How to block a port while using NAT

I think I have hit the wall with this one.

I have two WAN ports and a single LAN.
I also have NAT configured and a couple of rules for port forwarding from outside to my internal servers.

Now, what I am trying to do is to create a filter which will block any computer/device from within my LAN to WAN on port 25 (except for approved servers).

I made a filter rule but it does not work (I discovered that this is by design); what I do not understand is how I can achieve the same goal in some other way.

What filter rule did you try?

I have tried with filter rules explained here:

http://wiki.mikrotik.com/wiki/How_to_autodetect_infected_or_spammer_users_and_temporary_block_the_SMTP_output

I have also tried to make firewall rules which would (in my opinion) block all port 25 traffic from LAN to WAN (including my servers) but it did not work either.

They are disabled now, but here they are:

 0 X ;;; Block spammer or infected users
     chain=forward action=drop protocol=tcp src-address-list=spammer 
     dst-port=25 

 1 X ;;; Detect and add-list SMTP virus or spammers
     chain=forward action=add-src-to-address-list protocol=tcp 
     address-list=spammer address-list-timeout=1d dst-port=25 
     connection-limit=30,32 limit=50,5

Here are my NAT rules as well:

Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=dstnat action=dst-nat to-addresses=172.20.1.31 to-ports=25 
     protocol=tcp dst-address=xxx.xxx.112.227 
     in-interface=internet (port 2) dst-port=25 

 1   chain=dstnat action=dst-nat to-addresses=172.20.1.31 to-ports=443 
     protocol=tcp dst-address=xxx.xxx.112.227 
     in-interface=internet (port 2) dst-port=443 

 2   chain=dstnat action=dst-nat to-addresses=172.20.1.32 to-ports=443 
     protocol=tcp dst-address=xxx.xxx.105.29 
     in-interface=Internet (port 6) dst-port=443 

 3   chain=dstnat action=dst-nat to-addresses=172.20.1.31 to-ports=25 
     protocol=tcp dst-address=xx.xxx.105.29 
     in-interface=Internet (port 6) dst-port=25 

 4   chain=dstnat action=dst-nat to-addresses=172.20.1.32 to-ports=1723 
     protocol=tcp dst-address=xxx.xxx.105.29 
     in-interface=Internet (port 6) dst-port=1723 

 5   chain=dstnat action=dst-nat to-addresses=172.20.1.32 protocol=gre 
     dst-address=xxx.xxx.105.29 in-interface=Internet (port 6)

What I want to achieve is to allow only my mail server (at 172.20.1.31) to send SMTP traffic outside of the network.

So 172.20.1.31 is a local server?

I think what you want to do is the following:

In forward filters, have a high-priority rule which accepts traffic from 172.20.1.31 to X.X.X.X port 25. Next, have a rule which blocks traffic from any LAN address to port 25 via the outbound interface. Then have your existing forward filters, ending with the drop all at the end. Remember, it is the first matching filter that determines the action.

Hm, this seems to have solved the problem. The only difference I see between the filter I created and this one is that now I have defined the outgoing interface (the previous filters did not have an outgoing interface defined).
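
The rule order suggested in the reply above, written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread: the mail server address and the two WAN interface names are taken from the NAT rules shown earlier, while the log rules, log prefixes and comments are assumptions added so blocked attempts can be traced back to a LAN host.

```routeros
# Added example (not from the thread). 172.20.1.31 and the interface names
# "internet (port 2)" / "Internet (port 6)" come from the NAT rules above.
/ip firewall filter

# 1. The approved mail server may open outbound SMTP connections.
#    This must sit above the drop rules: the first matching rule wins.
add chain=forward action=accept protocol=tcp src-address=172.20.1.31 \
    dst-port=25 comment="Allow outbound SMTP from mail server"

# 2. First WAN: log, then drop, SMTP from every other host.
#    Matching on out-interface limits the rule to traffic leaving the LAN.
#    Inbound port-forwarded SMTP exits via the LAN interface, so the
#    dst-nat rules for 172.20.1.31 are not affected.
add chain=forward action=log protocol=tcp dst-port=25 \
    out-interface="internet (port 2)" log-prefix="smtp-blocked-wan1" \
    comment="Log blocked outbound SMTP (WAN 1)"
add chain=forward action=drop protocol=tcp dst-port=25 \
    out-interface="internet (port 2)" \
    comment="Drop outbound SMTP (WAN 1)"

# 3. Second WAN: same pair of rules, so traffic cannot bypass the block
#    by being routed out of the other uplink.
add chain=forward action=log protocol=tcp dst-port=25 \
    out-interface="Internet (port 6)" log-prefix="smtp-blocked-wan2" \
    comment="Log blocked outbound SMTP (WAN 2)"
add chain=forward action=drop protocol=tcp dst-port=25 \
    out-interface="Internet (port 6)" \
    comment="Drop outbound SMTP (WAN 2)"

# "add" appends to the end of the chain. If an earlier forward rule already
# accepts this traffic, reposition these with "move" or "place-before"
# so they are evaluated first.

# Check the resulting order, then watch the counters and the log to see
# which LAN hosts are still attempting direct SMTP.
print where chain=forward
print stats where chain=forward
```

Hosts that show up repeatedly under the `smtp-blocked-*` prefixes are the ones to inspect for misconfigured mail clients or malware.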