bastille-firewall customization

Discussion in 'Installation/Configuration' started by themark, Apr 8, 2015.

  1. themark

    themark Member

    Dear,
    i'm finding a way to permit the connection to the smtp daemon (from localhost to localhost) for only certain users.
    This because, actually with the perfect-server configuration the localhost relay is without auth, so basically, if I (or a spammer) write a simple script (on a defaced website) that open a socket to the 25, he can send email without any kind of limitation.

    An example of the script could be:

    PHP:
    //Server Address
    $SmtpServer="127.0.0.1";
    $SmtpPort="25"//default
    $SmtpUser="username"// no need to specify them
    $SmtpPass="password"// no need to specify them

    class SMTPClient{

            function 
    SMTPClient ($SmtpServer$SmtpPort$SmtpUser$SmtpPass$from$to$subject$body){

                    
    $this->SmtpServer $SmtpServer;
                    
    $this->SmtpUser base64_encode ($SmtpUser);
                    
    $this->SmtpPass base64_encode ($SmtpPass);
                    
    $this->from $from;
                    
    $this->to $to;
                    
    $this->subject $subject;
                    
    $this->body $body;

                    if (
    $SmtpPort == ""){
                            
    $this->PortSMTP 25;
                    }else{
                            
    $this->PortSMTP $SmtpPort;
                    }
            }

            function 
    SendMail (){

                    if (
    $SMTPIN fsockopen ($this->SmtpServer$this->PortSMTP)){
                            
    fputs ($SMTPIN"EHLO ".$HTTP_HOST."\r\n");
                            
    $talk["hello"] = fgets $SMTPIN1024 );
                            
    fputs($SMTPIN"auth login\r\n");
                            
    $talk["res"]=fgets($SMTPIN,1024);
                            
    fputs($SMTPIN$this->SmtpUser."\r\n");
                            
    $talk["user"]=fgets($SMTPIN,1024);
                            
    fputs($SMTPIN$this->SmtpPass."\r\n");
                            
    $talk["pass"]=fgets($SMTPIN,256);
                            
    fputs ($SMTPIN"MAIL FROM: <".$this->from.">\r\n");
                            
    $talk["From"] = fgets $SMTPIN1024 );
                            
    fputs ($SMTPIN"RCPT TO: <".$this->to.">\r\n");
                            
    $talk["To"] = fgets ($SMTPIN1024);
                            
    fputs($SMTPIN"DATA\r\n");
                            
    $talk["data"]=fgets$SMTPIN,1024 );
                            
    fputs($SMTPIN"DATA\r\n");
                            
    $talk["data"]=fgets$SMTPIN,1024 );
                            
    fputs($SMTPIN"To: <".$this->to.">\r\nFrom: <".$this->from.">\r\nSubject:".$this->subject."\r\n\r\n\r\n".$this->body."\r\n.\r\n");
                            
    $talk["send"]=fgets($SMTPIN,256);
                            
    //CLOSE CONNECTION AND EXIT ...
                            
    fputs ($SMTPIN"QUIT\r\n");
                            
    fclose($SMTPIN);
                            
    //
                    
    }
                    return 
    $talk;
            }
    }

    // Send

    if($_SERVER["REQUEST_METHOD"] == "POST"){

            
    $to $_POST['to'];
            
    $from $_POST['from'];
            
    $subject $_POST['sub'];
            
    $body $_POST['message'];
            
    $SMTPMail = new SMTPClient ($SmtpServer$SmtpPort$SmtpUser$SmtpPass$from$to$subject$body);
            
    $SMTPChat $SMTPMail->SendMail();
    }

    ?>

    <form method="post" action="">
    To:             <input type="text" name="to" />         <br>
    From:           <input type='text' name="from" />       <br>
    Subject:        <input type='text' name="sub" />        <br>
    Message         :<textarea name="message"></textarea>   <br>
                    <input type="submit" value=" Send " />  <br>
    </form>
    So in order to limit this, i would like to limit the 25 connection, only to certain users (eg. mail, vmail, mailman, root, postfix), so that the webuser could not open the socket.

    In order to archive that, i have customize the Bastille firewall with the pre-chain-split.sh (/etc/Bastille/firewall.d/pre-chain-split.sh) with the following rules:

    Code:
    #/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -m owner --uid-owner mail -j ACCEPT
    #/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -m owner --uid-owner vmail -j ACCEPT
    #/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -m owner --uid-owner mailman -j ACCEPT
    #/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
    #/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -m owner --uid-owner postfix -j ACCEPT
    
    #/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -j DROP
    #/sbin/iptables -A PUB_IN -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -j DROP
    #/sbin/iptables -A PUB_OUT -s 127.0.0.1 -d 127.0.0.1 -p tcp -m tcp --dport 25 -j DROP
    #/sbin/iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
    
    But this doesn't look works good (i can run correctly the script in any case).
    I can't figure out what i'm gonna to wrong there.

    Any helps?
    ty
     
  2. themark

    themark Member

    Dear,
    question is not clear enough? I'm too far to the solutions? English is not write well?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you really have a # in front of these lines? A # means that they are deactivated.
     
  4. themark

    themark Member

    No, was a wrong in copy&paste
    The iptables line are correctly charge (checked as always with iptables -L)...but doesn't works :-(
     

Share This Page