Can someone help me with this issue? I'm trying to block all outgoing
traffic over port 25, except from my company's Exchange server.
Unfortunately everything I try either does nothing or blocks port 25
for everything, including the Exchange server.

The internal interface is eth0, eth1 is external.

INTERNALNET1=172.16.0.0/12
INTERNALNET2=172.17.0.0/12
INTERNALNET3=10.2.0.0/16
INTERNALNET4=10.3.0.0/16

REMOTENET is defined as 0/0

-------------

Here is the code that I'm trying to run...

BLOCKSMTP=YES
EXCHHOST=172.16.25.20

Attempt #1
----------
# Block SMTP for all but Exchange Server
if [ "$BLOCKSMTP" = "YES" ]; then
echo "Blocking SMTP for all devices except the Exchange server..."
$IPCHAINS -A output -p tcp -s ! $EXCHHOST -d $REMOTENET 25 -l -i eth1 -j DENY
fi

Attempt #2
----------
# Block SMTP for all but Exchange Server
if [ "$BLOCKSMTP" = "YES" ]; then
echo "Blocking SMTP for all devices except the Exchange server..."
$IPCHAINS -A output -p tcp -s $INTERNALNET1 -d $REMOTENET 25 -l -i eth1 -j DENY
$IPCHAINS -A output -p tcp -s $INTERNALNET2 -d $REMOTENET 25 -l -i eth1 -j DENY
$IPCHAINS -A output -p tcp -s $INTERNALNET3 -d $REMOTENET 25 -l -i eth1 -j DENY
$IPCHAINS -A output -p tcp -s $INTERNALNET4 -d $REMOTENET 25 -l -i eth1 -j DENY
$IPCHAINS -A output -p tcp -s $EXCHHOST -d $REMOTENET 25 -l -i eth1 -j ACCEPT
fi

Attempt #3
----------
# Block SMTP for all but Exchange Server
if [ "$BLOCKSMTP" = "YES" ]; then
echo "Blocking SMTP for all devices except the Exchange server..."
$IPCHAINS -A output -p tcp -d $REMOTENET 25 -l -j DENY
$IPCHAINS -A output -p tcp -s $EXCHHOST -d $REMOTENET 25 -l -j ACCEPT
fi

I have tried all of the above options with and without the "-i eth1"
with no luck. I have also removed the variables and replaced them with
actual networks and IPs.

Attempt 1 (with or without "-i eth1"): all machines are blocked from
port 25 outgoing, including the Exchange server.

Attempt 2 (with or without "-i eth1"): nothing is blocked. I even
tried removing the last line of it ("$IPCHAINS -A output -p tcp -s
$EXCHHOST -d $REMOTENET 25 -l -j ACCEPT") and still it allows me to
connect over port 25 to external hosts from any machine in the building.

Attempt 3 (with or without "-i eth1"): all machines are blocked from
port 25 outgoing, including the Exchange server.

Any help would be greatly appreciated.

- Chris
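One way to express the intended policy in ipchains, added here as an example and not Chris's script: the ACCEPT for the Exchange host is appended before the DENY (ipchains stops at the first matching rule, which is why attempt 3 blocked everything), and both rules go in the forward chain rather than output. The forward-chain choice assumes the firewall masquerades the internal networks; in that case the output chain on eth1 already sees the firewall's own address as the source, so a rule matching an internal source there never fires, which is consistent with the behaviour of attempts 1 and 2.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Assumptions: internal networks are masqueraded out eth1, so the forward
# chain is where the original internal source address is still visible.
# IPCHAINS defaults to echo so the rules can be reviewed without applying
# them; set IPCHAINS=/sbin/ipchains to install them for real.
IPCHAINS=${IPCHAINS:-echo ipchains}
BLOCKSMTP=YES
EXCHHOST=172.16.25.20
REMOTENET=0/0

# Emit (or apply) the SMTP egress rules in the order ipchains evaluates them.
smtp_rules() {
    [ "$BLOCKSMTP" = "YES" ] || return 0
    echo "Blocking SMTP for all devices except the Exchange server..." >&2
    # 1. First match wins: the Exchange host may send SMTP out of eth1.
    $IPCHAINS -A forward -p tcp -s "$EXCHHOST" -d "$REMOTENET" 25 -i eth1 -j ACCEPT
    # 2. Any other source heading for port 25 out of eth1 is logged and denied.
    $IPCHAINS -A forward -p tcp -s "$REMOTENET" -d "$REMOTENET" 25 -i eth1 -l -j DENY
}

smtp_rules
```

Run it once with the default echo to check the two lines come out in the order above, then re-run with IPCHAINS pointed at the real binary.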