Adding rules to IPTables/Postfix ports

Discussion in 'Installation/Configuration' started by davew, Jun 11, 2009.

  1. davew

    davew New Member

    I need to accept smtp traffic on additional ports to 25 because some of my clients have ISPs that block port 25 traffic to anything other than their ISPs mail servers.

    A while ago I implemented this with a quick workaround using IPTables where I added the rule...
    -A PREROUTING -p tcp -m tcp --dport 587 -j REDIRECT --to-ports 25

    to /etc/sysconfig/iptables

    When I turn the firewall on in ISPConfig 3, the bastille script (I assume) rewrites iptables and discards my redirect.

    Is there an easy way to add my rerouting rule so it "sticks" or any other way of allowing postfix to listen on more than one port ? I assume I need to use /usr/local/ispconfig/server/conf-custom/ for the former ?

    Am I correct in thinking that this prerouting rule also allows fail2ban (on port 25) to work correctly for this new port ?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no way implemented to add any custom rules. It might get added in later versions.
  3. davew

    davew New Member

    OK, thanks. I'll change the postfix config to get it to listen on both ports then.
  4. rbartz

    rbartz Member HowtoForge Supporter

    Actually, there may be an easy way, at least on Fedora Linux most or all Cores and maybe in all Linux distros using Bastille.

    In /etc/Bastille you should have or can create a directory named firewall.d. In that directory, you can add a file that is run on server reboot, thus restoring your "special" rules such as blocking a Nigerian ISP that has some nasty fellows who are constantly probing your server....
    cd /etc/Bastille
    mkdir firewall.d

    INSERT the iptables COMMANDS you need, for example

    iptables -I INPUT -m iprange --src-range -j DROP
    iptables -I OUTPUT -m iprange --dst-range -j DROP

    Save the file, then when iptables starts at boot it loads these rules.

    I have found this to be an effective way to permanently deal with a lot of the server brute-force-attacks originating again and again in some countries, and to forever block someone who used cracked SMTP logins to spam.

    Any iptables rules in the file are run, but be sure that the rules are valid and tested from the command line so that you don't break iptables on boot.


Share This Page