Re: Bob's and Kahli's suggestions...
Bob's suggestion was good: make the firewall and mail server separate.
So your iptables rules would look like:
(By the way, Kahli, it isn't necessary to specify Ethernet interfaces. I do
all my firewalling with a few VPN and anti-spoof exceptions based upon IP
only. This allows for simpler rulesets and more layering of the rules,
rather than having rules attached to specific hardware devices.)
Assuming you are NATting:
iptables -t nat -A POSTROUTING -s $internalIP -j SNAT --to-source $externalIP
Route external traffic to your public IP, $externalIP, to a private-IP
mail server:
iptables -t nat -A PREROUTING -d $externalIP -p tcp --dport 25 -j DNAT \
--to-destination $mailhost
Here is an internal web server; however, for whatever reason this mail server
is using port 8000 (i.e. perhaps a proxy or web cache or whatever):
iptables -t nat -A PREROUTING -d $externalIP -p tcp --dport 80 -j DNAT \
--to-destination $www:8000
Check out some notes for a EUGLUG speech I did last year:
http://www.euglug.org/minutes.phtml?id=28
There are simple sample scripts and examples that will help you do
everything you would want to do while learning iptables.
Cory
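As an added example (not Cory's or Kahli's code, and not from the EUGLUG notes): a dry-run shell script that assembles the separate-firewall ruleset Cory sketches, with a default-deny FORWARD policy and the filter rules that have to accompany each DNAT. The addresses and the IPTABLES dry-run variable are constructed assumptions.

```shell
#!/bin/sh
# Added example: firewall-box ruleset for Cory's layout (public firewall, private
# mail and web hosts). Addresses below are constructed placeholders, not from the
# thread. IPTABLES defaults to "echo iptables" so running this only prints the
# commands; export IPTABLES=iptables and run as root to apply them.

IPTABLES="${IPTABLES:-echo iptables}"
externalIP="${externalIP:-203.0.113.10}"      # firewall's public address
internalNet="${internalNet:-192.168.1.0/24}"  # LAN behind the firewall
mailhost="${mailhost:-192.168.1.25}"          # private mail server
www="${www:-192.168.1.80}"                    # private web server, listens on 8000

build_ruleset() {
    # Deny by default on the chains that matter, then clear any old rules.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F
    $IPTABLES -t nat -F

    # Replies to connections conntrack has already seen.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN out to the Internet, hidden behind the public address (SNAT).
    $IPTABLES -A FORWARD -s "$internalNet" -m state --state NEW -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -s "$internalNet" -j SNAT --to-source "$externalIP"

    # Port forwards into the LAN (DNAT).
    $IPTABLES -t nat -A PREROUTING -d "$externalIP" -p tcp --dport 25 \
        -j DNAT --to-destination "$mailhost"
    $IPTABLES -t nat -A PREROUTING -d "$externalIP" -p tcp --dport 80 \
        -j DNAT --to-destination "$www:8000"

    # DNAT only rewrites the header; with FORWARD set to DROP nothing passes
    # until a filter rule accepts it. FORWARD sees the packet after translation,
    # so match the private destination and translated port, not $externalIP:80.
    $IPTABLES -A FORWARD -d "$mailhost" -p tcp --dport 25 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -d "$www" -p tcp --dport 8000 -m state --state NEW -j ACCEPT
}

build_ruleset
```

Run it as-is to review the twelve commands it would issue; only after that, with IPTABLES=iptables, does it touch the kernel tables.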
-----Original Message-----
From: Kahli R. Burke [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 21, 2002 2:13 PM
To: [EMAIL PROTECTED]
Subject: [EUG-LUG:1708] Re: Firewall Configuration
[EMAIL PROTECTED] wrote:
> I am going to be running a mail server. I want to set it up with 2 network
> cards. One will be inside of my firewall and I will need to allow access to
> ports 22, 25, 110, and 389. On the card outside on the firewall I only want
> to allow access to port 25. Is this possible?
It's pretty easy to do this with iptables in Linux. So if you have eth0
as your public interface and eth1 as your private interface, you would
set up rules like:
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
(and more lines for ports 25, 110, and 389)
So in this case you would be running the packet filter on the mail
box, in addition to anything on another firewall box. You'd have to let
port 25 through any existing firewall as well.
Are you that concerned about internal traffic that you need to
filter it as well? An easier way would be to have a single card in the
mail server with a public IP, then let the firewall allow traffic on
that port destined for that address. In iptables form:
iptables -A FORWARD -i <public interface> -o <private interface> -p tcp \
    -d <ip address of mail server> --dport 22 -j ACCEPT
I'm guessing you have one subnet behind the firewall; in this case
the traffic from internal machines wouldn't get routed anywhere, so the
firewall wouldn't be able to filter it. You could shut down any
services you didn't want the mail server to provide. This seems like
the simpler way to me, and it only requires one NIC. Even if you did
want to filter the internal traffic you could still do it with one NIC
by running iptables on the mail box and filtering based on groups of
source addresses. I guess the question is really, how sophisticated do
you want to get with it?
Kahli