Greetings All;

We've recently decided to start filtering email using Proofpoint. In doing so, in past jobs I would configure a firewall to only allow SMTP connections on port 25 from Proofpoint's IPs. They are listed here:

67.231.152.0/24
67.231.153.0/24
67.231.154.0/24
67.231.155.0/24
67.231.156.0/24
67.231.144.0/24
67.231.145.0/24
67.231.146.0/24
67.231.147.0/24
67.231.148.0/24
148.163.128.0/19
For the /19 please note the subnet mask is 255.255.224.0

We have 2 domains being filtered with Proofpoint, and the 1 to 1 NAT is on 2 separate IPs that we have. One is tied to the physical interface (em2), the other is a virtual interface (em2:2).

I've done some googling, and it doesn't look like we can do this through the GUI, it has to be done through the command line. The problem is, I am not very well versed with iptables etc.

What is the easiest way to do this? We are a running ClearOS Business 7 (not 100% sure what subversion, yes I know a new release just came out). We do pay, so maybe I should open a ticket?

Thanks for the help :D
Gary
Thursday, May 23 2019, 09:57 PM
Responses (3)
  • Accepted Answer
    Friday, May 24 2019, 08:50 PM
    Hmm. I didn't twig the 1:1 NAT. Is your email on your gateway or behind it? I am not so familiar with the 1:1 NAT, but these rules assume the mail server is your gateway. If the mail server is on one of your NAT'd devices, you'll need a FORWARD rule instead and it becomes a little trickier. If your mail server is on your gateway, my rules should work for all your WAN IPs/virtual interfaces, but does it matter? Why would you need to limit it? You can, either by interface or destination IP.
  • Accepted Answer
    Friday, May 24 2019, 08:27 PM
    Awesome. Thanks Nick.

    Yah, touching custom firewall rules is ... yah --- I'm afraid. That stinks that custom rules are out of the scope of a support contract, but I can understand why.

    I'll test these rules, but out of curiosity, won't they do away with the 1-to-1 NAT? If I recall, I could use -i em2 or -i em2:2.

    I'll do some testing. Thanks again Nick!!
  • Accepted Answer
    Friday, May 24 2019, 07:27 AM
    What a grotty set of subnets as they don't simplify too well! In the main firewall, just don't open port 25. Then add custom firewall rules:

    # 67.231.144.0/24 - 67.231.147.0/24 collapse to one /22; 67.231.148.0/24 stands alone
    $IPTABLES -I INPUT -p tcp --dport 25 -s 67.231.144.0/22 -j ACCEPT
    $IPTABLES -I INPUT -p tcp --dport 25 -s 67.231.148.0/24 -j ACCEPT
    # 67.231.152.0/24 - 67.231.155.0/24 collapse to one /22; 67.231.156.0/24 stands alone
    $IPTABLES -I INPUT -p tcp --dport 25 -s 67.231.152.0/22 -j ACCEPT
    $IPTABLES -I INPUT -p tcp --dport 25 -s 67.231.156.0/24 -j ACCEPT
    # the /19 (mask 255.255.224.0) is already a single block
    $IPTABLES -I INPUT -p tcp --dport 25 -s 148.163.128.0/19 -j ACCEPT
    Or you can do individual rules for each listed subnet. If you need mobile and laptop devices to relay through you, use SMTPS on port 465.

    FWIW custom firewall rules are really outside the scope of the support contract. There is a real possibility of making a mess of the firewall and you need to be prepared to do some command line stuff if the firewall goes into a restart loop or panics.

    You should test each rule at the command line first, replacing "$IPTABLES" with "iptables", and, only if it is accepted without an error, put it in the Custom Firewall rules (with "$IPTABLES" and not "iptables")