Bastille firewall - basic instructions!

Discussion in 'General' started by msp, Oct 13, 2015.

  1. msp

    msp Member

    Hi, I'm simply trying to block all outgoing port 25. In shell (as root) I'm using this:

    iptables -I OUTPUT -p tcp --dport 25 -j DROP
    /etc/init.d/bastille-firewall restart

    however when I telnet to an SMTP server on port 25 it connects okay still.

    Here's what I'm doing, including my attempt to connect by telnet. Any ideas?

    -------

    root@doris:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
    fail2ban-pureftpd tcp -- anywhere anywhere multiport dports ftp
    fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    DROP tcp -- anywhere anywhere tcp dpt:smtp

    Chain fail2ban-dovecot-pop3imap (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-pureftpd (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere
    root@doris:~# telnet alt4.gmail-smtp-in.l.google.com 25
    Trying 2404:6800:4008:c01::1a...
    Connected to alt4.gmail-smtp-in.l.google.com.
    Escape character is '^]'.
    220 mx.google.com ESMTP wf3si1330115pab.166 - gsmtp
     
  2. florian030

    florian030 Well-Known Member HowtoForge Supporter

    Are your sure that bastille-firewall does not flush your rules on (re)start? I think, you should use the two fw-commands in reverse order (or just add the rule for port 25 without restarting bastille-firewall.
     
  3. msp

    msp Member

    Hi Florian
    Thanks, I tried that. Then I ran iptables -L, and the firewall rule is present.
    However when I try to telnet out on port 25 to e.g. a gmail SMTP server, it communicates back to me!
    I'm SSH'ing as root running telnet, there's nothing silly like exceptions for root is there? I'm confused!
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Your telnet command appears to have connected to an IPv6 address, and you created an IPv4 firewall rule. A quick glance at the bastille-firewall script looks like it doesn't support ip6tables at all.
    You might take a look at ufw, it creates a much more comprehensive (though more complex) firewall than what you have, and supports IPv6.
     
  5. florian030

    florian030 Well-Known Member HowtoForge Supporter

    use telnet -4 to force ipv4 connection or add the same rule to ipv6:
    ip6tables -I OUTPUT ....
     

Share This Page