. First we permit the mailserver identified by a single IP address to make any connections whatsoever. This goes beyond the rule of allowing just SMTP, but in case we got the other rules wrong (remotely), we wanted to always get to the server.

The netmask of 255.255.255.255 means this is a single IP address, not an address block or range.

                     Add Output Filter

Enabled: Yes Forward: Yes means "Permit" Call Placement/Idle Reset: No Change


Source IP Address: 192.168.1.1 Source IP Address Mask: 255.255.255.255

Dest. IP Address: 0.0.0.0 Dest. IP Address Mask: 0.0.0.0

Protocol Type: ANY


ADD THIS FILTER NOW CANCEL

Next we add the rule which denies all outbound SMTP. Rules are applied in order, so the server which is allowed to do anything it likes won't ever get to this rule. All the non-server systems do, and their attempts at outbound port 25/tcp are blocked by the Forward=No.

                     Add Output Filter

Enabled: Yes Forward: No means "Deny"

Source IP Address: 0.0.0.0 Source IP Address Mask: 0.0.0.0

Dest. IP Address: 0.0.0.0 Dest. IP Address Mask: 0.0.0.0

Protocol Type: TCP Source Port Compare... No Compare Source Port ID: 0 Dest. Port Compare... Equal Dest. Port ID: 25 Established TCP Conns. Only: No

ADD THIS FILTER NOW CANCEL

Finally we add the rules which allows all the systems to do non-mail transport: they should be able to surf the internet or download files, or whatever. Selecting Add Output Filter again, we see:

                     Add Output Filter

Enabled: Yes Forward: Yes means "Permit" Call Placement/Idle Reset: No Change


Source IP Address: 0.0.0.0 Source IP Address Mask: 0.0.0.0

Dest. IP Address: 0.0.0.0 Dest. IP Address Mask: 0.0.0.0

Protocol Type: ANY


 

ADD THIS FILTER NOW CANCEL

This done, the filter has been defined, and we can verify both directions with the "Display/Change Filter" options in each input/output section.

Input filter:

  +-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+
  +-------------------------------------------------------------------------+
  | 1    0.0.0.0           0.0.0.0           ANY   --       --      Yes Yes |
  |                                                                         |
  |                                                                         |
  |                                                                         |
  +-------------------------------------------------------------------------+

Output filter:

  +-#----Source IP Addr----Dest IP Addr------Proto-Src.Port-D.Port--On?-Fwd-+
  +-------------------------------------------------------------------------+
  | 1    192.168.0.2       0.0.0.0           ANY   --       --      Yes Yes |
  | 2    0.0.0.0           0.0.0.0           TCP   NC       =25     Yes No  |
  | 3    0.0.0.0           0.0.0.0           ANY   --       --      Yes Yes |
  |                                                                         |
  |                                                                         |
  +-------------------------------------------------------------------------+

Now our "Outbound SMTP Filter" is defined, but since no connection is using it, there is no impact on actual traffic anywhere. Associating the filter with the connection

With the "Outbound SMTP filter" defined, we're ready to attach it to the internet connection. From the main menu, navigate down to "WAN Ethernet Configuration"

   Nav:
   Main Menu
    WAN (Wide Area Network) Setup...
    EN (Wan module 1) Setup... 

One must be very careful in this configuration screen: this holds the parameters for the live internet, and mistakes can be painful. It's certainly much safer to do this over the serial console rather than remotely over the internet: do so if possible.

Furthermore, only the Filter Set setting should be changed here: the other parameters may well be different and reflect the local configuration. DO NOT change any other parameters to match those here.

                         WAN Ethernet Configuration

Address Translation Enabled: Yes Local WAN IP Address: 66.121.X.X Local WAN IP Mask: 255.255.255.248

NAT Map List... Easy-PAT List NAT Server List... Easy-Servers

Filter Set... Outbound Mail Filter Remove Filter Set


Enable PPP over Ethernet: Off

Wan Ethernet MAC Address: 00:00:c5:70:xx:xx

RIP Options...

Press ESCAPE to leave this screen, and the filters should take effect immediately. It's wise to doublecheck the settings by checking that the filters are working properly.

  1. Make sure that users in general can surf the internet: this should work for all users.
  2. Insure that the mailserver can actually send mail, perhaps by sending a test message to an outside party.
  3. Finally, insure that non-server users cannot send mail. This is most commonly done by using telnet and attempting a connection to an outside mailserver's port 25/tcp. This connection should be blocked.

If any of these tests fail, it's best to remove the filter from the connection (the "Remove Filter Set" option in the last screen) and regroup.