block_ip.sh: new iptables to block all outbound connections to 25 which are not from "mail" (exim) or "root" (manual update required)

Version 1.43

Feature
Finished

Requires optional scripts and iptables: http://help.directadmin.com/item.php?id=380

VERSION=2

Added extra code to the iptables script to block all outbound emails on port 25, unless the uid is mail or root. "root" isn't really needed, so you can remove that line if you want to be extra secure (in case the box gets rooted).

Basically, it requires all email leaving the server to be routed through exim (unless you're "root"). With this change, no User will be able to connect to port 25 on a remote box, meaning if an attacker is going to spam from your server (using an insecure php script, usually), they'll need to spam through exim, which has logs and limits.

If you're already running the block_ip.sh script and use our iptables script (see id=380), then to get this VERSION=2 update of the iptables script, run the following:

    wget -O /etc/init.d/iptables http://files.directadmin.com/services/all/iptables

Do NOT run the above wget command if you're not running our iptables script. If you've made any custom changes to your iptables script, you MUST redo them! eg: if ssh is not on 22, you must re-set the port in the script.

If you didn't manually install the iptables script yourself, then you're not likely using it, so if you want this change, use the id=380 guide normally (below).

Related:
http://help.directadmin.com/item.php?id=380
http://files.directadmin.com/services/all/iptables

Actual iptables code used:

    #SMTP output, only allow mail to send remotely.
    $IPTABLES -A OUTPUT -m owner --uid-owner mail -p tcp --dport 25 -j ACCEPT
    $IPTABLES -A OUTPUT -m owner --uid-owner root -p tcp --dport 25 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -d 127.0.0.1 --dport 25 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 25 -j REJECT

Feel free to remove the whole line containing "--uid-owner root" if you don't need it. I personally do a lot of debugging with telnet to port 25, hence I'm leaving it open.

This script does not apply to FreeBSD.
--------------
CSF

Similar settings for CSF:
https://forum.directadmin.com/showthread.php?t=51996&p=267427#post267427
https://forum.directadmin.com/showthread.php?t=51923&p=267072#post267072

--------------
TESTING

To ensure it's working, you should be able to run these commands and get a similar block for admin, while it still works for root (note: exim sends as "mail", which doesn't have an ssh shell, hence we add root too):

    [root@server ~]# id
    uid=0(root) gid=0(root) groups=0(root)
    [root@server ~]# su - admin
    [admin@server ~]$ telnet directadmin.com 25
    Trying 216.144.255.179...
    telnet: connect to address 216.144.255.179: Connection refused
    [admin@server ~]$ logout
    [root@server ~]# id
    uid=0(root) gid=0(root) groups=0(root)
    [root@server ~]# telnet directadmin.com 25
    Trying 216.144.255.179...
    Connected to directadmin.com.
    Escape character is '^]'.
    220 jbmc-software.com ESMTP Exim 4.86.2 Fri, 08 Apr 2016 16:06:28 -0600
    QUIT
    221 jbmc-software.com closing connection
    Connection closed by foreign host.
    [root@server ~]#
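The four rules above only work because of their order: the owner-match ACCEPTs and the loopback ACCEPT are appended (-A) before the catch-all REJECT, so anyone who later inserts rules with -I, or pastes the REJECT first, silently blocks exim as well and the telnet test above then fails for root and admin alike. The following is an added example, not DirectAdmin's iptables script or block_ip.sh: one helper prints the port-25 rules for whatever uid allow-list you choose (so dropping "root" is a matter of leaving it off the argument list), and a second helper reads an `iptables -S OUTPUT` dump and reports whether the REJECT exists and whether any port-25 ACCEPT has ended up behind it. It assumes the printed lines are pasted into a script that defines $IPTABLES, as the DirectAdmin script does; the rate-limited LOG rule is an addition not on this page, so that blocked attempts show up in the kernel log; the two dumps at the bottom are constructed samples for exercising the checker (uid 8 = mail, 0 = root as on typical CentOS/RHEL boxes), not output captured from a real server.

```shell
#!/bin/sh
# Added example, not DirectAdmin's iptables script. Two helpers:
#  - smtp_egress_rules: prints the port-25 OUTPUT rules for an allow-list of uids,
#    in the order they must be appended (ACCEPTs before the catch-all REJECT).
#  - check_smtp_egress: reads an `iptables -S OUTPUT` dump on stdin and fails if the
#    REJECT is missing or if a port-25 ACCEPT sits after it (shadowed, never hit).
# Assumption: the printed lines go into a script that defines $IPTABLES, as the
# DirectAdmin script does. The LOG rule is an addition so blocked attempts are logged.

# Usage: smtp_egress_rules mail [root ...]
smtp_egress_rules() {
    [ "$#" -ge 1 ] || { echo "usage: smtp_egress_rules UID [UID...]" >&2; return 1; }
    # one ACCEPT per allowed uid; leave "root" off the list if you do not need it
    for uid in "$@"; do
        printf '$IPTABLES -A OUTPUT -m owner --uid-owner %s -p tcp --dport 25 -j ACCEPT\n' "$uid"
    done
    # local delivery to exim on 127.0.0.1 stays open for every uid
    printf '%s\n' '$IPTABLES -A OUTPUT -p tcp -d 127.0.0.1 --dport 25 -j ACCEPT'
    # rate-limited LOG, then the catch-all REJECT; both must come after the ACCEPTs
    printf '%s\n' '$IPTABLES -A OUTPUT -p tcp --dport 25 -m limit --limit 6/min -j LOG --log-prefix "smtp-egress-blocked: "'
    printf '%s\n' '$IPTABLES -A OUTPUT -p tcp --dport 25 -j REJECT'
}

# Usage: iptables -S OUTPUT | check_smtp_egress
# Exit 0 = ruleset ok, 1 = no port-25 REJECT, 2 = an ACCEPT is shadowed by the REJECT.
check_smtp_egress() {
    seen_reject=0
    while IFS= read -r line; do
        case "$line" in
            *"--dport 25 -j REJECT"*) seen_reject=1 ;;
            *"--dport 25 -j ACCEPT"*)
                # an ACCEPT after the REJECT can never match: rules are evaluated top-down
                if [ "$seen_reject" -eq 1 ]; then return 2; fi ;;
        esac
    done
    [ "$seen_reject" -eq 1 ] || return 1
    return 0
}

# Constructed sample dumps in `iptables -S OUTPUT` form (uids shown numerically:
# 8 = mail, 0 = root on typical CentOS/RHEL boxes), used only to exercise the checker.
GOOD_DUMP='-P OUTPUT ACCEPT
-A OUTPUT -m owner --uid-owner 8 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -m owner --uid-owner 0 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable'

# Same rules but loaded with -I instead of -A: the REJECT ends up first.
BAD_DUMP='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m owner --uid-owner 8 -p tcp -m tcp --dport 25 -j ACCEPT'

# ./smtp_egress.sh --print [uid ...]   prints the rules (defaults to mail and root)
if [ "${1:-}" = "--print" ]; then
    shift
    [ "$#" -gt 0 ] || set -- mail root
    smtp_egress_rules "$@"
fi
```

On a live box the check is `iptables -S OUTPUT | check_smtp_egress; echo $?`, run after the script has been (re)loaded; a 2 is the symptom to look for when the telnet test unexpectedly refuses root, because it means the REJECT was inserted above the ACCEPTs rather than appended below them.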
