Iptables / CSF firewall configuration for Zimbra server


Securing a Zimbra email server should be the first priority from the start. For some reason, Zimbra recommends installing it without a firewall. Doing so might result in a compromised server. Zimbra works perfectly with firewalls as long as the ports required by Zimbra, as well as the ports required for server functionality, are open.

Zimbra security hardening using iptables

Here is a commented iptables configuration file (/etc/sysconfig/iptables) for a Zimbra server. It should take care of blocking some common threats as well as making the Zimbra server more secure. You can copy, edit and paste the rule set. Please remove "iptables" from the beginning of each line.

The configuration does for example the following:

  • Drops all but essential traffic.
  • Allows Zimbra admin console access only from LAN and your IP.
  • Checks incoming packets and filters out invalid traffic.
  • Creates some protection against common attacks.

(Please note that paths and commands are shown as on CentOS 7. If you are using another distro, paths and commands might need to be modified; however, the functionality should be the same.)

Please remember to replace MY.IP.ADDRESS (in # ALLOW SSH FROM OWN IP and # ALLOW PORT ZIMBRA ADMIN PORT) with your IP(s), and remember to change the SSH port number (in # ALLOW SSH FROM OWN IP, # LIMIT NUMBER OF SSH CONNECTIONS and the # DROP ALL OTHER SSH rule) if you are not using the standard SSH port (which you should not be using).

CSF makes it easy to manage firewall rules, but in some cases it is reasonable to configure iptables directly. That is the case with a Zimbra email server. However, you might still want to use CSF. In such a situation, you need to create the /etc/csf/csfpre.sh pre-script to add custom iptables rules with CSF. If you use this file with CSF, please remove or comment out (#) the first (*filter) and the last (COMMIT) line and DO NOT remove "iptables" from the beginning of each line.

*filter

# CHANGE CHAIN'S DEFAULT POLICY TO DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# ADD NEW CHAIN SSHATTACK
iptables -N SSHATTACK

# ALLOW SSH FROM OWN IP CHANGE IP !!! 
iptables -A INPUT -m tcp -p tcp -s MY.IP.ADDRESS1/32 --dport 22 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp -d MY.IP.ADDRESS1/32 --sport 22 -j ACCEPT
iptables -A INPUT -m tcp -p tcp -s MY.IP.ADDRESS2/32 --dport 22 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp -d MY.IP.ADDRESS2/32 --sport 22 -j ACCEPT

# VERIFY NEW INCOMING TCP CONNECTIONS ARE SYN PACKETS IF NOT DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# DROP PACKETS WITH INCOMING FRAGMENTS AVOID SERVER PANIC
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# DROP AND LOG MALFORMED XMAS PACKETS
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " XMAS Packets "
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# DROP AND LOG NULL PACKETS
iptables -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " NULL Packets "
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# DROP AND LOG FIN PACKET SCANS
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix " Fin Packets Scan "
iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# DROP AND LOG BROADCAST, MULTICAST AND INVALID
iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG --log-prefix " Broadcast "
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -m pkttype --pkt-type multicast -j LOG --log-prefix " Multicast "
iptables -A INPUT -m pkttype --pkt-type multicast -j DROP
iptables -A INPUT -m state --state INVALID -j LOG --log-prefix " Invalid "
iptables -A INPUT -m state --state INVALID -j DROP

# REJECT MORE THAN 100 CONCURRENT HTTP/HTTPS CONNECTIONS FROM ONE SOURCE IP
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 100 --connlimit-mask 32 -j REJECT --reject-with tcp-reset

# RATE-LIMIT ACCEPTED ESTABLISHED/RELATED PACKETS TO 150 PER SECOND (BURST 160); PACKETS ABOVE THE LIMIT FALL THROUGH TO THE RULES BELOW
iptables -A INPUT -m state --state ESTABLISHED,RELATED -m limit --limit 150/second --limit-burst 160 -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# LIMIT NUMBER OF SSH CONNECTIONS CHANGE SSH PORT NUMBER !!!
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name DEFAULT --rsource
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 120 --hitcount 4 --name DEFAULT --rsource -j SSHATTACK

# ALLOW UNLIMITED INTERFACE LO LOOPBACK CONNECTIONS
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# ALLOW ICMP PING
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# ALLOW NTP TO NTP SERVER
iptables -A OUTPUT -m tcp -p tcp --dport 123 -j ACCEPT
iptables -A OUTPUT -m udp -p udp --dport 123 -j ACCEPT

# ALLOW OUTPUT DNS PORT 53
iptables -A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -m udp -p udp --dport 53 -j ACCEPT

# ALLOW PORT SMTP 25
# NOTE: THE "INPUT --sport" RULES IN THIS AND THE FOLLOWING SECTIONS MATCH ANY INBOUND PACKET BY SOURCE PORT ONLY;
# STATEFUL ESTABLISHED,RELATED MATCHING (SEE THE CONNTRACK RULES BELOW) IS THE SAFER WAY TO ALLOW REPLIES TO OUTBOUND CONNECTIONS
iptables -A INPUT -m tcp -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --sport 25 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --sport 25 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --dport 25 -j ACCEPT

# ALLOW PORT HTTP 80
iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --sport 80 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --dport 80 -j ACCEPT

# ALLOW POP3 110
iptables -A INPUT -m tcp -p tcp --dport 110 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --sport 110 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --sport 110 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --dport 110 -j ACCEPT

# ALLOW IMAP - 143
iptables -A INPUT -m tcp -p tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --sport 143 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --sport 143 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --dport 143 -j ACCEPT

# ALLOW HTTPS - 443
iptables -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --sport 443 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --dport 443 -j ACCEPT

# ALLOW SMTPS 465, 587
iptables -A INPUT -m tcp -p tcp --match multiport --dports 465,587 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --match multiport --sports 465,587 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --match multiport --sports 465,587 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --match multiport --dports 465,587 -j ACCEPT

#ALLOW PORT IMAPS - 993
##############################
#iptables -A INPUT -m tcp -p tcp --dport 993 -j ACCEPT
#iptables -A OUTPUT -m tcp -p tcp --sport 993 -j ACCEPT
#iptables -A INPUT -m tcp -p tcp --sport 993 -j ACCEPT
#iptables -A OUTPUT -m tcp -p tcp --dport 993 -j ACCEPT

iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# ALLOW PORT POP3S - 995
iptables -A INPUT -m tcp -p tcp --dport 995 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --sport 995 -j ACCEPT
iptables -A INPUT -m tcp -p tcp --sport 995 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --dport 995 -j ACCEPT

# ALLOW PORT ZIMBRA ADMIN PORT
iptables -A INPUT -m tcp -p tcp -s 127.0.0.1 --dport 7071 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp -d 127.0.0.1 --sport 7071 -j ACCEPT
iptables -A INPUT -m tcp -p tcp -s MY.IP.ADDRESS1 --dport 7071 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp -d MY.IP.ADDRESS1 --sport 7071 -j ACCEPT
iptables -A INPUT -m tcp -p tcp -s MY.IP.ADDRESS2 --dport 7071 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp -d MY.IP.ADDRESS2 --sport 7071 -j ACCEPT

# DROP ALL OTHER SSH CONNECTIONS
iptables -A INPUT -m tcp -p tcp --dport 22 -j DROP

# DROP AND LOG SSHATTACK
iptables -A SSHATTACK -j LOG --log-prefix "SSH Attack! " --log-level 7
iptables -A SSHATTACK -j DROP

# ALLOW UDP 67 AND 68 DHCP SERVER
iptables -A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT

# ALLOW UDP 67 AND 68 DHCP CLIENT
iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT

# ALLOW ESTABLISHED AND RELATED CONNECTIONS INCOMING
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ALLOW ESTABLISHED AND RELATED CONNECTIONS OUTGOING
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# ALLOW INTERNAL TO EXTERNAL NETWORK
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# DEFAULT REJECT RULE
# KEPT AS THE LAST INPUT/FORWARD RULES: ANY RULE APPENDED AFTER A CATCH-ALL REJECT IS NEVER REACHED
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

COMMIT

Please note, if you are going to copy, edit and paste (not just copy and paste!) this iptables firewall configuration for Zimbra, go through each line and make sure that you understand what it does before applying the rules. It is essential that you understand what you are doing, or you can get locked out or leave serious vulnerabilities. The author takes no responsibility if you use this file as it is. Use the following command to view the iptables help.

iptables -h
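As an added example (not part of the original post), the following POSIX shell script converts the rule set above between the two layouts described in the introduction, checks that the MY.IP.ADDRESS placeholders were actually replaced, and applies a restore-format file with an automatic rollback so a mistake cannot lock you out for good. The function names, the 120-second rollback window and the sample rule lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Converts the rule set above between
# the two layouts the post describes, checks that the MY.IP.ADDRESS placeholders
# were replaced, and applies a file with an automatic rollback against lock-out.

# /etc/sysconfig/iptables layout: drop the leading "iptables " from each rule
# line; "*filter" and "COMMIT" stay as they are.
to_restore_format() {
    sed -e 's/^iptables //'
}

# /etc/csf/csfpre.sh layout: keep the "iptables" prefix and comment out
# "*filter" and "COMMIT", because CSF manages the table itself.
to_csf_format() {
    sed -e 's/^\*filter$/#*filter/' -e 's/^COMMIT$/#COMMIT/'
}

# Returns 0 when no MY.IP.ADDRESS placeholder is left in an active (non-comment)
# line, 1 otherwise; offending lines go to stderr.
check_placeholders() {
    if grep -v '^#' | grep -n 'MY\.IP\.ADDRESS' >&2; then
        return 1
    fi
    return 0
}

# Loads a restore-format file but restores the previous rule set after 120 s
# unless confirm_rules is called with the returned backup path (run as root).
apply_with_rollback() {
    rules="$1"
    backup="/tmp/iptables.backup.$$"
    iptables-save > "$backup" || return 1
    iptables-restore --test "$rules" || return 1   # parse only, commit nothing
    iptables-restore "$rules" || return 1
    ( sleep 120; [ -e "$backup" ] && iptables-restore "$backup" ) &
    echo "$backup"
}
confirm_rules() { rm -f "$1"; }   # deleting the backup disarms the rollback

# Constructed sample in the post's layout, used for the demonstration below.
SAMPLE='*filter
iptables -P INPUT DROP
# ALLOW SSH FROM OWN IP
iptables -A INPUT -m tcp -p tcp -s MY.IP.ADDRESS1/32 --dport 22 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE" | to_csf_format
printf '%s\n' "$SAMPLE" | check_placeholders || echo "replace MY.IP.ADDRESS first" >&2
```

Typical use is `p=$(apply_with_rollback /etc/sysconfig/iptables.new)` from one SSH session, then `confirm_rules "$p"` once a second session can still log in.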

Please note, this is far from a perfect configuration; however, it should be a good start to give more than basic protection to a newly installed Zimbra email server. You should edit, add or remove rules as per your needs. For example, it is recommended to allow only secure email protocols (SMTPS, IMAPS and POP3S). Therefore you might want to disable the SMTP, POP3 and IMAP ports.

See also: Add additional IP for sending emails on Zimbra server

You should also secure the Zimbra server using its internal DDoS protection, as well as by limiting the number of incoming/outgoing emails at the account level and enforcing strong passwords, strict account lockout on failed logins and 2FA.

Managed Zimbra email server

In many cases, it is more effective to outsource Zimbra server management than to spend countless hours on system administration tasks. Mailabler offers reasonably priced, fully managed Zimbra email servers in various locations, including Switzerland, Moscow, London, the USA and Finland. Managed email servers also include security hardening. Mailabler is part of the company managed by the author.
