How to block port 25 for all private ip (example: 192.168.1.2-253) except 192.168.1.254


pvanthony

New Around Here
Hi,

Plan to have an email server in house and want to block port 25 for outgoing for all the internal computers except for the server which is on 192.168.1.254.
Did some testing and was able to block port 25 outgoing for all computers. But could not figure out how to allow just one computer to send out emails on port 25.

Need advice on how to get this done.

P.V.Anthony

Using Asus RT-AC2600.
 

ColinTaylor

Part of the Furniture
Can you remove the "How To" prefix from your title please as you are asking a question not publishing a how-to guide. Thanks.
 

bpsmicro

New Around Here
Here's what I did...

Open /jffs/scripts/firewall-start. Yours may be empty. Mine is pretty large so I'll extract the relevant bits...

Code:
#!/bin/sh

# this makes a match-set called "Mail-Enabled", which makes the next part a bit easier to do/read
# (-exist keeps this from failing when firewall-start runs a second time and the set already exists)
ipset create -exist Mail-Enabled hash:ip

# one line per IP you want to enable for outgoing mail. Obviously these need to be static or otherwise fixed IPs
# substitute your LAN IP parts as appropriate
ipset add -exist Mail-Enabled 192.168.1.x
ipset add -exist Mail-Enabled 192.168.1.y

# enable your desired machines as added in the list above. You can add additional ports
# (inserted at position 1 so it sits above the REJECT rule below)
iptables -I FORWARD 1 -p tcp --match multiport --dports 25,587 -m set --match-set Mail-Enabled src -j ACCEPT

# block everything else from the LAN on the common SMTP/submission ports.
iptables -I FORWARD 2 -p tcp -s 192.168.1.0/24 --match multiport --dports 25,2525,587,465 -j REJECT

Other iptables experts may have more to add or change, but this approach has worked flawlessly for me for quite some time.
 
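The same allow-one-host, reject-the-rest rule set written out for the original poster's case (192.168.1.254 as the only permitted sender), as an added example that is not code from the thread or from any of its posters. It assumes Asuswrt-Merlin, since the /jffs/scripts/firewall-start hook and ipset are only available there, and it adds two things a practitioner usually wants in a hook that the firmware re-runs: idempotent ipset/iptables calls (so duplicates do not stack up), and a small check, rules_in_order, that reads `iptables -S FORWARD` output and confirms the ACCEPT really sits above the REJECT. The DRY_RUN switch, the insert_rule helper and the use of `--reject-with tcp-reset` (a reset instead of the default ICMP reject, so blocked clients fail fast) are this example's own choices, not something the thread prescribes.

```shell
#!/bin/sh
# Added example, not code from the thread: /jffs/scripts/firewall-start fragment for the
# original poster's case (Asuswrt-Merlin assumed, since stock firmware has no firewall-start hook).
# Only 192.168.1.254 may send outbound mail; every other LAN host gets a TCP reset on the mail ports.

MAIL_SET="Mail-Enabled"
LAN_NET="192.168.1.0/24"
MAIL_HOSTS="192.168.1.254"        # space-separated list of permitted senders (must be fixed IPs)
ALLOW_PORTS="25,587"              # ports the mail server itself needs outbound
BLOCK_PORTS="25,2525,587,465"     # everything a stray client or malware might try instead

# With DRY_RUN=1 the commands are printed instead of executed, so the rule set can be
# reviewed (or tested) on a machine that has no iptables at all.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# insert_rule CHAIN POS RULE...: insert the rule unless an identical one is already present,
# so that re-running firewall-start (Merlin fires it on several events) does not stack duplicates.
insert_rule() {
  chain=$1; pos=$2; shift 2
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'iptables -I %s %s %s\n' "$chain" "$pos" "$*"
  elif ! iptables -C "$chain" "$@" 2>/dev/null; then
    iptables -I "$chain" "$pos" "$@"
  fi
}

mail_rules() {
  # -exist makes both ipset calls idempotent instead of failing on the second run
  run ipset create -exist "$MAIL_SET" hash:ip
  for host in $MAIL_HOSTS; do
    run ipset add -exist "$MAIL_SET" "$host"
  done
  # Order matters: the ACCEPT must sit above the REJECT, hence positions 1 and 2.
  insert_rule FORWARD 1 -p tcp -m multiport --dports "$ALLOW_PORTS" \
    -m set --match-set "$MAIL_SET" src -j ACCEPT
  insert_rule FORWARD 2 -p tcp -s "$LAN_NET" -m multiport --dports "$BLOCK_PORTS" \
    -j REJECT --reject-with tcp-reset
}

# rules_in_order: read `iptables -S FORWARD` (or the dry-run output) on stdin and succeed
# only if the mail ACCEPT precedes the mail REJECT; a quick post-install sanity check.
rules_in_order() {
  awk -v set="$MAIL_SET" '
    index($0, "--match-set " set) && /-j ACCEPT/ && !a { a = NR }
    /--dports/ && /-j REJECT/ && !r { r = NR }
    END { exit !(a && r && a < r) }'
}

# Apply only when executed as the firewall-start hook; when sourced, just define the functions.
case "${0##*/}" in
  firewall-start) mail_rules ;;
esac
```

Saved as /jffs/scripts/firewall-start and made executable, the script applies the rules on each firewall rebuild; `DRY_RUN=1 . /jffs/scripts/firewall-start; mail_rules` prints them for review, and `iptables -S FORWARD | rules_in_order && echo ok` confirms the ordering after the fact. Adding a second permitted sender is one more address in MAIL_HOSTS, exactly as bpsmicro's version uses one `ipset add` per host.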

ColinTaylor

Part of the Furniture
> Here's what I did...
>
> Open /jffs/scripts/firewall-start. Yours may be empty. Mine is pretty large so I'll extract the relevant bits...

This would only work if he is using Merlin's firmware, which I assume he isn't as he's posted in the "Official" forum.
 

pvanthony

New Around Here
> Here's what I did...
>
> Open /jffs/scripts/firewall-start. Yours may be empty. Mine is pretty large so I'll extract the relevant bits...
>
> Code:
> #!/bin/sh
>
> # this makes a match-set called "Mail-Enabled", which makes the next part a bit easier to do/read
> ipset create Mail-Enabled hash:ip
>
> # one line per IP you want to enable for outgoing mail. Obviously these need to be static or otherwise fixed IPs
> # substitute your LAN IP parts as appropriate
> ipset add Mail-Enabled 192.168.1.x
> ipset add Mail-Enabled 192.168.1.y
>
> # enable your desired machines as added in the list above. You can add additional ports
> iptables -I FORWARD 1 -p tcp --match multiport --dports 25,587 -m set --match-set Mail-Enabled src -j ACCEPT
>
> # block everything else.
> iptables -I FORWARD 2 -p tcp -s 192.168.1.0/24 --match multiport --dports 25,2525,587,465 -j REJECT
>
> Other iptables experts may have more to add or change, but this approach has worked flawlessly for me for quite some time.

Thank you for sharing this firewall script. I am using the official firmware. Will it work on the official firmware?
 

pvanthony

New Around Here
> Gah! Apologies, I totally missed the fact I'd switched forums.
>
> Oh well, perhaps a reason to upgrade. :cool:

You are correct. I will have to upgrade. Unfortunately the router used now is the RT-AC2600 and it is not supported. :-(
Might have to get a model that is supported.
 
