MailCleaner Firewall - SpamTagger/SpamTagger-Plus GitHub Wiki

The MailCleaner firewall dynamically generates the iptables configuration upon restart by creating the necessary default ports for the machine's local network, as well as by dumping the rules configured in the external_accesses table of the mc_config database (on the master node). You can access this table by running:

/usr/mailcleaner/bin/mc_mysql -m mc_config

from the master node.

If you change the MailCleaner server's firewall rules with iptables directly, the changes are only temporary and will be removed on the next reboot. These rules are generated by /usr/mailcleaner/bin/dump_firewall.pl.

Adding a firewall rule permanently

To have new firewall rules persist, you must add them to this table, for example:

INSERT INTO external_access (service,port,protocol,allowed_ip) VALUES ('SSH','22','TCP','192.168.0.1/32');

This allows SSH access on port 22 for the IP 192.168.0.1. It is equivalent to:

iptables -A INPUT -s 192.168.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT

This rule will be loaded when the firewall is restarted:

/usr/mailcleaner/etc/init.d/firewall restart

This is how some of the settings in the administrator interface, such as access to the web interface itself, are enabled.
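The mapping from a table row (service, port, protocol, allowed_ip) to the iptables rule shown above is what dump_firewall.pl performs at restart. The script below is an added example, not MailCleaner's code: it renders rows in that column order into the equivalent rule text and rejects malformed ports, protocols and CIDR values before they would reach the table. The column order, the validation rules and the exact output format are assumptions of this example (the real script's output may differ); the sample rows are constructed, and nothing here calls iptables or mc_mysql.

```shell
#!/bin/sh
# Added example: render external_access-style rows into iptables INPUT rules.
# Assumptions: column order service|port|protocol|allowed_ip (as in the INSERT
# on this page); output format mirrors the hand-written rule on this page.
# This only prints rules and validates input; it never changes the firewall.

# Accept a TCP/UDP port number in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept an IPv4 address with an optional /prefix (a bare address means /32).
valid_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    set -f; IFS=.; set -- $addr; IFS=$old_ifs; set +f
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Render one row as an iptables rule; arguments: service port protocol allowed_ip.
# Invalid rows are reported on stderr and produce no rule.
row_to_iptables() {
    service=$1; port=$2; proto=$3; cidr=$4
    valid_port "$port" || { echo "row '$service': bad port '$port'" >&2; return 1; }
    valid_cidr "$cidr" || { echo "row '$service': bad allowed_ip '$cidr'" >&2; return 1; }
    proto=$(printf '%s' "$proto" | tr 'A-Z' 'a-z')
    case "$proto" in
        tcp|udp) ;;
        *) echo "row '$service': unsupported protocol '$proto'" >&2; return 1 ;;
    esac
    # Normalise a bare host address to an explicit /32 so the rule is unambiguous.
    case "$cidr" in */*) ;; *) cidr="$cidr/32" ;; esac
    printf 'iptables -A INPUT -s %s -p %s -m %s --dport %s -j ACCEPT\n' \
        "$cidr" "$proto" "$proto" "$port"
}

# Constructed sample rows (pipe-separated); the third row is deliberately invalid.
SAMPLE_ROWS='SSH|22|TCP|192.168.0.1/32
HTTPS|443|TCP|10.0.0.0/24
BAD|99999|TCP|10.0.0.1'

# Render every sample row, skipping the ones that fail validation.
render_rows() {
    printf '%s\n' "$SAMPLE_ROWS" | while IFS='|' read -r service port proto cidr; do
        row_to_iptables "$service" "$port" "$proto" "$cidr" || true
    done
}

render_rows
```

Running the script prints two ACCEPT rules, the first identical to the rule given above for the SSH example, and reports the invalid third row on stderr. Validating the allowed_ip and port before the INSERT matters because a typo in the table is not caught until the next firewall restart, when it silently drops or widens a rule.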

Realtime IP bans (Fail2Ban)

For ports that are open, MailCleaner runs Fail2Ban to automatically block abusive behavior. You can see our Fail2Ban Guide for information on how to manage this feature.