Llanzlan Klazmon *nix forums Guru Wannabe
Joined: 11 Apr 2005
Posts: 159
Posted: Thu Jul 20, 2006 12:22 am Post subject:
Re: Basic IP Tables issue
"spec" <frank@frankritchie.com> wrote in news:1153351274.688340.70920@i42g2000cwa.googlegroups.com:

> Exactly, I should have mentioned that I am totally new to IPTables and
> trying to edit an existing script.
> What syntax can be used to specify that only certain source addresses
> are allowed to be sent to the email server?

Ok. You would replace the current line in your script for the FORWARD
chain with something like:

$IPTABLES -A FORWARD -s a1.a2.a3.a4 -d $MAIL_EXT_IP -j ACCEPT
$IPTABLES -A FORWARD -s b1.b2.b3.b4 -d $MAIL_EXT_IP -j ACCEPT
$IPTABLES -A FORWARD -s 0/0 -d $MAIL_EXT_IP -j DROP

You don't need the third line if DROP is the default policy of your
FORWARD chain. This will allow any IP from the two source addresses
a1... and b1... Of course you can define variables for the two allowed
source addresses like you did for the email server external address etc.
You can be still more specific if you want to go down to protocol and port.
For example:

$IPTABLES -A FORWARD -s $ALLOWED_IP1 -p TCP --destination-port 25 -d $MAIL_EXT_IP -j ACCEPT

Here's a good tutorial:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
Also these:
http://www.netfilter.org/documentation/index.html#documentation-howto

Klazmon.
> Thanks
> Frank
>
> Llanzlan Klazmon wrote:
> > "spec" <frank@frankritchie.com> wrote in news:1153324667.626248.166340@s13g2000cwa.googlegroups.com:
> >
> > > Right now there is a firewall in place for a mail server as follows:
> > >
> > > ## mail.foo.com ##
> > > MAIL_EXT_IP="x.x.x.x"
> > > MAIL_INT_IP="y.y.y.y"
> > > $IPTABLES -A FORWARD -i $OUTSIDE -d $MAIL_EXT_IP -j ACCEPT
> > > ## Mail traffic will be forwarded to the mail server ##
> > > $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 22 -j DNAT --to-destination $MAIL_INT_IP
> > > $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 25 -j DNAT --to-destination $MAIL_INT_IP
> > > #$IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 80 -j DNAT --to-destination $MAIL_INT_IP
> > > $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 110 -j DNAT --to-destination $MAIL_INT_IP
> > > $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 993 -j DNAT --to-destination $MAIL_INT_IP
> > > $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 995 -j DNAT --to-destination $MAIL_INT_IP
> > > $IPTABLES -t nat -A PREROUTING -p all -i $OUTSIDE -d $MAIL_EXT_IP -j DROP
> > >
> > > Would it be possible to modify this so that port 25 is only open for
> > > 2 incoming IP addresses rather than forwarding all port 25 traffic?
> >
> > One way would be to make your forward chain more specific. At present
> > your forward chain allows anything at all from the outside interface to
> > go to the email server.
> >
> > Klazmon.
> >
> > Thanks
> > Frank
spec *nix forums beginner
Joined: 19 Jun 2006
Posts: 8
Posted: Wed Jul 19, 2006 11:21 pm Post subject:
Re: Basic IP Tables issue
Exactly, I should have mentioned that I am totally new to IPTables and
trying to edit an existing script.
What syntax can be used to specify that only certain source addresses
are allowed to be sent to the email server?

Thanks
Frank

Llanzlan Klazmon wrote:
> "spec" <frank@frankritchie.com> wrote in news:1153324667.626248.166340@s13g2000cwa.googlegroups.com:
>
> > Right now there is a firewall in place for a mail server as follows:
> >
> > ## mail.foo.com ##
> > MAIL_EXT_IP="x.x.x.x"
> > MAIL_INT_IP="y.y.y.y"
> > $IPTABLES -A FORWARD -i $OUTSIDE -d $MAIL_EXT_IP -j ACCEPT
> > ## Mail traffic will be forwarded to the mail server ##
> > $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 22 -j DNAT --to-destination $MAIL_INT_IP
> > $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 25 -j DNAT --to-destination $MAIL_INT_IP
> > #$IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 80 -j DNAT --to-destination $MAIL_INT_IP
> > $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 110 -j DNAT --to-destination $MAIL_INT_IP
> > $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 993 -j DNAT --to-destination $MAIL_INT_IP
> > $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 995 -j DNAT --to-destination $MAIL_INT_IP
> > $IPTABLES -t nat -A PREROUTING -p all -i $OUTSIDE -d $MAIL_EXT_IP -j DROP
> >
> > Would it be possible to modify this so that port 25 is only open for 2
> > incoming IP addresses rather than forwarding all port 25 traffic?
>
> One way would be to make your forward chain more specific. At present your
> forward chain allows anything at all from the outside interface to go to
> the email server.
>
> Klazmon.
>
> Thanks
> Frank
Llanzlan Klazmon *nix forums Guru Wannabe
Joined: 11 Apr 2005
Posts: 159
Posted: Wed Jul 19, 2006 11:12 pm Post subject:
Re: Basic IP Tables issue
"spec" <frank@frankritchie.com> wrote in news:1153324667.626248.166340@s13g2000cwa.googlegroups.com:

> Right now there is a firewall in place for a mail server as follows:
>
> ## mail.foo.com ##
> MAIL_EXT_IP="x.x.x.x"
> MAIL_INT_IP="y.y.y.y"
> $IPTABLES -A FORWARD -i $OUTSIDE -d $MAIL_EXT_IP -j ACCEPT
> ## Mail traffic will be forwarded to the mail server ##
> $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 22 -j DNAT --to-destination $MAIL_INT_IP
> $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 25 -j DNAT --to-destination $MAIL_INT_IP
> #$IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 80 -j DNAT --to-destination $MAIL_INT_IP
> $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 110 -j DNAT --to-destination $MAIL_INT_IP
> $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 993 -j DNAT --to-destination $MAIL_INT_IP
> $IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 995 -j DNAT --to-destination $MAIL_INT_IP
> $IPTABLES -t nat -A PREROUTING -p all -i $OUTSIDE -d $MAIL_EXT_IP -j DROP
>
> Would it be possible to modify this so that port 25 is only open for 2
> incoming IP addresses rather than forwarding all port 25 traffic?

One way would be to make your forward chain more specific. At present your
forward chain allows anything at all from the outside interface to go to
the email server.

Klazmon.
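Added example, not code from the thread or from either poster: a complete rule set for the approach Klazmon recommends in both replies above (keep the DNAT rules, make the FORWARD chain specific so that only two senders can open port 25). All addresses and the interface name are assumed placeholders from the RFC 5737 documentation ranges, and `ipt` is a hypothetical wrapper that prints each rule when DRY_RUN=1 (the default here) and runs iptables otherwise. One check worth making on the original script: DNAT in the nat PREROUTING chain rewrites the destination before routing, so the filter FORWARD chain sees the internal address, and a FORWARD rule matching `-d $MAIL_EXT_IP` will not match the forwarded mail traffic. The rules below therefore filter on $MAIL_INT_IP, rely on connection tracking for replies, and log refused connections at a limited rate so a rejected sender shows up in the kernel log.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the nat and FORWARD rules for a
# DNATed mail host so that only two senders may reach port 25.
# All values below are assumed placeholders (RFC 5737 documentation addresses).
IPTABLES="${IPTABLES:-iptables}"
OUTSIDE="${OUTSIDE:-eth0}"
MAIL_EXT_IP="${MAIL_EXT_IP:-198.51.100.10}"       # public address of the mail host
MAIL_INT_IP="${MAIL_INT_IP:-192.0.2.25}"          # internal mail server
ALLOWED_SMTP_IPS="${ALLOWED_SMTP_IPS:-203.0.113.5 203.0.113.6}"
PUBLIC_PORTS="22 25 110 993 995"                  # ports DNATed in the original script
OTHER_PORTS="22,110,993,995"                      # PUBLIC_PORTS without 25, for multiport
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print rules, 0 = apply them

# ipt: hypothetical wrapper; prints the command in dry-run mode, runs it otherwise.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

mail_rules() {
    # nat: map the public address to the internal host, one rule per port,
    # exactly as the original script does.
    for port in $PUBLIC_PORTS; do
        ipt -t nat -A PREROUTING -p tcp -i "$OUTSIDE" -d "$MAIL_EXT_IP" \
            --dport "$port" -j DNAT --to-destination "$MAIL_INT_IP"
    done

    # filter/FORWARD: the packet arrives here already rewritten, so match on
    # the internal address. Replies in either direction are handled by conntrack.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Port 25: only the permitted senders may open a new connection.
    for src in $ALLOWED_SMTP_IPS; do
        ipt -A FORWARD -i "$OUTSIDE" -s "$src" -d "$MAIL_INT_IP" \
            -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    done

    # The other published ports stay reachable from anywhere, as before.
    ipt -A FORWARD -i "$OUTSIDE" -d "$MAIL_INT_IP" -p tcp \
        -m multiport --dports "$OTHER_PORTS" -m conntrack --ctstate NEW -j ACCEPT

    # Everything else aimed at the mail host from outside (including port 25
    # from an unlisted sender) is logged at a limited rate, then dropped.
    ipt -A FORWARD -i "$OUTSIDE" -d "$MAIL_INT_IP" \
        -m limit --limit 5/min -j LOG --log-prefix "FWD-MAIL-DROP: "
    ipt -A FORWARD -i "$OUTSIDE" -d "$MAIL_INT_IP" -j DROP
}

# count_smtp_accepts: number of port-25 ACCEPT rules in the generated set,
# which should equal the number of permitted senders (a sanity check).
count_smtp_accepts() {
    ( DRY_RUN=1; mail_rules ) | grep -c -- '--dport 25 -m conntrack --ctstate NEW -j ACCEPT'
}

mail_rules
```

Run it as-is to review the generated rules, then with DRY_RUN=0 (as root) to apply them; the ordering matters, since the DROP at the end must come after the ACCEPT rules and after the conntrack rule that admits replies.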
spec *nix forums beginner
Joined: 19 Jun 2006
Posts: 8
Posted: Wed Jul 19, 2006 3:57 pm Post subject:
Basic IP Tables issue
Right now there is a firewall in place for a mail server as follows:

## mail.foo.com ##
MAIL_EXT_IP="x.x.x.x"
MAIL_INT_IP="y.y.y.y"
$IPTABLES -A FORWARD -i $OUTSIDE -d $MAIL_EXT_IP -j ACCEPT
## Mail traffic will be forwarded to the mail server ##
$IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 22 -j DNAT --to-destination $MAIL_INT_IP
$IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 25 -j DNAT --to-destination $MAIL_INT_IP
#$IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 80 -j DNAT --to-destination $MAIL_INT_IP
$IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 110 -j DNAT --to-destination $MAIL_INT_IP
$IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 993 -j DNAT --to-destination $MAIL_INT_IP
$IPTABLES -t nat -A PREROUTING -p tcp -i $OUTSIDE -d $MAIL_EXT_IP --dport 995 -j DNAT --to-destination $MAIL_INT_IP
$IPTABLES -t nat -A PREROUTING -p all -i $OUTSIDE -d $MAIL_EXT_IP -j DROP

Would it be possible to modify this so that port 25 is only open for 2
incoming IP addresses rather than forwarding all port 25 traffic?

Thanks
Frank