OpenVPN block SMTP Access Server completely

0

I've tried almost all iptables rules to block SMTP on the OpenVPN server, but clients can still access remote SMTP servers on port 25.

I'm using OpenVPN Access Server. It creates two interfaces, as0t0 and as0t1.

All users are assigned IPs from 172.16.0.0/12.

Please help me with which rules can be written to resolve this issue.

iptables rules set by OpenVPN Access Server:

#Generated by iptables-save v1.4.7 on Sun Apr 10 13:03:56 2016
*nat
:PREROUTING ACCEPT [566:72410]
:POSTROUTING ACCEPT [36:2340]
:OUTPUT ACCEPT [36:2340]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST 
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST 
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE 
-A AS0_NAT -o eth0 -j SNAT --to-source 91.13.18.170 
-A AS0_NAT -j ACCEPT 
-A AS0_NAT_POST_REL_EST -j ACCEPT 
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT 
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST 
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST 
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST 
-A AS0_NAT_PRE -j AS0_NAT 
-A AS0_NAT_PRE_REL_EST -j ACCEPT 
-A AS0_NAT_TEST -o as0t+ -j ACCEPT 
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT 
-A AS0_NAT_TEST -d 172.27.224.0/20 -j ACCEPT 
-A AS0_NAT_TEST -j AS0_NAT 
COMMIT
# Completed on Sun Apr 10 13:03:56 2016
# Generated by iptables-save v1.4.7 on Sun Apr 10 13:03:56 2016
*mangle
:PREROUTING ACCEPT [146:10130]
:INPUT ACCEPT [6422:1226373]
:FORWARD ACCEPT [8289:2947415]
:OUTPUT ACCEPT [5446:2764996]
:POSTROUTING ACCEPT [13735:5712411]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST 
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN 
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT 
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff 
-A AS0_MANGLE_TUN -j ACCEPT 
COMMIT
# Completed on Sun Apr 10 13:03:56 2016
# Generated by iptables-save v1.4.7 on Sun Apr 10 13:03:56 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3970:2307554]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT 
-A INPUT -i lo -j AS0_ACCEPT 
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE 
-A INPUT -d 91.13.18.170/32 -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT 
-A INPUT -d 91.13.18.170/32 -p tcp -m state --state NEW -m tcp --dport 443 -j AS0_ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT 
-A INPUT -d 91.13.18.170/32 -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 25 -j DROP 
-A INPUT -p udp -m udp --dport 25 -j DROP 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j DROP 
-A INPUT -i as0t0 -p tcp -m tcp --dport 25 -j DROP 
-A INPUT -i as0t1 -p tcp -m tcp --dport 25 -j DROP 
-A INPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable 
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT 
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE 
-A FORWARD -o as0t+ -j AS0_OUT_S2C 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -i eth0 -p tcp -m tcp --dport 25 -j DROP 
-A FORWARD -i as0t0 -p tcp -m tcp --dport 25 -j DROP 
-A FORWARD -i as0t1 -p tcp -m tcp --dport 25 -j DROP 
-A FORWARD -i lo -p tcp -m tcp --dport 25 -j DROP 
-A FORWARD -i as0t+ -p tcp -m tcp --dport 25 -j DROP 
-A FORWARD -i as0t0 -p tcp -m tcp --dport 25 -j DROP 
-A FORWARD -i as0t1 -p tcp -m tcp --dport 25 -j DROP 
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL 
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP 
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP 
-A AS0_ACCEPT -j ACCEPT 
-A AS0_IN -d 172.27.224.1/32 -j ACCEPT 
-A AS0_IN -j AS0_IN_POST 
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000 
-A AS0_IN_NAT -j ACCEPT 
-A AS0_IN_POST -o as0t+ -j AS0_OUT 
-A AS0_IN_POST -j DROP 
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN 
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN 
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN 
-A AS0_IN_PRE -j ACCEPT 
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000 
-A AS0_IN_ROUTE -j ACCEPT 
-A AS0_OUT -j AS0_OUT_POST 
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP 
-A AS0_OUT_LOCAL -j ACCEPT 
-A AS0_OUT_POST -j DROP 
-A AS0_OUT_S2C -j AS0_OUT 
-A AS0_WEBACCEPT -j ACCEPT 
COMMIT
# Completed on Sun Apr 10 13:03:56 2016

Thank you!

iptables
smtp
openvpn
asked on Server Fault Apr 10, 2016 by Michaek

1 Answer

0

Did you check if your FORWARD rules are matching any VPN traffic? Try iptables -L -n -v and send a few packets through the tunnel to check whether the counters are increasing.

Your fourth FORWARD rule (-A FORWARD -j REJECT --reject-with icmp-host-prohibited) is dropping all traffic which has not been accepted so far. So your following rules in FORWARD which block port 25 are shadowed anyway (they cannot be reached).

Depending on your OpenVPN server configuration, OpenVPN may be routing the packets by itself and not sending them through your FORWARD chain.

answered on Server Fault Apr 17, 2016 by corny
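To see why the port-25 rules are never consulted, the chains from the question can be traced packet by packet. This is an added example, not code from the question, the answer, or OpenVPN Access Server: a first-match evaluator over the FORWARD chain and the AS0_* chains it calls, with a constructed packet (VPN client on as0t0, destination 203.0.113.25, mark 0x2000000 as set by AS0_MANGLE_TUN in the mangle table). It also goes one step beyond the answer by showing that marked tunnel traffic bound for a public address is accepted at FORWARD rule 2 via AS0_IN_PRE before the REJECT is even reached, and that inserting the drop at position 1 (iptables -I FORWARD 1 -i as0t+ -p tcp --dport 25 -j DROP) is what makes it match.

```python
from ipaddress import ip_address, ip_network

TUN_MARK = 0x2000000   # AS0_MANGLE_TUN sets this on everything entering via as0t+
PRIVATE = [ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

def m_any(p): return True
def m_established(p): return p["state"] == "ESTABLISHED"
def m_marked(p): return p["mark"] & TUN_MARK == TUN_MARK
def m_private_dst(p): return any(ip_address(p["dst"]) in n for n in PRIVATE)
def m_out_tun(p): return p["out"].startswith("as0t")
def m_smtp_from_tun(p): return p["in"].startswith("as0t") and p["proto"] == "tcp" and p["dport"] == 25
# Chains transcribed from the question's filter table, as (match, target) in listed order.
CHAINS = {
    "FORWARD": [(m_established, "AS0_ACCEPT"), (m_marked, "AS0_IN_PRE"),
                (m_out_tun, "AS0_OUT_S2C"), (m_any, "REJECT"),
                (m_smtp_from_tun, "DROP")],          # the appended port-25 rules
    "AS0_ACCEPT": [(m_any, "ACCEPT")],
    "AS0_IN_PRE": [(m_private_dst, "AS0_IN"), (m_any, "ACCEPT")],
    "AS0_IN": [(lambda p: p["dst"] == "172.27.224.1", "ACCEPT"), (m_any, "AS0_IN_POST")],
    "AS0_IN_POST": [(m_out_tun, "AS0_OUT"), (m_any, "DROP")],
    "AS0_OUT": [(m_any, "AS0_OUT_POST")],
    "AS0_OUT_POST": [(m_any, "DROP")],
    "AS0_OUT_S2C": [(m_any, "AS0_OUT")],
}

def walk(chain, pkt, chains, trail):
    """First matching rule wins; a user chain that matches nothing returns to its caller."""
    for idx, (match, target) in enumerate(chains[chain], start=1):
        if not match(pkt):
            continue
        trail.append(f"{chain}#{idx}->{target}")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if (verdict := walk(target, pkt, chains, trail)) is not None:
            return verdict
    return None

def decide(pkt, chains=CHAINS):
    """Return (verdict, trail of rules hit); FORWARD's policy ACCEPT applies if nothing matched."""
    trail = []
    return walk("FORWARD", pkt, chains, trail) or "ACCEPT", trail

def with_fix(chains=CHAINS):
    """Model 'iptables -I FORWARD 1 -i as0t+ -p tcp --dport 25 -j DROP': block first, then vendor rules."""
    return dict(chains, FORWARD=[(m_smtp_from_tun, "DROP")] + chains["FORWARD"])

# Constructed packet: a VPN client opening SMTP to a public mail host (203.0.113.25 is a documentation address).
SMTP_FROM_VPN = {"in": "as0t0", "out": "eth0", "proto": "tcp", "dport": 25,
                 "dst": "203.0.113.25", "mark": TUN_MARK, "state": "NEW"}
```

The trail names the rule that terminated the packet, which is what the per-rule counters from iptables -L FORWARD -n -v suggested in the answer should confirm on the live box.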

User contributions licensed under CC BY-SA 3.0