Well, the rules were not perfect, Dave, but they could help to solve the problem.
"Both rules aren't needed" ... I disagree a bit: when you have 3 networks (WAN, DMZ, LAN), you need the INPUT rule to redirect from the WAN into the server and the FORWARD rule to allow traffic from the LAN to the DMZ. This is the NATed WAN case (I'm being more explicit because you need it).
And I, like you, need more info to send a particular solution to the problem.
Best regards,
Dave Ewart wrote:
On Wednesday, 18.05.2005 at 14:14 +0200, Samuel Díaz García wrote:
1) I wrote in the first line: "... something like this ...". 2) I, like you, have the same info about the system in question. 3) I wrote something that can help to solve the problem.
... but that also raises inconsistencies, i.e. you can't use *both* an INPUT and a FORWARD rule - depending on the location of the mail server, one needs to use *one* of those rules.
4) If you have the knowledge and the time, list all the possible cases and give an answer that can cover all possible cases.
Well, it's hard to answer properly when there is insufficient information: I'm not sure your suggestion would work at all, regardless of the original poster's setup.
Continued in your response:
Dave Ewart writes:
On Wednesday, 18.05.2005 at 11:37 +0200, Samuel Díaz García wrote:
You need something like this in your Linux router/firewall box:
#!/bin/sh
ip_mail_srv=a.b.c.d
# accept new SMTP connections to the mail server, drop all other new SMTP connections
iptables -t filter -A INPUT -d $ip_mail_srv -p tcp --dport 25 --syn -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 25 --syn -j DROP
That doesn't look right. If the mail server is NOT the same system as the firewall, then nothing will pass on the INPUT chain to the firewall destined for the mail server.
Do you know where the SMTP server is? I don't, I only put 2 options.
OK, fair enough, although it's not clear that these were actually options ...
# the same in the FORWARD chain:
iptables -t filter -A FORWARD -d $ip_mail_srv -p tcp --dport 25 --syn -j ACCEPT
iptables -t filter -A FORWARD -p tcp --dport 25 --syn -j DROP
The first of the above two rules will work partly, but won't allow any SMTP traffic *from* the mail server back out ...
Well, 2 solutions (or more): 1) delete "--syn"; 2) use the typical "RELATED, ESTABLISHED" rule above; 3) you propose some more solutions.
I'll happily supply a solution if the original poster provides more information.
Dave.
-- Samuel Díaz García, Managing Director, ArcosCom Wireless, S.L.L.
CIF: B11828068 c/ Romero Gago, 19 Arcos de la Frontera 11630 - Cadiz
http://www.arcoscom.com
mailto:[EMAIL PROTECTED] msn: [EMAIL PROTECTED]
Mobile: 651 93 72 48 Tel.: 956 70 13 15 Fax: 956 70 34 83
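The two placements argued over in this thread (mail server on the firewall itself versus mail server in a DMZ behind a NATed WAN) as one worked ruleset. This is an added example, not code from either poster: interface names eth0/eth1/eth2, the addresses 198.51.100.10, 192.0.2.25 and 10.0.0.0/24 are constructed placeholders, and by default the script only prints the iptables commands (IPT="echo iptables") so it can be reviewed before being applied with IPT=iptables as root. The RELATED,ESTABLISHED baseline is what lets the server's replies and its own outbound deliveries pass, which is the gap Dave points out in the original FORWARD rule.

```shell
#!/bin/sh
# Added example for the thread above; not the original poster's rules.
# IPT defaults to printing the commands; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"            # assumed interface names
DMZ_IF="${DMZ_IF:-eth1}"
LAN_IF="${LAN_IF:-eth2}"
WAN_IP="${WAN_IP:-198.51.100.10}"   # constructed placeholder public address
MAIL_SRV="${MAIL_SRV:-192.0.2.25}"  # constructed placeholder DMZ mail server
LAN_NET="${LAN_NET:-10.0.0.0/24}"   # constructed placeholder LAN range

# Stateful baseline: replies to accepted connections pass without per-port
# rules. This is the "RELATED,ESTABLISHED" alternative to removing --syn.
baseline() {
    $IPT -t filter -A INPUT   -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -t filter -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Case A: the mail server IS the firewall, so the INPUT chain decides.
# Only new (SYN) connections arriving on the WAN interface are accepted;
# every other new SMTP connection to the box is dropped.
mail_on_firewall() {
    $IPT -t filter -A INPUT -i "$WAN_IF" -p tcp --dport 25 --syn -j ACCEPT
    $IPT -t filter -A INPUT -p tcp --dport 25 --syn -j DROP
}

# Case B: the mail server sits in the DMZ behind a NATed WAN. Port 25 on the
# public address is redirected in PREROUTING and the FORWARD chain decides
# which networks may open new SMTP connections to the server.
mail_in_dmz() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 25 \
         -j DNAT --to-destination "$MAIL_SRV"
    # new SMTP connections from the Internet to the DMZ server
    $IPT -t filter -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$MAIL_SRV" -p tcp --dport 25 --syn -j ACCEPT
    # new SMTP connections from the LAN to the DMZ server (Samuel's LAN->DMZ case)
    $IPT -t filter -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -d "$MAIL_SRV" -p tcp --dport 25 --syn -j ACCEPT
    # the server's own outbound deliveries, missing from the original rule
    $IPT -t filter -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$MAIL_SRV" -p tcp --dport 25 --syn -j ACCEPT
    # any other new SMTP connection through the box is dropped
    $IPT -t filter -A FORWARD -p tcp --dport 25 --syn -j DROP
}

# Pick exactly one placement; both together is the inconsistency Dave describes.
case "${1:-}" in
    firewall) baseline; mail_on_firewall ;;
    dmz)      baseline; mail_in_dmz ;;
esac
```

Run as `sh smtp-rules.sh dmz` to print the DMZ ruleset, or `IPT=iptables sh smtp-rules.sh dmz` as root to load it; the DROP rules rely on the ACCEPT rules being appended first, so do not reorder them.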