IPTables - Why does this not work?

gripped
Hi

I have an SMTP relayhost on one IP of my network (it relays mail for two dedicated servers I have elsewhere).
I got a report of spam today, but I've been through the logs and have examples of the spam headers, so I know it's not coming from the relayhost. (I have to investigate which of the kids' computers has the bot on it, but that's for later.)

So anyway, I thought I could create a rule in /jffs/scripts/firewall-start to only allow one IP through the router on port 25:

Code:
iptables -A FORWARD -p tcp --dport 25  ! -s 192.168.1.19 -j DROP

It does run, as I see this in iptables -L:

Code:
DROP       tcp  -- !picmail              anywhere            tcp dpt:smtp
(picmail is the hostname)
But the router drops everything to port 25. This is in the log:
Code:
May 14 18:51:56 kernel: DROP <4>DROPIN=br0 OUT=ppp0 <1>SRC=192.168.1.19 DST=5.152.193.75 <1>LEN=52 TOS=0x10 PREC=0x00 TTL=63 ID=43329 DF PROTO=TCP <1>SPT=46499 DPT=25 SEQ=1312024236 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405AC0101040201030304)

I have tried the INPUT chain as well. It still blocks all port 25 packets.
I have also tried the versions below (separately), amongst other things:

Code:
iptables -A FORWARD -p tcp --dport 25  -s ! 192.168.1.19 -j DROP

iptables -A INPUT -p tcp -s 192.168.1.19 --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP

iptables -A FORWARD -p tcp -s 192.168.1.19 --dport 25 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j DROP

I shouldn't be surprised, as I always struggle with iptables, but most of the stuff I've come across while searching seems to suggest my rule should work?

Any ideas, folks?
 
Try specifying the interface; otherwise you would block incoming mail that comes from the outside and is destined for you, originating from someone else's IP.

Basically, what you want would be two rules:
anything from WAN to br0 is allowed;
reject br0 to WAN if the source is not your server and the port is 25.

Another way to implement it - see how I implemented DNS access restriction on the Wiki.

https://github.com/RMerl/asuswrt-merlin/wiki/Iptables-tips
 
Do you have any other rules before the one you are adding that would drop traffic from 192.168.1.19? Have you tried using insert instead of append, so that the rule is looked at first? e.g.

Code:
iptables -I FORWARD -p tcp --dport 25 ! -s 192.168.1.19 -j DROP

That line does look like it would work...
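The two replies above make two separate points: without -i the negated rule also matches mail arriving from the WAN for the relay (someone else's source IP, destination port 25), and a rule appended with -A sits behind whatever ACCEPT rules the firewall already has in FORWARD, so it may never be reached. The following first-match model is an added example, not code from this thread or from the router firmware. It assumes the stock FORWARD chain already contains an ACCEPT for br0 to ppp0 and has a default policy of ACCEPT; the LAN host 192.168.1.50 and the external address 203.0.113.10 are made up.

```python
"""First-match model of an iptables FORWARD chain (added example, not
code from this thread or from the router firmware)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

Packet = Dict[str, object]
RELAY = "192.168.1.19"


@dataclass
class Rule:
    target: str                      # ACCEPT or DROP
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    src: Optional[str] = None        # -s
    negate_src: bool = False         # True models "! -s"

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt["in"] != self.in_iface:
            return False
        if self.out_iface is not None and pkt["out"] != self.out_iface:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        if self.src is not None:
            hit = pkt["src"] == self.src
            if hit == self.negate_src:   # "! -s" excludes the named host
                return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def build_forward(use_insert: bool, restrict_iface: bool) -> List[Rule]:
    # ASSUMPTION: the stock firewall already accepts LAN -> WAN in FORWARD.
    chain = [Rule("ACCEPT", in_iface="br0", out_iface="ppp0")]
    smtp = Rule("DROP", in_iface="br0" if restrict_iface else None,
                proto="tcp", dport=25, src=RELAY, negate_src=True)
    if use_insert:
        chain.insert(0, smtp)    # iptables -I FORWARD ...
    else:
        chain.append(smtp)       # iptables -A FORWARD ...
    return chain


# Constructed packets: 192.168.1.50 and 203.0.113.10 are made-up addresses.
PACKETS: Dict[str, Packet] = {
    "relay_out": {"in": "br0", "out": "ppp0", "proto": "tcp", "src": RELAY, "dport": 25},
    "other_out": {"in": "br0", "out": "ppp0", "proto": "tcp", "src": "192.168.1.50", "dport": 25},
    "wan_in": {"in": "ppp0", "out": "br0", "proto": "tcp", "src": "203.0.113.10", "dport": 25},
}


def verdicts(use_insert: bool, restrict_iface: bool) -> Dict[str, str]:
    """Verdict per sample packet for one way of adding the SMTP rule."""
    chain = build_forward(use_insert, restrict_iface)
    return {name: evaluate(chain, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for use_insert, restrict in ((False, False), (True, False), (True, True)):
        flag = "-I" if use_insert else "-A"
        iface = " -i br0" if restrict else ""
        print(f"{flag}{iface:8}", verdicts(use_insert, restrict))
```

With -A the other LAN host is still accepted because the earlier ACCEPT wins; with -I it is dropped, but so is inbound mail from the WAN until -i br0 is added. In every variant the relay's own packets are excluded by "! -s", which is consistent with the remark that the rule line itself looks right. To check the real ordering on the router, `iptables -L FORWARD -v -n --line-numbers` shows the position and hit counters of each rule.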
 
Hi again

The router was playing up yesterday. I went out for a beer, and when I returned even simple rules to block all port 25 traffic seemed to be ignored, and a reboot wasn't helping. When I powered down the router it lost its settings. (And no, it wasn't the beer!)

However, I now have something which works. I think using -I instead of -A did make a difference, but I haven't retested my previous rules; as it works now, I'm leaving well alone!

Code:
/jffs/scripts/firewall-start 

#!/bin/sh
# Rate-limited log, then drop. firewall-start can run more than once,
# so create the chain only if missing and flush it before refilling.
iptables -N SMTPLOG 2>/dev/null
iptables -F SMTPLOG
iptables -A SMTPLOG -m limit --limit 2/min -j LOG --log-prefix "SMTP-Dropped: " --log-level 4
iptables -A SMTPLOG -j DROP
# Insert at the top of FORWARD; -i br0 matches only LAN-originated packets.
iptables -D FORWARD -p tcp -i br0 --dport 25 ! -s 192.168.1.19 -j SMTPLOG 2>/dev/null
iptables -I FORWARD -p tcp -i br0 --dport 25 ! -s 192.168.1.19 -j SMTPLOG

Thanks for your help

(edited to add: -i br0)
 
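The "SMTP-Dropped: " prefix in the script above is what turns the firewall into a detector for the infected machine: every LAN host other than the relay that tries to reach port 25 now leaves a line in syslog. The following parser is an added example, not code from this thread; it assumes the standard key=value format the LOG target writes (as in the kernel line quoted earlier, including the <4>/<1> level markers some routers leak into syslog). The sample lines are constructed: the hosts 192.168.1.50 and 192.168.1.77 and the public addresses are made up.

```python
"""Tally outbound-SMTP drops per LAN host from syslog lines written by the
SMTPLOG chain (added example, not code from this thread)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

PREFIX = "SMTP-Dropped: "
KV = re.compile(r"\b([A-Z]+)=(\S*)")
LEVEL = re.compile(r"<\d+>")   # printk level markers that leak into syslog on some routers

# Constructed sample lines (made-up hosts and addresses) in the LOG target format.
SAMPLE_LOG = """\
May 14 19:02:11 kernel: SMTP-Dropped: IN=br0 OUT=ppp0 SRC=192.168.1.50 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=51000 DPT=25 SEQ=1 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0
May 14 19:02:40 kernel: SMTP-Dropped: IN=br0 OUT=ppp0 SRC=192.168.1.50 DST=198.51.100.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=51001 DPT=25 SEQ=1 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0
May 14 19:03:05 kernel: SMTP-Dropped: <4>IN=br0 OUT=ppp0 <1>SRC=192.168.1.50 DST=203.0.113.25 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1236 DF PROTO=TCP <1>SPT=51002 DPT=25 SEQ=1 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0
May 14 19:03:30 kernel: SMTP-Dropped: IN=br0 OUT=ppp0 SRC=192.168.1.77 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2200 DF PROTO=TCP SPT=40000 DPT=25 SEQ=1 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0
May 14 19:04:00 kernel: DROP IN=ppp0 OUT= SRC=203.0.113.99 DST=192.168.1.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=23 SYN URGP=0
May 14 19:04:10 dnsmasq[123]: query[A] example.com from 192.168.1.50
"""


def parse_log_line(line: str, prefix: str = PREFIX) -> Optional[Dict[str, object]]:
    """Return the interesting fields of one SMTPLOG line, or None for other lines."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    msg = LEVEL.sub("", line[idx + len(prefix):])
    fields = dict(KV.findall(msg))
    flags = set(msg.split())            # bare tokens such as SYN, DF
    return {
        "ts": line[:15],
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "dpt": fields.get("DPT"),
        "syn": "SYN" in flags,          # new connection attempts, not retransmits of data
    }


def summarize(lines: Iterable[str], prefix: str = PREFIX) -> Dict[str, Dict[str, object]]:
    """Per source host: number of logged attempts, SYN count and distinct destinations."""
    per_src: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"attempts": 0, "syn": 0, "destinations": set()})
    for line in lines:
        rec = parse_log_line(line, prefix)
        if rec is None or rec["src"] is None:
            continue
        entry = per_src[rec["src"]]
        entry["attempts"] += 1
        entry["syn"] += int(rec["syn"])
        if rec["dst"]:
            entry["destinations"].add(rec["dst"])
    return dict(per_src)


def rank_suspects(summary: Dict[str, Dict[str, object]]) -> List[str]:
    """Hosts ordered by attempts, then by how many distinct MTAs they contacted."""
    return sorted(summary,
                  key=lambda s: (summary[s]["attempts"], len(summary[s]["destinations"])),
                  reverse=True)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for host in rank_suspects(summary):
        e = summary[host]
        print(f"{host:15} attempts={e['attempts']} syn={e['syn']} "
              f"destinations={sorted(e['destinations'])}")
```

To run it against the router, feed it the live syslog instead of SAMPLE_LOG (on Asuswrt the file is assumed to be /tmp/syslog.log): `summarize(open("/tmp/syslog.log"))`. Two caveats: the `-m limit --limit 2/min` in the script means the counts are a lower bound, not the real volume, so treat them as "which hosts", not "how much"; and a host that legitimately talks to port 25 (a mail client configured for SMTP rather than submission on 587) will show up here too, so confirm a suspect by the spread of destinations before reimaging anything.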
I was backwards in the statement about blocking traffic from 192.168.1.19, but the rule was correct to block everything but .19. I had a similar problem with using -A in iptables because of a previous rule that negated the one I added. Glad it helped.
 