[EMAIL PROTECTED] wrote:

>I am going to be running a mail server. I want to set it up with 2 network cards. One 
>will be inside of my firewall and I will need to allow access to ports 22, 25, 110, 
>and 389. On the card outside on the firewall I only want to allow access to port 25. 
>Is this possible?
>

It's pretty easy to do this with iptables in Linux.  So if you have eth0 
as your public interface and eth1 as your private interface, you would 
set up rules like:

    iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
    iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT
    iptables -A INPUT -i eth1 -p tcp --dport 110 -j ACCEPT
    iptables -A INPUT -i eth1 -p tcp --dport 389 -j ACCEPT

    So in this case you would be running the packet filter on the mail 
box, in addition to anything on another firewall box.  You'd have to let 
port 25 through any existing firewall as well.  

    Are you that concerned about internal traffic that you need to 
filter it as well? An easier way would be to have a single card in the 
mail server with a public IP, then let the firewall allow traffic on 
that port destined for that address.  In iptables form:
   
    iptables -A FORWARD -i <public interface> -o <private interface> -p tcp -d <ip address of mail server> --dport 22 -j ACCEPT

    I'm guessing you have one subnet behind the firewall; in this case 
the traffic from internal machines wouldn't get routed anywhere so the 
firewall wouldn't be able to filter it.  You could shut down any 
services you didn't want the mail server to provide.  This seems like 
the simpler way to me, and it only requires one NIC.  Even if you did 
want to filter the internal traffic you could still do it with one NIC 
by running iptables on the mail box and filtering based on groups of 
source addresses.  I guess the question is really, how sophisticated do 
you want to get with it?

Kahli
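The two-NIC host filter Kahli sketches, assembled into a complete ruleset as an added example (not code from the thread). The interface names and ports are the ones from the question; the DROP default policy, loopback and conntrack rules are my assumptions, and the script only prints iptables-restore text so the policy can be reviewed before it is loaded:

```shell
#!/bin/sh
# Emit an iptables-restore ruleset for a dual-homed mail host:
# public interface accepts only SMTP, private interface accepts the
# admin/mail/LDAP ports from the question. The DROP defaults, loopback
# and conntrack lines are assumptions added here, not from the post.
PUB_IF=eth0
PRIV_IF=eth1
PUB_PORTS="25"
PRIV_PORTS="22 25 110 389"

# accept_rules IFACE "PORT ..." -> one ACCEPT rule per TCP port, new connections only
accept_rules() {
    iface=$1
    for port in $2; do
        printf -- '-A INPUT -i %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$iface" "$port"
    done
}

# mail_host_ruleset -> full *filter table in iptables-restore syntax on stdout
mail_host_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    accept_rules "$PUB_IF" "$PUB_PORTS"
    accept_rules "$PRIV_IF" "$PRIV_PORTS"
    echo COMMIT
}

# count_accepts IFACE -> number of INPUT ACCEPT rules bound to that interface
count_accepts() {
    mail_host_ruleset | grep -c -- "-A INPUT -i $1 .* -j ACCEPT"
}

# Load (as root) with:  mail_host_ruleset | iptables-restore
# Syntax-check first:   mail_host_ruleset | iptables-restore --test
```

Because the INPUT policy is DROP, anything not listed (including SSH on eth0) is refused, which is the behaviour the question asks for.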
