Home / server / Questions / 692507
Accepted
Mik
Asked: 2015-05-17 10:09:39 +0800 CST

Block smtp service to a IP centos 7 Firewall

  • 772

I would like to know how to block an IP to use smtp service on a server with centos 7 firewall . I try to use something like this :

   firewall-cmd --permanent --zone="public" --add-rich-rule='rule family=ipv4 source address=[ipadress] --remove-service=smtp'

but is not the right syntax

Or should I block the TCP ports 25, 465 and 587?

also if anyone could tell me how to automatically do this getting de ip from a file (if possible) would be great

iptables

1 Answers

  1. Best Answer

    The correct syntax, as described in the firewalld.richlanguage(5) manpage, is:

    # firewall-cmd --zone="FedoraWorkstation" \
  --add-rich-rule='rule family=ipv4 source address=1.2.3.4 service name=smtp reject'
success

# iptables-save | grep 1.2.3.4
-A IN_FedoraWorkstation_deny -s 1.2.3.4/32 -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable

    Note that this applies to incoming traffic to port 25/tcp, as described in the service file /usr/lib/firewalld/services/smtp.xml:

    <?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Mail (SMTP)</short>
  <description>This option allows incoming SMTP mail delivery. If you need to allow remote hosts to connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP's server by POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.</description>
  <port protocol="tcp" port="25"/>
</service>
    • 1