How to stop outgoing mail unless it is using smtp only

jonl711
Level 1

I remember quite some time ago hearing that spam mail on an infected internal system can use any port to send mail out. What I would like to set up is a set of firewall rules to only allow certain packets out through their correct ports, such as DNS requests through port 53, SMTP through 25, etc. My question is: if I do this, will it stop any other traffic that attempts to open a port from the internal to the external?

What acl do I use to tell the router to only allow those packets that are allowed out?

What I have so far is:

ip nat inside source static tcp 192.168.xxx.xxx 25 203.xxx.xxx.xxx 25 extendable

If I have the following, am I allowing all IP packets out?

interface Vlan1
 description Local LAN Network
 no ip address
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 bridge-group 1
 bridge-group 1 spanning-disabled
 hold-queue 32 in

So, if I'm right, I'm allowing any IP packet in and out of any network and allowing IP packets out on network 192.168.xxx.xxx:

access-list 101 permit ip any any
access-list 101 permit ip 192.168.xxx.xxx 0.0.0.255 any

If the above is true, can I also have the following to allow SMTP, SSH, DNS, HTTP and HTTPS, in other words to tighten the outgoing packets?

access-list 101 permit tcp 192.168.xxx.xxx 0.0.0.255 any eq 25
access-list 101 permit tcp 192.168.xxx.xxx 0.0.0.255 any eq 23
access-list 101 permit tcp 192.168.xxx.xxx 0.0.0.255 any eq 53
access-list 101 permit tcp 192.168.xxx.xxx 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.xxx.xxx 0.0.0.255 any eq 143

Thanks for any assistance.

Jon

2 Replies

Collin Clark
VIP Alumni

Jon-

ACL listing is very important. The router will read from the top down, and as soon as it finds a match it will forward/drop depending on the ACL. If a user is infected and wants to send email out, the source port will be between 1025 and 65535. However, the destination port will be 25. On your router, using the ACL, allow your email server to send out on port 25 and block everyone else:

! your email server
access-list 101 permit tcp host 192.168.x.y any eq 25
access-list 101 deny tcp any any eq 25

You will want to remove the ip any any ACE (better), or move it to the bottom.
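To see why the order Collin describes matters, here is an added Python model of the router's top-down, first-match evaluation, run over a constructed ACL written in that order (example code added here, not from the thread or from Cisco; the addresses 192.168.1.25, 192.168.1.77 and 203.0.113.5 are made up). It parses only the small subset of access-list syntax the thread uses, and it goes slightly beyond the thread by allowing DNS over UDP as well as TCP.

```python
import ipaddress
# Constructed example ACL (not from the thread): mail server SMTP permitted first, all
# other SMTP denied, then the other allowed services; the implicit deny at the end of
# every IOS ACL drops everything else. Putting the deny above any catch-all is the point.
TIGHT_ACL = """
access-list 101 permit tcp host 192.168.1.25 any eq 25
access-list 101 deny tcp any any eq 25
access-list 101 permit udp 192.168.1.0 0.0.0.255 any eq 53
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 22
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
"""
# The same ACL with the original post's catch-all still on top.
LOOSE_ACL = "access-list 101 permit ip any any\n" + TIGHT_ACL
def _ip(s):
    return int(ipaddress.ip_address(s))
def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD' (1 bits in the wildcard are not compared)."""
    if tok[0] == "any":
        return 0, 0xFFFFFFFF, tok[1:]
    if tok[0] == "host":
        return _ip(tok[1]), 0, tok[2:]
    return _ip(tok[0]), _ip(tok[1]), tok[2:]
def parse_acl(text):
    """Parse 'access-list N {permit|deny} {ip|tcp|udp} SRC DST [eq PORT]' lines, in order."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        src, sw, rest = _addr(tok[4:])
        dst, dw, rest = _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None  # None: no port clause
        aces.append((tok[2], tok[3], src, sw, dst, dw, dport))
    return aces
def evaluate(aces, proto, src, dst, dport):
    """Top-down, first match wins, as the router does; implicit deny when nothing matches."""
    s, d = _ip(src), _ip(dst)
    for action, p, a_src, sw, a_dst, dw, a_port in aces:
        if p not in ("ip", proto):
            continue
        if (s ^ a_src) & ~sw & 0xFFFFFFFF or (d ^ a_dst) & ~dw & 0xFFFFFFFF:
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"
if __name__ == "__main__":  # constructed infected workstation sending SMTP straight out
    for label, acl in (("catch-all on top", LOOSE_ACL), ("catch-all removed", TIGHT_ACL)):
        print(label, evaluate(parse_acl(acl), "tcp", "192.168.1.77", "203.0.113.5", 25))
```

Running it prints "permit" for the infected workstation while the catch-all sits on top and "deny" once it is removed, while the mail server's own SMTP stays permitted in both cases.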

varrao
Level 10

Hi Jon,

That is correct. To enhance security, you can just specify the traffic that needs to be allowed from inside to outside, and the rest of the non-required ports will be blocked automatically. You are right.

Thanks,

Varun
