Log with iptables which user is delivering email to port 25
Solution 1:
It would probably be better to have the policy for the OUTPUT table set to DROP and then to explicitly open the relevant ports etc but this will be quite specific to your environment so is an exercise for the OP.
You can use -m multiport
to match up to 15 ports e.g.
iptables -A OUTPUT -p tcp -m multiport --dports 25,587 -m owner --gid-owner mail -j ACCEPT
to allow the group mail to send on both ports or
You can log new outbound connections like this
iptables -A OUTPUT -p tcp -m multiport --dports 25,587 -m state --state NEW -j LOG --log-uid --log-prefix "LOCAL_DROPPED_SPAM "
and you get a message like this
Nov 11 12:52:26 hostname kernel: LOCAL_DROPPED_SPAM IN= OUT=eth0 SRC=192.168.254.181 DST=192.168.254.187 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=53476 DF PROTO=TCP SPT=49893 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1000 GID=1000
iptables -A OUTPUT -p tcp -m multiport --dports 25,587 -j DROP
to finally drop all outbound connections on both ports.
Remember that iptables actions rules in the order they are in the table and first match wins so
- Place your ALLOW rules first
- Follow this with the LOG rules
- Then DROP