# Allow SMTP outbound from only one host on the internal network.
# Replies coming back in from the outside to the mail host (already-established flows only):
iptables -A FORWARD -i ${OUTSIDE_DEVICE} -p tcp -d 192.168.1.67 --sport 25 -m state --state ESTABLISHED -j ACCEPT
# New and established connections from the mail host out to port 25:
iptables -A FORWARD -o ${OUTSIDE_DEVICE} -p tcp -s 192.168.1.67 --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
I am assuming that after not matching these rules, SMTP traffic to/from other internal servers will drop through to match other -j DENY rules; if not, you'll need to add them as well. Something like this (following the above pair):
# DROP all other SMTP traffic
# (DENY was the ipchains target name; the iptables target is DROP, or REJECT if you want the sender told)
iptables -A FORWARD -i ${OUTSIDE_DEVICE} -p tcp --sport 25 -m state --state ESTABLISHED -j DROP
iptables -A FORWARD -o ${OUTSIDE_DEVICE} -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j DROP
You can almost surely omit the "state" parameters in this second pair.
As always, I feel obliged to remind you that rules in isolation are unclear in their effect; these rules will work only if they are not preceded in the FORWARD table by any other rules that prevent the relevant traffic from reaching them. (And that's the reason for the "almost surely" comment with the second pair as well.)
At 02:02 PM 11/26/02 -0600, Troy Aden wrote:
Hi there, I have a quick IP Tables question. I have an SMTP server behind my firewall and I would like to deny all outbound SMTP traffic "except" if it originates from my internal SMTP server. The current rule allows SMTP traffic outbound from any IP on the internal network. (See below for the current rule.) Let's say that my internal SMTP server is at IP: 192.168.1.67. What should the rules look like? Can someone help me out? I have gotten so used to working with Shorewall I can't remember the proper syntax for a raw IP tables rule. :)

Currently I have these rules:

## SMTP
# Allow SMTP outbound from internal network.
iptables -A FORWARD -i ${OUTSIDE_DEVICE} -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -o ${OUTSIDE_DEVICE} -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

I need rules that allow SMTP outbound from 192.168.1.67 ONLY. (I would want it to drop all SMTP traffic that is not originating from the SMTP server.)
--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
-------------------------------------------------------------------------------
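Added here as an illustration of the ordering caveat in the reply above; this is example code, not from either post. It models netfilter's first-match evaluation of the FORWARD chain for outbound SMTP so you can see that the restricted pair works only when nothing more permissive sits in front of it. The interface name eth0 and the remote address 203.0.113.25 are constructed sample values; 192.168.1.67 is the mail host from the thread.

```python
# Minimal model of iptables first-match evaluation (constructed example).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination TCP port
    state: str      # conntrack state: "NEW" or "ESTABLISHED"
    out_if: str     # egress interface (-o)

@dataclass(frozen=True)
class Rule:
    target: str                          # "ACCEPT" or "DROP"
    out_if: Optional[str] = None         # -o <iface>
    src: Optional[str] = None            # -s <ip>
    dport: Optional[int] = None          # --dport <port>
    states: Optional[frozenset] = None   # -m state --state ...

    def matches(self, p: Packet) -> bool:
        # An unset field matches anything, as an omitted iptables option does.
        return ((self.out_if is None or self.out_if == p.out_if)
                and (self.src is None or self.src == p.src)
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or p.state in self.states))

def forward_chain(rules, p: Packet, policy: str = "DROP") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for r in rules:
        if r.matches(p):
            return r.target
    return policy

OUTSIDE = "eth0"                 # stands in for ${OUTSIDE_DEVICE}
MAIL_HOST = "192.168.1.67"
NEW_EST = frozenset({"NEW", "ESTABLISHED"})

# The outbound half of the reply's rules, in the order given:
# accept the mail host, then drop every other outbound SMTP connection.
RESTRICTED = [
    Rule("ACCEPT", out_if=OUTSIDE, src=MAIL_HOST, dport=25, states=NEW_EST),
    Rule("DROP", out_if=OUTSIDE, dport=25),
]

# The original any-host ACCEPT left in front of the new pair shadows it,
# so the restriction never takes effect for any internal host.
SHADOWED = [Rule("ACCEPT", out_if=OUTSIDE, dport=25, states=NEW_EST)] + RESTRICTED

def outbound_smtp(src: str) -> Packet:
    # Constructed sample: a new connection from an internal host to a remote MX.
    return Packet(src=src, dst="203.0.113.25", dport=25, state="NEW", out_if=OUTSIDE)
```

Running `forward_chain(SHADOWED, outbound_smtp("192.168.1.10"))` returns ACCEPT, which is exactly the silent failure the reply warns about; the same packet against RESTRICTED returns DROP.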
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
