How to block port 25 for all private IPs (example: 192.168.1.2-253) except 192.168.1.254

pvanthony

New Around Here
Hi,

Plan to have an email server in-house and want to block outgoing port 25 for all the internal computers except for the server, which is on 192.168.1.254.
Did some testing and was able to block outgoing port 25 for all computers, but could not figure out how to allow just one computer to send out emails on port 25.

Need advice on how to get this done.

P.V.Anthony

Using Asus RT-AC2600.
 
Can you remove the "How To" prefix from your title please as you are asking a question not publishing a how-to guide. Thanks.
 
Here's what I did...

Open /jffs/scripts/firewall-start. Yours may be empty. Mine is pretty large so I'll extract the relevant bits...

Code:
#!/bin/sh

# this makes a match-set called "Mail-Enabled", which makes the next part a bit easier to do/read
ipset create Mail-Enabled hash:ip

# one line per IP you want to enable for outgoing mail. Obviously these need to be static or otherwise fixed IPs
# substitute your LAN IP parts as appropriate
ipset add Mail-Enabled 192.168.1.x
ipset add Mail-Enabled 192.168.1.y

# enable your desired machines as added in the list above. You can add additional ports
iptables -I FORWARD 1 -p tcp --match multiport --dports 25,587 -m set --match-set Mail-Enabled src -j ACCEPT

# block everything else.
iptables -I FORWARD 2 -p tcp -s 192.168.1.0/24 --match multiport --dports 25,2525,587,465 -j REJECT

Other iptables experts may have more to add or change, but this approach has worked flawlessly for me for quite some time.
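The same approach narrowed to the original question (exactly one permitted sender, 192.168.1.254), written here as an added example rather than taken from the post above or from Asuswrt-Merlin. It assumes Merlin firmware so that /jffs/scripts/firewall-start is executed at all; the function names, the IPT override and the offline verdict model are this example's own conventions, not anything from the firmware.

```shell
#!/bin/sh
# Added example (not the thread's script): /jffs/scripts/firewall-start fragment for Asuswrt-Merlin.
# Assumed addressing, taken from the thread: LAN 192.168.1.0/24, mail server 192.168.1.254.
MAIL_SERVER="192.168.1.254"
LAN="192.168.1.0/24"
SMTP_PORTS="25,465,587,2525"        # submission ports too, so clients cannot sidestep port 25
IPT="${IPT:-iptables}"              # IPT=echo prints the commands instead of running them

# Rule specs as plain strings: the same text serves -I (insert), -D (delete) and -C (check)
allow_spec()  { echo "FORWARD -s $MAIL_SERVER -p tcp -m multiport --dports $SMTP_PORTS -j ACCEPT"; }
reject_spec() { echo "FORWARD -s $LAN -p tcp -m multiport --dports $SMTP_PORTS -j REJECT --reject-with tcp-reset"; }

# firewall-start runs again on every WAN restart, so remove the previous copies before inserting.
# Both inserts go to the top of FORWARD; ACCEPT is inserted last so it ends up above REJECT.
apply_rules() {
    $IPT -D $(reject_spec) 2>/dev/null   # "no such rule" on the first run is expected
    $IPT -D $(allow_spec)  2>/dev/null
    $IPT -I $(reject_spec)
    $IPT -I $(allow_spec)
}

# Verification: ACCEPT must show a lower line number than REJECT, and REJECT's counters
# should climb when a non-server client tries to send on port 25
show_rules() { $IPT -L FORWARD -n -v --line-numbers; }

# Pure model of the two rules so their ordering can be reasoned about (and tested) offline.
# Prints ACCEPT, REJECT, or PASS when neither rule matches and the rest of FORWARD decides.
verdict() {
    src="$1"; dport="$2"
    case ",$SMTP_PORTS," in
        *",$dport,"*) ;;
        *) echo PASS; return ;;
    esac
    if [ "$src" = "$MAIL_SERVER" ]; then
        echo ACCEPT
    elif [ "${src%.*}" = "${LAN%.0/24}" ]; then   # crude /24 membership check, enough for one LAN
        echo REJECT
    else
        echo PASS
    fi
}

# Only touch the kernel when installed under the firmware's expected script name
if [ "${0##*/}" = "firewall-start" ]; then
    apply_rules
fi
```

FORWARD only sees traffic leaving the LAN, so clients can still reach the in-house server on 192.168.1.254 directly, which is what lets it relay their mail.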
 
This would only work if he is using Merlin's firmware, which I assume he isn't as he's posted in the "Official" forum.
 
Thank you for sharing this firewall script. I am using the official firmware. Will it work on the official firmware?
 
Gah! Apologies, I totally missed the fact I'd switched forums.

Oh well, perhaps a reason to upgrade. :cool:
You are correct. I will have to upgrade. Unfortunately the router used now is the RT-AC2600 and it is not supported. :-(
Might have to get a model that is supported.
 