On Wed, May 17, at 07:36:20PM, Volker Kuhlmann wrote:
> One could periodically check up on the IPs automatically... so far
> I've seen nothing that can do that though.
A cron job can run the 'host' and 'iptables' commands in a script
such as rc.local.
This script is an example only. Iptables will have to be flushed/
restarted to accept old dropped addresses if the smtp relay
keeps changing all the time.
---- rc.local-smtp -------
#!/bin/sh
# Restart iptables if the smtp relay address keeps changing.
# Every distro has a different way of doing this. Can be run
# as a cron job or done manually instead.
# /etc/rc.d/rc.firewall restart

# Variable for some smtp relay server's address. Edit the hostname.
# Only the first A record is used so the variable holds one address;
# "host" with no -t prints IPv6 and MX lines too, which awk would pick up.
SMTPADDRESS=$(host -t A smtp.some-isp.co.nz | awk '$3 == "address" {print $4; exit}')
if [ -z "$SMTPADDRESS" ]; then
    echo "could not resolve smtp relay address, rules left unchanged" >&2
    exit 1
fi

# Allow smtp access to that server only ("! -d" is the inversion syntax
# current iptables accepts; the older "-d !" form is rejected).
iptables -A OUTPUT -p tcp -d "$SMTPADDRESS" --dport 25 -o ppp0 -j ACCEPT
iptables -A OUTPUT -p tcp ! -d "$SMTPADDRESS" --dport 25 -o ppp0 -j DROP

# Initialise a temp file with a localhost address the
# first time the script is run.
if [ ! -f /tmp/smtpaddress.txt ]; then
    echo "127.0.0.9" > /tmp/smtpaddress.txt
    echo "smtpaddress.txt created"
# Update the temp file and drop the previous smtp relay address.
elif [ "$(cat /tmp/smtpaddress.txt)" != "$SMTPADDRESS" ]; then
    PREVSMTP=$(cat /tmp/smtpaddress.txt)
    iptables -A OUTPUT -p tcp -d "$PREVSMTP" --dport 25 -o ppp0 -j DROP
    echo "$PREVSMTP denied"
    echo "$SMTPADDRESS" > /tmp/smtpaddress.txt
    echo "smtpaddress.txt updated"
fi
----------
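The script above appends a fresh ACCEPT/DROP pair to OUTPUT on every run, which is why iptables has to be flushed once the relay address has moved a few times. The following is an added example, not code from the original post, that carries the same idea one step further: all relay rules live in a dedicated chain that is flushed and rebuilt whenever the resolved address list changes, so the old address disappears on the same run that admits the new one, and the jump from OUTPUT is inserted only once. It also keeps every A record of the relay rather than the first, so a relay served from several addresses stays reachable. The relay hostname, the ppp0 interface, the chain name SMTP_OUT and the state file path are placeholders; IPTABLES can be pointed at a stand-in command for a dry run.

```shell
#!/bin/sh
# Added example (not from the original post): restrict outbound SMTP to the
# relay's current address(es) with a chain that is rebuilt on change, so
# rules never accumulate in OUTPUT and stale addresses do not linger.
# Placeholders: relay hostname, interface ppp0, chain SMTP_OUT, state file.

RELAY_HOST="${RELAY_HOST:-smtp.some-isp.co.nz}"       # placeholder relay hostname
OUT_IF="${OUT_IF:-ppp0}"                               # outbound interface
CHAIN="${CHAIN:-SMTP_OUT}"                             # chain holding the relay rules
STATE_FILE="${STATE_FILE:-/var/lib/smtp-relay.addrs}"  # root-owned dir, not /tmp
IPTABLES="${IPTABLES:-iptables}"                       # override for dry runs

# Keep only IPv4 "has address" lines from host(1) output and print the
# addresses sorted and de-duplicated, one per line. IPv6 and MX lines are
# ignored so a changed MX record does not disturb the rules.
parse_host_output() {
    awk '$2 == "has" && $3 == "address" { print $4 }' | sort -u
}

# Succeed (and record the new list) when the resolved addresses differ from
# the list saved by the previous run; fail when nothing changed.
addresses_changed() {
    new="$1"
    old=""
    [ -f "$STATE_FILE" ] && old=$(cat "$STATE_FILE")
    if [ "$new" != "$old" ]; then
        printf '%s\n' "$new" > "$STATE_FILE"
        return 0
    fi
    return 1
}

# Rebuild the chain from scratch for the addresses given as arguments:
# one ACCEPT per relay address, then DROP for every other SMTP destination.
# An empty list is refused, since applying it would cut off all outbound
# mail after a failed lookup; the previous rules stay in place instead.
build_rules() {
    if [ $# -eq 0 ]; then
        echo "no address resolved for $RELAY_HOST; rules left unchanged" >&2
        return 1
    fi
    $IPTABLES -N "$CHAIN" 2>/dev/null || true    # chain already exists on later runs
    $IPTABLES -F "$CHAIN"
    for addr in "$@"; do
        $IPTABLES -A "$CHAIN" -d "$addr" -j ACCEPT
    done
    $IPTABLES -A "$CHAIN" -j DROP
    # Route outbound port-25 traffic through the chain; add the jump only if
    # it is not already present so repeated runs do not duplicate it.
    $IPTABLES -C OUTPUT -p tcp --dport 25 -o "$OUT_IF" -j "$CHAIN" 2>/dev/null ||
        $IPTABLES -I OUTPUT -p tcp --dport 25 -o "$OUT_IF" -j "$CHAIN"
}

# Resolve the relay and rebuild the rules only when its addresses changed.
# Intended invocation (e.g. from cron): sh smtp-relay-rules.sh apply
main() {
    addrs=$(host -t A "$RELAY_HOST" | parse_host_output)
    if [ -z "$addrs" ]; then
        echo "lookup of $RELAY_HOST returned no A record; rules left unchanged" >&2
        return 1
    fi
    if addresses_changed "$addrs"; then
        # unquoted on purpose: split the newline-separated list into arguments
        build_rules $addrs
    else
        echo "relay addresses unchanged"
    fi
}

case "${1:-}" in
    apply) main ;;
esac
```

Because DROP is the last rule of the chain, a failed DNS lookup must never reach build_rules with an empty list; both main and build_rules guard against that, so a transient resolver outage leaves the last known good rules in place rather than blocking all mail. Setting IPTABLES to a shell function that echoes its arguments shows the exact commands a run would issue without touching the live ruleset.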