Thanks, Jake, but that's not what I am really looking to do. The machine is behind a firewall and there is no way to reach it from the outside at all. I just wanted to shut off POP, IMAP and all of the other services that are not needed to relay mail.
Quite literally I need no other ports besides 22, 25 and 80 (I use the web interface to trigger some of the mailings) and I am good with iptables, but I was thinking more along the lines of literally turning off a bunch of the services. Perhaps removing the RPMs for squirrelmail, clamav, spamassassin, etc. if I could figure out which ones to actually remove.

W

Jake Vickers wrote:
> Warren wrote:
>
>> I just converted my outgoing mail server from sendmail to
>> qmail-toaster. Love those centos scripts :)
>>
>> As I am only using this server for my outgoing mail, it is essentially
>> an open relay but with no way to get to port 25 except from my local
>> network, I was wondering how I can properly shut down all of the
>> unneeded services such as squirrelmail, the admin interface, etc. I am
>> just using the box as an outgoing mail relay so that my incoming box
>> does not get bogged down with the roughly half-million outgoing emails
>> we process every week.
>>
>
> Here's a firewall script that I use on a couple machines. It has separate
> incoming/outgoing port rules, and everything else is denied. Just
> comment out the ports you don't want open (either for incoming and/or
> outgoing). Nick also has a firewall script on his site, if you read
> his install.
> # import this saved configuration into your iptables configuration with the following command:
> # iptables-restore < web_server.config
>
> *nat
> :PREROUTING ACCEPT [127173:7033011]
> :POSTROUTING ACCEPT [31583:2332178]
> :OUTPUT ACCEPT [32021:2375633]
> COMMIT
>
> *mangle
> :PREROUTING ACCEPT [444:43563]
> :INPUT ACCEPT [444:43563]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [402:144198]
> :POSTROUTING ACCEPT [402:144198]
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
>
> *filter
> :INPUT DROP [1:242]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :icmp_packets - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
> #-A INPUT -p udp -m udp --dport 123 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 8822 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 9283 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 10001 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 12000 -j ACCEPT
> #-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
> -A INPUT -s 127.0.0.1 -j ACCEPT
> -A INPUT -p icmp -j icmp_packets
> -A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7
>
> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
> -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
> -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 8822 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 9283 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 10000 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 10001 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 12000 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 15000 -j ACCEPT
> #-A OUTPUT -p tcp -m tcp --dport 2210 -j ACCEPT
> -A OUTPUT -d 127.0.0.1 -j ACCEPT
> -A OUTPUT -p icmp -j icmp_packets
> -A OUTPUT -j LOG --log-prefix "IPTABLES-OUT Default Drop: " --log-level 7
>
> -A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
> -A icmp_packets -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
> -A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
> -A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
> COMMIT
>
> ---------------------------------------------------------------------
> QmailToaster hosted by: VR Hosted <http://www.vr.org>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
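An added example, not from anyone in this thread, for the inventory step Warren describes: list every TCP listener on the relay box, keep the allow-list of 22, 25 and 80, and report what is left so the owning service can be stopped and its package removed rather than only firewalled. The listener lines are a constructed sample in `netstat -tlnp` layout; the PIDs and program names are made up for illustration.

```shell
#!/bin/sh
# Report listening TCP ports that are not on the allow-list.
# In real use replace LISTENERS with: LISTENERS=$(netstat -tlnp | tail -n +3)

ALLOWED_PORTS="22 25 80"   # the only ports the relay needs (per the thread)

# Constructed sample of `netstat -tlnp` output (Proto Recv-Q Send-Q Local Foreign State PID/Program).
# 110/143 are pop3/imap, 783 is spamd, 3306 is mysqld; the PIDs are invented.
LISTENERS='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1301/tcpserver
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1402/httpd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 1305/tcpserver
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 1306/tcpserver
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 1500/spamd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1600/mysqld'

# port_allowed PORT: succeeds when PORT is in ALLOWED_PORTS
port_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# unneeded_listeners: print "PORT PROGRAM" for each listener not on the allow-list.
# The local address is "addr:port", so strip everything up to the last colon.
unneeded_listeners() {
    printf '%s\n' "$LISTENERS" | while read -r proto rq sq local foreign state prog; do
        port=${local##*:}
        port_allowed "$port" && continue
        printf '%s %s\n' "$port" "${prog#*/}"
    done
}

# count_unneeded: how many listeners still need shutting down (zero = done)
count_unneeded() {
    unneeded_listeners | wc -l | tr -d ' '
}

unneeded_listeners
```

Each reported program maps to a service to `chkconfig ... off` (or a package to `rpm -e`) rather than a rule to add; rerun until the count is zero, then the firewall only has to cover the three ports that remain.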
