I want to block SMTP on OpenVPN server

Hey buddies,

I provide a private OpenVPN server to a few friends only.

But I want to block their Microsoft Outlook or similar mail clients from sending/receiving emails, or even connecting. Not web-based mail clients.

Is there any way to do it?

I mean, is there any configuration I can make on my server to achieve this?

Please help me out.


Comments

  • edited June 2013

    Block outbound traffic to ports 25/587 with iptables?

  • mikhomikho Member, Host Rep
    edited June 2013

    iptables to block ports 25 and 587 for SMTP.

    POP3 uses ports 110 and 995.
    IMAP uses ports 143 and 993.

    If they use Outlook to connect to an MS Exchange server you should block the MAPI port, but then they could configure it to use RPC over HTTP, and then you need to either block their mail server by name or IP, or block port 80/443 :)

  • @MikHo said:
    iptables to block ports 25 and 587 for SMTP.

    POP3 uses ports 110 and 995.
    IMAP uses ports 143 and 993.

    If they use Outlook to connect to an MS Exchange server you should block the MAPI port, but then they could configure it to use RPC over HTTP, and then you need to either block their mail server by name or IP, or block port 80/443 :)

    80/443 =)

  • mca295188mca295188 Member
    edited June 2013

    @dazedandconfused

    I have already tried that; it's not working.

    @MikHo

    I can't block port 443 or 80 because they are used in the OpenVPN config files.

    And POP3 and IMAP port blocking is also not working.

  • @mca295188 Just drop the forwarding for those mentioned ports and you're done.

  • natestammnatestamm Member
    edited June 2013

    @mca295188 I would suggest a slightly different, more security-minded approach. Disallow all traffic for any ports used by running/installed mail services EXCEPT from connections A and B, where they are respectively your own and localhost for the server. If port blocking with iptables is "not working" you should look into that. If you mean that those specific ports, the mentioned 25/587, are not stopping the traffic but the rules are correct, please check the aforementioned services and what ports they use. I would suspect you may want to also block ports used for SSL/TLS etc., such as 465, 585, 993, 995 and so on. All of this can be confirmed by simply analyzing some running process output from a command line or checking your config files.

  • mca295188mca295188 Member
    edited June 2013

    Let me describe all of it again.

    There is no mail service/application installed on my VPS.

    On my VPS only the OpenVPN server is installed, and there are only 3 iptables rules I set by default:

    iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx

    iptables -t nat -A POSTROUTING -o venet0:0 -j SNAT --to-source xxx.xxx.xxx.xxx

    iptables -t nat -A POSTROUTING -s 1.0.0.0/24 -j SNAT --to-source xxx.xxx.xxx.xxx

    So now the problem is: the clients use Outlook at their end, over which I don't have any control.

    So is there anything I can do to stop them using mail clients like Outlook etc.? (Not web-based mail clients.)

    I think now I have provided a proper description of my problem.

    And many, many thanks for replying. You guys are always ready to help and that's amazing.

  • MakenaiMakenai Member
    edited June 2013

    Why can't you just block the ports on the interface itself?

    /sbin/iptables -A OUTPUT -i tun0 -p tcp --dport 587 -j DROP

    /sbin/iptables -A OUTPUT -i tun0 -p tcp --dport 25 -j DROP

    It should drop all outgoing TCP packets on the specified ports from the OpenVPN TUN interface; this shouldn't affect your OpenVPN server, only its clients.

  • johnlth93johnlth93 Member
    edited June 2013

    @mca295188 said:
    Let me describe all of it again.

    There is no mail service/application installed on my VPS.

    On my VPS only the OpenVPN server is installed, and there are only 3 iptables rules I set by default:

    iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source xxx.xxx.xxx.xxx

    iptables -t nat -A POSTROUTING -o venet0:0 -j SNAT --to-source xxx.xxx.xxx.xxx

    iptables -t nat -A POSTROUTING -s 1.0.0.0/24 -j SNAT --to-source xxx.xxx.xxx.xxx

    So now the problem is: the clients use Outlook at their end, over which I don't have any control.

    So is there anything I can do to stop them using mail clients like Outlook etc.? (Not web-based mail clients.)

    I think now I have provided a proper description of my problem.

    And many, many thanks for replying. You guys are always ready to help and that's amazing.

    You don't need all 3 rules; they are duplicated.

    You simply need: iptables -t nat -A POSTROUTING -s vpnIP (optional) -o venet0 (optional) -j SNAT --to-source serverIP

    @Makenai said:
    Why can't you just block the ports on the interface itself?

    /sbin/iptables -A OUTPUT -i tun0 -p tcp --dport 587 -j DROP

    /sbin/iptables -A OUTPUT -i tun0 -p tcp --dport 25 -j DROP

    It should drop all outgoing TCP packets on the specified ports from the OpenVPN TUN interface; this shouldn't affect your OpenVPN server, only its clients.

    As I suggested earlier, he could just drop the ports that he doesn't want the VPN clients to access. It doesn't need to be OUTPUT but FORWARD,

    e.g. /sbin/iptables -A FORWARD -p tcp --dport 25 -j DROP

  • mikhomikho Member, Host Rep

    I gave you the answer.
    If you want to block sending emails, block 25 & 587, unless Outlook is connecting to an Exchange server. If it's an Exchange server you need to block MAPI traffic. However, Outlook can be configured to use something called "Outlook Anywhere", which tunnels the traffic (send and receive) over regular HTTP or HTTPS.

    If they are using an Exchange server I would block the mail server IP. Easier that way.

  • Here's the easiest way: you said that your private OpenVPN server is only for your friends. Simply ask your friends not to send email through your VPN.

    Also, since you're talking about ports, block port 26. Many home ISPs block port 25 for SMTP, so 26 has become a non-standard equivalent for port 25 SMTP.

  • @Makenai

    So I have to apply all those rules on every tunnel interface, no?

    @johnlth93

    Is there any way to block all ports and then open the few TCP/UDP ports which I use in my OpenVPN server?

  • mikhomikho Member, Host Rep

    @mca295188 said:

    Is there any way to block all ports and then open the few TCP/UDP ports which I use in my OpenVPN server?

    You can have a rule that blocks everything and then add rules that allow different ports above it. That way you can open up ports as you go.

  • @Mikho

    Thanks. Can you please provide some example, because I don't know that much about iptables?

  • johnlth93johnlth93 Member
    edited June 2013

    @mca295188 said:
    Makenai

    So I have to apply all those rules on every tunnel interface, no?

    johnlth93

    Is there any way to block all ports and then open the few TCP/UDP ports which I use in my OpenVPN server?

    I think you might have confused the INPUT, OUTPUT and FORWARD rules in iptables.

    Either you're confused or you're making me confused. You said to block the SMTP port in the first place; I assume you mean you don't want your VPN clients to tunnel that traffic through your VPN server, so I suggested dropping it under the FORWARD rules, which will work great without sacrificing your server's ability to access those ports; only the VPN clients won't be able to access them.

    But then you said you want to block all ports except the one you're hosting the OpenVPN server on, which is the INPUT rules.

    So now, what exactly do you want to achieve?

    Anyway, back to what you asked me: yes, you can block all ports and only allow some. Pretty sure you will know how if you googled it. But hey, why not let me help you out. Here you go: http://bit.ly/11L0EQF
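The block below is an added example, not code posted in this thread. It puts the INPUT/FORWARD distinction johnlth93 describes and mikho's "block everything, then allow above it" approach into one iptables-restore file. It assumes hypothetical values you must change: public interface venet0 with address 203.0.113.10, two OpenVPN instances (udp/1194 serving 10.8.0.0/24 and tcp/443 serving 10.8.1.0/24), SSH on 22, and the mail ports named in this thread plus 465 (SMTPS). Two facts it relies on: SMTP, POP3 and IMAP are TCP-only protocols, so UDP rules for those ports match nothing; and Outlook talking to Exchange through Outlook Anywhere, MAPI over HTTP or ActiveSync rides on 443 and cannot be told apart from web traffic by port, so such servers can only be cut off by destination address (MAIL_HOSTS, empty by default).

```shell
#!/bin/sh
# Added example (not code from the thread). Emits a complete iptables-restore
# ruleset for an OpenVPN gateway: INPUT is default-deny with only the listeners
# the server itself needs, FORWARD is default-deny with one ACCEPT for VPN
# clients going out to the internet and a REJECT for mail ports in front of it.
# Hypothetical values, change them for your box:
WAN_IF="${WAN_IF:-venet0}"                       # public interface
WAN_IP="${WAN_IP:-203.0.113.10}"                 # public address (documentation range)
VPN_NETS="${VPN_NETS:-10.8.0.0/24 10.8.1.0/24}"  # one subnet per OpenVPN instance
SSH_PORT="${SSH_PORT:-22}"
# SMTP, the non-standard 26, SMTPS, submission, POP3, POP3S, IMAP, IMAPS.
# All of these are TCP only; there is nothing to block on UDP.
MAIL_PORTS="25,26,465,587,110,995,143,993"
# Optional: Exchange/webmail hosts to cut off entirely, because Outlook
# Anywhere / MAPI over HTTP / ActiveSync use 443 and cannot be separated from
# web traffic by port. Space-separated IPs or CIDRs; empty by default.
MAIL_HOSTS="${MAIL_HOSTS:-}"

# Print the ruleset in iptables-restore syntax (lines starting with # are
# ignored by iptables-restore, so the comments can stay in).
vpn_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    # One SNAT rule per VPN subnet; this replaces the three overlapping rules
    # from the thread (iptables cannot match alias names such as venet0:0).
    for net in $VPN_NETS; do
        printf '%s\n' "-A POSTROUTING -s $net -o $WAN_IF -j SNAT --to-source $WAN_IP"
    done
    cat <<EOF
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: packets addressed to the server itself. Policy DROP is the
# "block everything, then open a few ports above it" pattern.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# FORWARD: packets from VPN clients passing through the server. tun+ matches
# tun0, tun1, ... so both OpenVPN instances are covered by one rule.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for host in $MAIL_HOSTS; do
        printf '%s\n' "-A FORWARD -i tun+ -d $host -j REJECT"
    done
    cat <<EOF
-A FORWARD -i tun+ -p tcp -m multiport --dports $MAIL_PORTS -j REJECT --reject-with tcp-reset
-A FORWARD -i tun+ -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

if [ "${1:-}" = "--apply" ]; then
    vpn_ruleset | iptables-restore   # atomic: all-or-nothing, no duplicates on re-run
else
    vpn_ruleset                      # dry run: print the ruleset for review
fi
```

Run it without arguments first and read the output; then, as root, run it with --apply to load it. iptables-restore replaces the whole table atomically, so running it twice does not duplicate rules. REJECT with a TCP reset makes Outlook fail immediately instead of waiting out a timeout as it does with DROP; use DROP if you prefer the connection to hang. Because the FORWARD policy is DROP, client-to-client traffic through the server is blocked too; add an explicit ACCEPT for tun+ to tun+ if you need that. Check SSH_PORT before applying, since INPUT defaults to DROP.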

  • mca295188mca295188 Member
    edited June 2013

    @johnlth93

    Thanks buddy, those FORWARD iptables rules make Outlook not work; it's not even getting connected.

    These are the modifications I made in iptables:

    -A FORWARD -p tcp -m tcp --dport 25 -j DROP
    -A FORWARD -p udp -m udp --dport 25 -j DROP
    -A FORWARD -p tcp -m tcp --dport 587 -j DROP
    -A FORWARD -p udp -m udp --dport 587 -j DROP
    -A FORWARD -p tcp -m tcp --dport 26 -j DROP
    -A FORWARD -p udp -m udp --dport 26 -j DROP
    -A FORWARD -p udp -m udp --dport 110 -j DROP
    -A FORWARD -p tcp -m tcp --dport 110 -j DROP
    -A FORWARD -p tcp -m tcp --dport 995 -j DROP
    -A FORWARD -p udp -m udp --dport 995 -j DROP
    -A FORWARD -p udp -m udp --dport 143 -j DROP
    -A FORWARD -p tcp -m tcp --dport 143 -j DROP
    -A FORWARD -p tcp -m tcp --dport 993 -j DROP
    -A FORWARD -p udp -m udp --dport 993 -j DROP

    Now tell me a few more things, if you don't have any problem:

    Are these rules enough, or are there some other ports which can be used to make Outlook or similar desktop mail clients work? If so, please tell me all those ports and I will block them all.

    And these rules will not block them from using web-based mail websites like Gmail, Yahoo etc.? I don't want to block their access to web-based mail websites.

    Thanks again for helping me out buddy.

  • johnlth93johnlth93 Member
    edited June 2013

    @mca295188 said:
    johnlth93

    Thanks buddy, those FORWARD iptables rules make Outlook not work; it's not even getting connected.

    I am not exactly sure, as I don't use desktop email clients; I only use web-based email clients.

    I can't tell if those desktop email clients allow port changing, but I would say it's kind of pointless unless the email server allows those clients to connect on an alternative port.

    Usually blocking the standard SMTP/IMAP/POP3 ports will be pretty much sufficient.

    IIRC, these email ports use TCP, so you don't need to block UDP. Not very sure though.

    -edit-

    You won't be blocking their access to web-based email clients, as they are usually on port 80/443.

  • @johnlth93

    Many, many thanks for helping me out, and all the others too.

  • @mca295188 said:
    johnlth93

    Many, many thanks for helping me out, and all the others too.

    No problem, and good luck.

  • mikhomikho Member, Host Rep

    Make sure you save your iptables rules and load them on boot.

  • mca295188mca295188 Member
    edited June 2013

    Hey @johnlth93,

    can you provide me the rules starting with the word iptables instead of

    /sbin/iptables -A FORWARD -p tcp --dport 25 -j DROP

    so that I can include them with the other rules in rc.local?

  • You can just include what I mentioned in rc.local;
    it's the exact path of iptables.

  • @mca295188 said:
    Hey johnlth93,

    can you provide me the rules starting with the word iptables instead of

    /sbin/iptables -A FORWARD -p tcp --dport 25 -j DROP

    so that I can include them with the other rules in rc.local?

    You can just include what I mentioned in rc.local; it's the exact path of iptables.

    And what is so hard about pasting without copying /sbin/?

  • @johnlth93

    I don't have any problem with that.

    Actually, last time I followed your procedure exactly, and also saved the iptables rules.

    But now those rules are not there in iptables.

  • @mca295188 said:
    johnlth93

    I don't have any problem with that.

    Actually, last time I followed your procedure exactly, and also saved the iptables rules.

    But now those rules are not there in iptables.

    You'll have to save them somehow and load them from a script somehow,

    or they will be gone once you reboot.

  • Yeah, it's done now. Thanks for helping again.

  • xaitmixaitmi Member

    I just wrote up this script; will this be sufficient, or is there anything else that should be changed/added?

    Also, if I have OpenVPN running on UDP 1194 (10.8.0.0/24) and TCP 443 (10.8.1.0/24), will those be covered as well?

    RCLOCAL='/etc/rc.local'
    
    sed -i "1 a\iptables -A FORWARD -p tcp -m tcp --dport 25 -j DROP" $RCLOCAL
    sed -i "1 a\iptables -A FORWARD -p udp -m udp --dport 25 -j DROP" $RCLOCAL
    sed -i "1 a\iptables -A FORWARD -p tcp -m tcp --dport 587 -j DROP" $RCLOCAL
    sed -i "1 a\iptables -A FORWARD -p udp -m udp --dport 587 -j DROP" $RCLOCAL
    sed -i "1 a\iptables -A FORWARD -p tcp -m tcp --dport 26 -j DROP" $RCLOCAL
    sed -i "1 a\iptables -A FORWARD -p udp -m udp --dport 26 -j DROP" $RCLOCAL
    sed -i "1 a\iptables -A FORWARD -p udp -m udp --dport 110 -j DROP" $RCLOCAL
    sed -i "1 a\iptables -A FORWARD -p tcp -m tcp --dport 110 -j DROP" $RCLOCAL
    sed -i "1 a\iptables -A FORWARD -p tcp -m tcp --dport 995 -j DROP" $RCLOCAL
    sed -i "1 a\iptables -A FORWARD -p udp -m udp --dport 995 -j DROP" $RCLOCAL
    sed -i "1 a\iptables -A FORWARD -p udp -m udp --dport 143 -j DROP" $RCLOCAL
    sed -i "1 a\iptables -A FORWARD -p tcp -m tcp --dport 143 -j DROP" $RCLOCAL
    sed -i "1 a\iptables -A FORWARD -p tcp -m tcp --dport 993 -j DROP" $RCLOCAL
    sed -i "1 a\iptables -A FORWARD -p udp -m udp --dport 993 -j DROP" $RCLOCAL
    
    iptables -A FORWARD -p tcp -m tcp --dport 25 -j DROP
    iptables -A FORWARD -p udp -m udp --dport 25 -j DROP
    iptables -A FORWARD -p tcp -m tcp --dport 587 -j DROP
    iptables -A FORWARD -p udp -m udp --dport 587 -j DROP
    iptables -A FORWARD -p tcp -m tcp --dport 26 -j DROP
    iptables -A FORWARD -p udp -m udp --dport 26 -j DROP
    iptables -A FORWARD -p udp -m udp --dport 110 -j DROP
    iptables -A FORWARD -p tcp -m tcp --dport 110 -j DROP
    iptables -A FORWARD -p tcp -m tcp --dport 995 -j DROP
    iptables -A FORWARD -p udp -m udp --dport 995 -j DROP
    iptables -A FORWARD -p udp -m udp --dport 143 -j DROP
    iptables -A FORWARD -p tcp -m tcp --dport 143 -j DROP
    iptables -A FORWARD -p tcp -m tcp --dport 993 -j DROP
    iptables -A FORWARD -p udp -m udp --dport 993 -j DROP
    service iptables save
  • netomxnetomx Moderator, Veteran
    for p in 25 587 26 110 995 143 993; do
    echo iptables -A FORWARD -p tcp -m tcp --dport $p -j DROP >> /etc/rc.local;
    echo iptables -A FORWARD -p udp -m udp --dport $p -j DROP >> /etc/rc.local;
    done

    Reboot or:
    bash /etc/rc.local

  • xaitmixaitmi Member

    @netomx said:

    > for p in 25 587 26 110 995 143 993; do
    > echo iptables -A FORWARD -p tcp -m tcp --dport $p -j DROP >> /etc/rc.local;
    > echo iptables -A FORWARD -p udp -m udp --dport $p -j DROP >> /etc/rc.local;
    > done

    Reboot or:
    bash /etc/rc.local

    I don't get it. Doesn't my script already cover all that and add it to rc.local?

  • DamianDamian Member

    netomx said: for p in 25 587 26 110 995 143 993; do

    Further yet:

    iptables -A FORWARD -p tcp -m multiport --dports 25,587,26,110,995,143,993 -j DROP
    iptables -A FORWARD -p udp -m multiport --dports 25,587,26,110,995,143,993 -j DROP
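An added example, not from the thread, for the persistence problem discussed in the posts above about rc.local and reboots. Three things about those approaches are worth knowing: the stock /etc/rc.local on Debian/Ubuntu ends with exit 0, so lines appended with >> land after it and never run; sed '1 a\...' puts the rules before the exit but adds another copy every time the script is executed; and running bash /etc/rc.local on a live system appends a second copy of every rule to the kernel's chains, because iptables -A does not check for duplicates. The script below assumes iptables (1.4.11 or newer, which introduced -C) on the PATH, tun+ as the OpenVPN interface family, and /etc/iptables/rules.v4 as the file the iptables-persistent package loads at boot on Debian/Ubuntu (on CentOS/RHEL 6, service iptables save as in xaitmi's script does the same job). It tests for the rule with iptables -C before inserting it, so it can be called from rc.local or by hand as often as you like. It uses REJECT with a TCP reset rather than the thread's DROP so that Outlook fails at once instead of timing out; change the action if you prefer DROP.

```shell
#!/bin/sh
# Added example, not code from the thread: install the mail-port block for VPN
# clients so that it survives a reboot and can be re-run without duplicating rules.
# Hypothetical assumptions: iptables (>= 1.4.11, for -C) on PATH, OpenVPN on tun+,
# and /etc/iptables/rules.v4 as the file iptables-persistent loads at boot.
IPT="${IPT:-iptables}"                        # overridable so the logic can run without root
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"
MAIL_PORTS="25,26,465,587,110,995,143,993"    # TCP only; SMTP/POP3/IMAP have no UDP side

# The rule spec, identical for -C (check) and -I (insert at the top of FORWARD).
mail_block_rule() {
    printf '%s' "FORWARD -i tun+ -p tcp -m multiport --dports $MAIL_PORTS -j REJECT --reject-with tcp-reset"
}

# Insert the block unless it is already loaded. Prints "inserted" or "present";
# returns non-zero only if iptables itself failed (e.g. not running as root).
# Word splitting of the unquoted $(mail_block_rule) into arguments is intended.
ensure_mail_block() {
    if $IPT -C $(mail_block_rule) 2>/dev/null; then
        echo present
        return 0
    fi
    $IPT -I $(mail_block_rule) || return 1
    echo inserted
}

# Write the live ruleset where it is loaded from on boot. On CentOS/RHEL 6,
# 'service iptables save' does this instead. Either replaces the rc.local approach.
persist_rules() {
    mkdir -p "$(dirname "$RULES_FILE")"
    iptables-save > "$RULES_FILE"
}

# Show what is actually loaded, in the same syntax you typed it in.
show_forward() {
    $IPT -S FORWARD
}

case "${1:-}" in
    --install) ensure_mail_block && persist_rules && show_forward ;;
    --check)   ensure_mail_block ;;   # idempotent: safe from rc.local, cron, or by hand
esac
```

As root, sh mailblock.sh --install inserts the rule, saves the ruleset and prints the FORWARD chain; --check alone is the call to put in rc.local if you still use it. To confirm from a VPN client, make a plain TCP connection to a mail server on 587 (for example with nc -vz -w 3 host 587): with the REJECT rule the connection is refused at once, whereas with DROP it hangs until the timeout.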
