On Wed, Mar 20, 2002 at 06:57:29PM +0800, Joon Guillen wrote:
> Thanks for the rules. BTW, is the -y flag equivalent to the
> --syn flag on iptables? Sorry I forgot :P
Hi Joon,

If you'll be using iptables, don't rely on the SYN flag. Use iptables'
stateful inspection instead. For outbound SMTP, for example:

    iptables -A INPUT -i $IFACE -p tcp --sport 25 \
        -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o $IFACE -p tcp --dport 25 \
        -m state --state NEW,ESTABLISHED -j ACCEPT

> > # SMTP client (25)
> > # ----------------
> >
> > ipchains -A input -i $INTERNAL_INTERFACE -p tcp ! -y \
> >     -s $SMTP_SERVER 25 \
> >     -d $INTERNAL_IPADDR $UNPRIVPORTS -j ACCEPT
> >
> > ipchains -A output -i $INTERNAL_INTERFACE -p tcp \
> >     -s $INTERNAL_IPADDR $UNPRIVPORTS \
> >     -d $SMTP_SERVER 25 -j ACCEPT
> >
> > Note:
> > $UNPRIVPORTS="1024:65535"

-- 
 .--.   Michael J. Maravillo                      office://+63.2.750.1800/
( () )  Q Linux Solutions, Inc.                   mobile://+63.917.897.0919/
 `--\\  A Philippine Open Source Solutions Co.    http://www.q-linux.com/
   _

Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to [EMAIL PROTECTED]
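The SMTP-client rules from this thread written three ways so they can be compared side by side, as an added example that is not part of the original messages. To the question asked above: iptables' --syn is the counterpart of ipchains' -y (it matches packets with SYN set and ACK and RST clear, i.e. the first packet of a connection), so "! -y" translates literally to "! --syn". The script shows that literal translation next to the stateful form the reply recommends, and why the latter is preferable: "! -y" / "! --syn" accepts any non-SYN packet that claims to come from port 25 (a bare ACK probe, a forged RST), whether or not this host ever opened a connection, while "--state ESTABLISHED" is only matched once the connection tracker has seen our outbound SYN. The interface name, the addresses (RFC 5737 documentation range), the INVALID-drop rule and the DRYRUN switch are assumptions of the example; with DRYRUN=1 the rules are printed instead of executed, so it runs without root.

```shell
#!/bin/sh
# Added example (not from the thread): the SMTP-client ruleset as
#   1. the ipchains "! -y" form (SYN-flag based, 2.2 kernels),
#   2. its literal iptables translation using "! --syn",
#   3. the stateful iptables form recommended in the reply.
# Variables below are assumptions; override them in the environment.
IFACE="${IFACE:-eth0}"                           # assumed internal interface
INTERNAL_IPADDR="${INTERNAL_IPADDR:-192.0.2.10}" # assumed (RFC 5737 range)
SMTP_SERVER="${SMTP_SERVER:-192.0.2.25}"         # assumed (RFC 5737 range)
UNPRIVPORTS="1024:65535"

# run_rule: execute the rule, or print it verbatim when DRYRUN is set.
run_rule() {
    if [ -n "$DRYRUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. ipchains: replies from the server are let in only when the SYN bit
#    is NOT set (! -y), i.e. when the packet is not opening a connection.
ipchains_smtp_client() {
    run_rule ipchains -A input -i "$IFACE" -p tcp ! -y \
        -s "$SMTP_SERVER" 25 -d "$INTERNAL_IPADDR" "$UNPRIVPORTS" -j ACCEPT
    run_rule ipchains -A output -i "$IFACE" -p tcp \
        -s "$INTERNAL_IPADDR" "$UNPRIVPORTS" -d "$SMTP_SERVER" 25 -j ACCEPT
}

# 2. Literal iptables translation: --syn is the equivalent of ipchains -y,
#    so "! -y" becomes "! --syn".  This keeps the original weakness: any
#    packet without SYN (ACK scan, forged RST) from port 25 is accepted
#    even if this host never opened a connection to that server.
iptables_syn_smtp_client() {
    run_rule iptables -A INPUT -i "$IFACE" -p tcp ! --syn \
        -s "$SMTP_SERVER" --sport 25 \
        -d "$INTERNAL_IPADDR" --dport "$UNPRIVPORTS" -j ACCEPT
    run_rule iptables -A OUTPUT -o "$IFACE" -p tcp \
        -s "$INTERNAL_IPADDR" --sport "$UNPRIVPORTS" \
        -d "$SMTP_SERVER" --dport 25 -j ACCEPT
}

# 3. Stateful iptables: the connection tracker decides whether a packet
#    belongs to a connection we opened.  A stray ACK from port 25 with no
#    conntrack entry is classified NEW or INVALID, never ESTABLISHED, so
#    the inbound rule does not match it.  The INVALID drop (an addition
#    of this example) is appended first so it precedes the ACCEPT rules.
iptables_state_smtp_client() {
    run_rule iptables -A INPUT -i "$IFACE" -m state --state INVALID -j DROP
    run_rule iptables -A INPUT -i "$IFACE" -p tcp \
        -s "$SMTP_SERVER" --sport 25 \
        -m state --state ESTABLISHED -j ACCEPT
    run_rule iptables -A OUTPUT -o "$IFACE" -p tcp \
        -d "$SMTP_SERVER" --dport 25 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
}

# Dispatcher: only acts when a mode is given, so sourcing the file is a no-op.
if [ $# -gt 0 ]; then
    case "$1" in
        ipchains) ipchains_smtp_client ;;
        syn)      iptables_syn_smtp_client ;;
        state)    iptables_state_smtp_client ;;
        *) echo "usage: $0 {ipchains|syn|state}   (DRYRUN=1 prints only)" >&2
           exit 2 ;;
    esac
fi
```

Run it as "DRYRUN=1 sh smtp-client.sh state" to see the generated rules, or as root without DRYRUN to load them. Since the reply rule in the stateful version is ESTABLISHED only (not NEW), the server can never initiate anything towards the unprivileged ports, which the "! -y" rule could not guarantee.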
