OpenVPN Access Server: blocking SMTP completely

I have tried almost every iptables rule to block SMTP on the OpenVPN server, but the clients can still reach remote SMTP servers on port 25.

I am using OpenVPN Access Server. It creates two interfaces, as0t0 and as0t1.

All users are assigned IPs from 172.16.0.0/12.

Please help me: which rules could be written to solve this problem?

iptables rules installed by OpenVPN Access Server:

# Generated by iptables-save v1.4.7 on Sun Apr 10 13:03:56 2016
*nat
:PREROUTING ACCEPT [566:72410]
:POSTROUTING ACCEPT [36:2340]
:OUTPUT ACCEPT [36:2340]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A AS0_NAT -o eth0 -j SNAT --to-source 91.13.18.170
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 172.27.224.0/20 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Sun Apr 10 13:03:56 2016
# Generated by iptables-save v1.4.7 on Sun Apr 10 13:03:56 2016
*mangle
:PREROUTING ACCEPT [146:10130]
:INPUT ACCEPT [6422:1226373]
:FORWARD ACCEPT [8289:2947415]
:OUTPUT ACCEPT [5446:2764996]
:POSTROUTING ACCEPT [13735:5712411]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Sun Apr 10 13:03:56 2016
# Generated by iptables-save v1.4.7 on Sun Apr 10 13:03:56 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3970:2307554]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -d 91.13.18.170/32 -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -d 91.13.18.170/32 -p tcp -m state --state NEW -m tcp --dport 443 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -d 91.13.18.170/32 -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -p udp -m udp --dport 25 -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -i eth0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -i as0t0 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -i as0t1 -p tcp -m tcp --dport 25 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -i as0t0 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -i as0t1 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -i lo -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -i as0t+ -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -i as0t0 -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -i as0t1 -p tcp -m tcp --dport 25 -j DROP
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP
-A OUTPUT -p tcp -m tcp --dport 25 -j DROP
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 172.27.224.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
-A AS0_IN_NAT -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
-A AS0_IN_ROUTE -j ACCEPT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_WEBACCEPT -j ACCEPT
COMMIT
# Completed on Sun Apr 10 13:03:56 2016
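As an added illustration (my own code, not from the post or from OpenVPN Access Server), the Python below walks the FORWARD chain of the dump above the way iptables would for a constructed TCP/25 packet from a VPN client, reporting which rule decides it with the rules as posted (the `-j ACCEPT` in AS0_IN_PRE, reached before the REJECT and the appended DROPs) and after the port-25 DROP is inserted at position 1 with `iptables -I FORWARD 1 ...` instead of appended. It assumes iptables semantics where ACCEPT/DROP/REJECT inside a user chain ends traversal, treats chains left out of the excerpt as empty, and uses a constructed destination address; chain names, marks and interface names are those from the dump.

```python
from ipaddress import ip_address, ip_network
# Constructed excerpt of the posted filter table: the FORWARD rules and user chains that
# bear on an Internet-bound packet from a VPN client, in their original relative order.
RULES = """
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i as0t+ -p tcp -m tcp --dport 25 -j DROP
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
iface = lambda pat, name: name.startswith(pat[:-1]) if pat.endswith("+") else pat == name  # '+' wildcard

def parse(text):  # chain name -> rules (token lists) in the order iptables evaluates them
    chains = {}
    for tok in (line.split() for line in text.strip().splitlines()):
        chains.setdefault(tok[1], []).append(tok[2:])
    return chains

def matches(rule, pkt):  # match options this ruleset uses; -m, -j and --reject-with test nothing
    for opt, val in zip(rule[::2], rule[1::2]):
        test = {"-i": lambda: iface(val, pkt["in"]), "-o": lambda: iface(val, pkt["out"]),
                "-p": lambda: pkt["proto"] == val, "--dport": lambda: pkt["dport"] == int(val),
                "-d": lambda: ip_address(pkt["dst"]) in ip_network(val),
                "--state": lambda: pkt["state"] in val.split(","),
                "--mark": lambda: pkt["mark"] & int(val.split("/")[1], 16) == int(val.split("/")[0], 16)}
        if not test.get(opt, lambda: True)():
            return False
    return True

def verdict(chains, chain, pkt):  # (terminal target, rule that fired) or None when the chain RETURNs
    for rule in chains.get(chain, []):  # a chain outside the excerpt counts as empty
        if matches(rule, pkt):
            target = rule[rule.index("-j") + 1]
            hit = (target, f"{chain} {' '.join(rule)}") if target in TERMINAL else verdict(chains, target, pkt)
            if hit:  # ACCEPT/DROP/REJECT inside a user chain ends traversal of the built-in chain too
                return hit

def client_verdict(dport=25, drop_first=False, dst="203.0.113.25"):
    """Constructed NEW TCP packet from as0t0 (marked by mangle) to dst; drop_first = `iptables -I FORWARD 1 ...`."""
    chains = parse(RULES)
    if drop_first:
        chains["FORWARD"].insert(0, "-i as0t+ -p tcp -m tcp --dport 25 -j DROP".split())
    pkt = {"in": "as0t0", "out": "eth0", "proto": "tcp", "dst": dst, "dport": dport, "mark": 0x2000000, "state": "NEW"}
    return verdict(chains, "FORWARD", pkt)
```

With the rules as posted the port-25 packet is accepted by AS0_IN_PRE before any DROP is consulted; with the DROP inserted first it is dropped, while other client traffic (for example port 443) still takes the original ACCEPT path.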
