Problem with viruses on SMTP

Petr Balas petr-news at balas.cz
Saturday February 26 18:59:35 CET 2005


Petr Vyhnal wrote:

> If I understand it correctly, this will however block access to all external
> SMTP servers and users will get a timeout error. Perhaps a better approach is
> to use REDIRECT, which takes the packet sent to the external SMTP and delivers
> it to the local SMTP. See:
> 
> 
>       REDIRECT
> 
> This target is only valid in the *nat* table, in the *PREROUTING* and
> *OUTPUT* chains, and user-defined chains which are only called from
> those chains. It alters the destination IP address to send the packet to
> the machine itself (locally-generated packets are mapped to the
> 127.0.0.1 address). It takes one option:
> 
> *--to-ports* /port/[-/port/]
>     This specifies a destination port or range of ports to use: without
>     this, the destination port is never altered. This is only valid if
>     the rule also specifies *-p tcp* or *-p udp*.
> 
>>  /sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -j DROP

The first solution has a certain appeal if you can make users use the designated
SMTP server without problems while not having those users fully under your
control. Then any packets going to an external SMTP server come from infected
computers, and we don't want to let those out anywhere, do we?

Otherwise I also use redirection to the internal SMTP server - it is an elegant
solution for notebook users: they set smtp.t-email.cz and when they are in the
company, it is silently redirected to the local smtp server, everything works
for them and nobody has to reconfigure anything anywhere.

If the mail server is on the router, this is enough:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT
where eth0 is the internal interface.

-- 
Petr Balas (petr at balas dot cz) 
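As an added example (not from the post above), the rule from the reply turned into a small script that also handles the case the thread mentions, where a separate internal host is the legitimate mail server and must keep direct port-25 access; the interface eth0, the LAN 192.168.1.0/24 and the mail server address 192.168.1.25 are assumed placeholders, and the LOG rule is an addition so that redirected (i.e. infected or misconfigured) hosts show up in the kernel log.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the nat rules that
# force internal clients' port-25 traffic to the local SMTP daemon, as in the
# post. Assumed values (not from the post): internal interface eth0, LAN
# 192.168.1.0/24, optional separate mail server 192.168.1.25 that is allowed
# to talk to outside SMTP servers directly.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# smtp_redirect_rules IFACE LAN [MAILSERVER_IP]
# Without MAILSERVER_IP every port-25 connection arriving on IFACE from LAN is
# redirected to the router's own SMTP daemon (the rule from the post, with the
# source network made explicit). With MAILSERVER_IP, that one host is exempted
# first via RETURN, because it is the host that legitimately relays outbound.
smtp_redirect_rules() {
    iface="$1"; lan="$2"; mailserver="$3"
    if [ -n "$mailserver" ]; then
        run iptables -t nat -A PREROUTING -i "$iface" -s "$mailserver" \
            -p tcp --dport 25 -j RETURN
    fi
    # Log each redirected connection attempt (rate limited) so that the
    # machines trying to reach outside SMTP servers can be identified.
    run iptables -t nat -A PREROUTING -i "$iface" -s "$lan" \
        -p tcp --dport 25 -m limit --limit 10/min -j LOG --log-prefix SMTP-REDIRECT:
    # The actual redirect: destination becomes the router itself, port 25.
    run iptables -t nat -A PREROUTING -i "$iface" -s "$lan" \
        -p tcp --dport 25 -j REDIRECT --to-ports 25
}

# Usage with the assumed placeholders; prints the rules unless DRY_RUN=0.
smtp_redirect_rules eth0 192.168.1.0/24 192.168.1.25
```

With DRY_RUN=0 the script must run as root; review the printed rules first and remember that a client already connected to an outside SMTP server before the rules were loaded keeps that connection, since the nat table only sees the first packet of a connection.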

