Koozali.org formerly Contribs.org

Reject all incoming traffic except SMTP on WAN interface?

Offline MSmith

  • *
  • 675
Reject all incoming traffic except SMTP on WAN interface?
« on: November 26, 2019, 12:06:56 AM »
9.2, fully patched, is router/gateway/firewall/email server but isn't providing any services to the outside except incoming email via SMTP, restricted to a specific IP range. It's getting hammered with incoming connections that just leave the poor thing hanging with a zillion SYN_RECV transactions pending. I've been playing whackamole with iptables and trying to get Fail2Ban to do something useful, but I'd rather just close the door.

Any way I can disable all incoming TCP requests on the WAN interface? Without killing server manager and Roundcube on the LAN interface?
...

Offline mmccarn

  • *
  • 2,525
Re: Reject all incoming traffic except SMTP on WAN interface?
« Reply #1 on: November 26, 2019, 04:40:04 AM »

You may get what you want by setting the non-public services to access=private

Code: [Select]
for svc in oidentd 'httpd-e-smith' 'ssmtpd' ftp imap imaps modSSL pop3s sshd; do
# show current status for posterity
printf "$svc was:\t$(config getprop $svc access)\n"
config setprop $svc access private
done
signal-event post-upgrade; signal-event reboot

Offline MSmith

  • *
  • 675
Re: Reject all incoming traffic except SMTP on WAN interface?
« Reply #2 on: November 26, 2019, 02:40:36 PM »
You may get what you want by setting the non-public services to access=private

Thanks very much, that was helpful. I only set httpd-e-smith to private for now. That killed Roundcube but it's a small price to free up the load on the machine until a permanent solution is found. (EDIT: Server Manager still accessible.)
...

Offline Jean-Philippe Pialasse

  • *
  • 1,490
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Reject all incoming traffic except SMTP on WAN interface?
« Reply #3 on: November 26, 2019, 09:48:40 PM »
geoip filtering ?

Offline ReetP

  • *
  • 2,557
Re: Reject all incoming traffic except SMTP on WAN interface?
« Reply #4 on: November 26, 2019, 11:10:16 PM »
GeoIP is defintely worth looking at.

Consider https://wiki.contribs.org/Xt_geoip

There are some ways to check your logs to ascertain which countries are hammering you.

It will be the usual culprits so just bin them. Life will become much quieter :-)

My only wish is that I could dump the US :-( It is now my biggest source of junk, but manageable.....
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation