Log with iptables which user is delivering email to port 25

Solution 1:

It would probably be better to have the policy for the OUTPUT table set to DROP and then to explicitly open the relevant ports etc., but this will be quite specific to your environment, so it is an exercise for the OP.

You can use -m multiport to match up to 15 ports, e.g.

iptables -A OUTPUT -p tcp -m multiport --dports 25,587 -m owner --gid-owner mail -j ACCEPT

to allow the group mail to send on both ports.

You can log new outbound connections like this:

iptables -A OUTPUT -p tcp -m multiport --dports 25,587 -m state --state NEW -j LOG --log-uid --log-prefix "LOCAL_DROPPED_SPAM "

and you get a message like this:

Nov 11 12:52:26 hostname kernel: LOCAL_DROPPED_SPAM IN= OUT=eth0 SRC=192.168.254.181 DST=192.168.254.187 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=53476 DF PROTO=TCP SPT=49893 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1000 GID=1000

iptables -A OUTPUT -p tcp -m multiport --dports 25,587 -j DROP

to finally drop all outbound connections on both ports.

Remember that iptables applies rules in the order they appear in the table, and the first match wins, so:

  • Place your ALLOW rules first
  • Follow this with the LOG rules
  • Then DROP
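The LOG rule above answers the question only once somebody reads the kernel log. As an added example that is not part of the answer, the following Python script parses the `LOCAL_DROPPED_SPAM` lines (the prefix is the one used in the answer), pulls out the `UID`, `GID` and `DPT` fields that `--log-uid` adds, and counts attempts per user and port so a defender can see at a glance which local account keeps trying to reach port 25 or 587. The sample log lines are constructed to mirror the format shown in the answer (addresses and IDs are made up); the `lookup` mapping is a hypothetical UID-to-name table for logs copied from another host where the local `pwd` database does not apply. A line without `UID`/`GID` (the kernel only reports an owner for locally generated packets) is counted separately rather than dropped.

```python
import re
from collections import Counter

try:
    import pwd  # POSIX only; used to turn a UID into an account name
except ImportError:  # pragma: no cover
    pwd = None

PREFIX = "LOCAL_DROPPED_SPAM"           # --log-prefix from the LOG rule
KV_RE = re.compile(r"([A-Z]+)=(\S*)")   # KEY=value tokens; flags like DF/SYN have no '='

# Constructed sample log, modelled on the message format the LOG target emits
# (hostname, addresses and IDs are made up; the last LOG line has no UID/GID,
# as happens when the logged packet was not generated by a local process).
SAMPLE_LOG = """\
Nov 11 12:52:26 hostname kernel: LOCAL_DROPPED_SPAM IN= OUT=eth0 SRC=192.168.254.181 DST=192.168.254.187 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=53476 DF PROTO=TCP SPT=49893 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Nov 11 12:52:27 hostname kernel: LOCAL_DROPPED_SPAM IN= OUT=eth0 SRC=192.168.254.181 DST=203.0.113.5 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=53477 DF PROTO=TCP SPT=49894 DPT=587 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Nov 11 12:53:01 hostname kernel: LOCAL_DROPPED_SPAM IN= OUT=eth0 SRC=192.168.254.181 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53480 DF PROTO=TCP SPT=50012 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0 UID=33 GID=33
Nov 11 12:53:05 hostname kernel: eth0: link is up
Nov 11 12:53:09 hostname kernel: LOCAL_DROPPED_SPAM IN= OUT=eth0 SRC=192.168.254.181 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53481 DF PROTO=TCP SPT=40000 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0
"""


def parse_log_line(line, prefix=PREFIX):
    """Return the KEY=value fields of one LOG line as a dict, or None when the
    line does not carry our prefix. Empty values such as 'IN=' become ''."""
    marker = f"kernel: {prefix} "
    idx = line.find(marker)
    if idx < 0:
        return None
    return dict(KV_RE.findall(line[idx + len(marker):]))


def summarize(log_text, prefix=PREFIX):
    """Count logged TCP connection attempts per (UID, GID, destination port).
    Lines lacking an owner are keyed as ('no-uid', 'no-gid', port)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields is None or fields.get("PROTO") != "TCP":
            continue
        key = (fields.get("UID", "no-uid"), fields.get("GID", "no-gid"), fields.get("DPT"))
        counts[key] += 1
    return counts


def resolve_user(uid, lookup=None):
    """Map a numeric UID to an account name. 'lookup' is a hypothetical
    UID->name table for logs from another host; otherwise the local passwd
    database is consulted, falling back to the raw number."""
    if lookup is not None and uid in lookup:
        return lookup[uid]
    if pwd is not None:
        try:
            return pwd.getpwuid(int(uid)).pw_name
        except (KeyError, ValueError):
            pass
    return f"uid:{uid}"


def report(counts, lookup=None):
    """Render one line per (user, gid, port), most frequent first."""
    return [
        f"{resolve_user(uid, lookup):<12} gid={gid:<6} dport={dport:<4} attempts={n}"
        for (uid, gid, dport), n in counts.most_common()
    ]


if __name__ == "__main__":
    # Read the real log with e.g. open('/var/log/kern.log') in place of SAMPLE_LOG.
    for line in report(summarize(SAMPLE_LOG), lookup={"1000": "alice", "33": "www-data"}):
        print(line)
```

On a live host, feed it `journalctl -k` or `/var/log/kern.log` output and keep the `--log-prefix` in sync with `PREFIX`; the `GID` column is what tells you whether an attempt came from the `mail` group the ALLOW rule exempts or from some other account that should not be speaking SMTP at all.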