Greetings All;
We've recently decided to start filtering email using Proofpoint. In doing so, in past jobs I would configure a firewall to only allow SMTP connections on port 25 from Proofpoint's IPs. They are listed here:
67.231.152.0/24
67.231.153.0/24
67.231.154.0/24
67.231.155.0/24
67.231.156.0/24
67.231.144.0/24
67.231.145.0/24
67.231.146.0/24
67.231.147.0/24
67.231.148.0/24
148.163.128.0/19
For the /19 please note the subnet mask is 255.255.224.0
We have 2 domains being filtered with Proofpoint, and the 1 to 1 NAT is on 2 separate IPs that we have. One is tied to the physical interface (em2), the other is a Virtual Interface (em2:2)
I've done some googling, and it doesn't look like we can do this through the GUI, it has to be done through the command line. The problem is, I am not very well versed with iptables etc.
What is the easiest way to do this? We are running ClearOS Business 7 (not 100% sure what subversion, yes I know a new release just came out). We do pay, so maybe I should open a ticket?
Thanks for the help
Gary
In Firewall
Responses (3)
Accepted Answer
Hmm. I didn't twig the 1:1 NAT. Is your email on your gateway or behind it? I am not so familiar with the 1:1 NAT but these rules assume the mail server is your gateway. If the mail server is on one of your NAT'd devices, you'll need a FORWARD rule instead and it becomes a little trickier. If your mail server is on your gateway, my rules should work for all your WAN IPs/virtual interfaces, but does it matter? Why would you need to limit it? You can, either by interface or destination IP.
Accepted Answer
Awesome. Thanks Nick.
Yah, touching custom firewall rules is ... yah --- I'm afraid. That stinks that custom rules is out of the scope of a support contract, but I can understand why.
I'll test these rules, but out of curiosity, won't they do away with the 1-to-1 NAT? If I recall, I could use -i em2 or -i em2:2
I'll do some testing. Thanks again Nick!!
Accepted Answer
What a grotty set of subnets as they don't simplify too well! In the main firewall, just don't open port 25. Then add custom firewall rules:
$IPTABLES -I INPUT -p tcp --dport 25 -s 67.231.144.0/22 -j ACCEPT
$IPTABLES -I INPUT -p tcp --dport 25 -s 67.231.148.0/24 -j ACCEPT
$IPTABLES -I INPUT -p tcp --dport 25 -s 67.231.152.0/22 -j ACCEPT
$IPTABLES -I INPUT -p tcp --dport 25 -s 67.231.156.0/24 -j ACCEPT
$IPTABLES -I INPUT -p tcp --dport 25 -s 148.163.128.0/19 -j ACCEPT
Or you can do individual rules for each listed subnet. If you need mobile and laptop devices to relay through you, use SMTPS on port 465.
FWIW custom firewall rules are really outside the scope of the support contract. There is a real possibility of making a mess of the firewall and you need to be prepared to do some command line stuff if the firewall goes into a restart loop or panics.
You should test each rule at the command line first, replacing "$IPTABLES" with "iptables", and, only if it is accepted without an error, put it in the Custom Firewall rules (with "$IPTABLES" and not "iptables").
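An added example, not code from this thread, ClearOS or Proofpoint: a small Python script that takes the /24 list from the question, collapses it into the smallest CIDR set (which reproduces the five subnets in the answer above and shows why the "grotty" list does not simplify further), confirms the /19 netmask, and emits the custom-rule lines for either the INPUT chain (the gateway itself is the mail server) or the FORWARD chain (the mail server sits behind the 1:1 NAT). The FORWARD variant assumes the 1:1 NAT rewrites the destination in PREROUTING, so the rule matches on the server's internal address; `192.0.2.10` is a placeholder, not an address from the thread. The trailing DROP is an extra belt-and-braces rule that the answer does not require, since port 25 left unopened in the main firewall is already dropped.

```python
"""Collapse the Proofpoint subnets from the question and generate
ClearOS custom firewall rule lines for SMTP (port 25).

Added example; not the thread's, ClearOS's or Proofpoint's own code.
"""
import ipaddress

# Constructed from the subnet list in the question.
PROOFPOINT_SUBNETS = [
    "67.231.152.0/24", "67.231.153.0/24", "67.231.154.0/24", "67.231.155.0/24",
    "67.231.156.0/24", "67.231.144.0/24", "67.231.145.0/24", "67.231.146.0/24",
    "67.231.147.0/24", "67.231.148.0/24", "148.163.128.0/19",
]


def collapse(subnets):
    """Merge adjacent or overlapping networks into the minimal sorted CIDR list."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def netmask(cidr):
    """Dotted-quad mask for a CIDR, e.g. /19 -> 255.255.224.0."""
    return str(ipaddress.ip_network(cidr).netmask)


def allowed(source_ip, subnets):
    """True if source_ip falls inside one of the allow-listed networks."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(s) for s in subnets)


def iptables_rules(subnets, chain="INPUT", dest_ip=None, final_drop=True):
    """Return rule lines in ClearOS custom-rule form ($IPTABLES prefix).

    chain="INPUT":   the gateway is the mail server (the case the answer covers).
    chain="FORWARD": the mail server is behind 1:1 NAT; dest_ip is its
                     internal address (assumption: the NAT rewrites the
                     destination in PREROUTING, so FORWARD sees that address).
    Because -I inserts at the top of the chain, lines are emitted in reverse
    so that the resulting chain reads: ACCEPT per subnet ..., then DROP.
    """
    match = "-p tcp --dport 25"
    if dest_ip:
        match += f" -d {dest_ip}"
    lines = []
    if final_drop:
        # Inserted first, so it ends up below every ACCEPT rule.
        lines.append(f"$IPTABLES -I {chain} {match} -j DROP")
    for net in reversed(collapse(subnets)):
        lines.append(f"$IPTABLES -I {chain} {match} -s {net} -j ACCEPT")
    return lines


if __name__ == "__main__":
    print("# collapsed subnets:")
    for net in collapse(PROOFPOINT_SUBNETS):
        print(f"#   {net}  mask {netmask(net)}")
    print("# gateway is the mail server:")
    print("\n".join(iptables_rules(PROOFPOINT_SUBNETS)))
    print("# mail server behind 1:1 NAT (placeholder internal address):")
    print("\n".join(iptables_rules(PROOFPOINT_SUBNETS, chain="FORWARD",
                                   dest_ip="192.0.2.10")))
```

Paste the printed lines into the Custom Firewall rules page exactly as emitted; to try them by hand first, substitute `iptables` for `$IPTABLES` as the answer describes. `allowed()` is there so you can check a specific connecting address against the list before touching the firewall, for instance a sender that shows up in the mail log after the rules go in.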