2

I would like to know how to block an IP to use smtp service on a server with centos 7 firewall . I try to use something like this :

   firewall-cmd --permanent --zone="public" --add-rich-rule='rule family=ipv4 source address=[ipadress] --remove-service=smtp'

but is not the right syntax

Or should I block the TCP ports 25, 465 and 587?

also if anyone could tell me how to automatically do this getting de ip from a file (if possible) would be great

user
  • 4,335
  • 4
  • 34
  • 71
Mik
  • 83
  • 1
  • 1
  • 6
  • I really don't understand your question. You are trying to block a remote IP address from using your mail-server? I don't know much about ``firewall-cmd``, but I would suggest using ``iptables`` for this purpose if this is what you need. – philippe May 16 '15 at 19:33

1 Answers1

1

The correct syntax, as described in the firewalld.richlanguage(5) manpage, is:

# firewall-cmd --zone="FedoraWorkstation" \
  --add-rich-rule='rule family=ipv4 source address=1.2.3.4 service name=smtp reject'
success

# iptables-save | grep 1.2.3.4
-A IN_FedoraWorkstation_deny -s 1.2.3.4/32 -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable

Note that this applies to incoming traffic to port 25/tcp, as described in the service file /usr/lib/firewalld/services/smtp.xml:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Mail (SMTP)</short>
  <description>This option allows incoming SMTP mail delivery. If you need to allow remote hosts to connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP's server by POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.</description>
  <port protocol="tcp" port="25"/>
</service>
dawud
  • 15,096
  • 3
  • 42
  • 61