- 09-24-2012 #1 (Just Joined!, Join Date Oct 2007, Posts 22)
iptables
Hi all
I have an email server that has a LAN IP address. What iptables firewall rules should I use to allow sending and receiving of emails from external domains? I only have one server on the network that has 2 NICs; one of these NICs is connected to the public IP address that I have. The firewall rules would be set up on that server.
- 09-25-2012 #2
You should know the ports that are required for sending and receiving mail. All you need to do is apply them to the interfaces that require access in the direction they would be used.
Here is an IPTABLES Tutorial for you to read up on.
- 10-16-2012 #3 (Just Joined!, Join Date Oct 2012, Posts 15)
This is an example of a firewall I use.
Copy this code to /etc/init.d/firewall:

#!/bin/sh
# firewall
# chkconfig: 3 21 91
# description: Starts, stops iptables firewall
case "$1" in
start)
    # Clear rules
    iptables -t filter -F
    iptables -t filter -X
    echo - Clear rules : [OK]
    # SSH In
    iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
    echo - SSH : [OK]
    # Don't break established connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo - established connections : [OK]
    # Block all connections by default
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT DROP
    echo - Block all connections : [OK]
    # SYN-Flood Protection
    iptables -N syn-flood
    iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
    iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
    iptables -A syn-flood -j DROP
    # Send new TCP connection attempts through the syn-flood chain
    # (without this jump the chain is defined but never consulted)
    iptables -A INPUT -p tcp --syn -j syn-flood
    echo - SYN-Flood Protection : [OK]
    # Loopback
    iptables -t filter -A INPUT -i lo -j ACCEPT
    iptables -t filter -A OUTPUT -o lo -j ACCEPT
    echo - Loopback : [OK]
    # ICMP (Ping)
    iptables -t filter -A INPUT -p icmp -j ACCEPT
    iptables -t filter -A OUTPUT -p icmp -j ACCEPT
    echo - PING : [OK]
    # DNS In/Out
    iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
    echo - DNS : [OK]
    # NTP Out
    iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
    echo - NTP : [OK]
    # WHOIS Out
    iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT
    echo - WHOIS : [OK]
    # FTP Out
    iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
    # FTP In (passive data ports 30000:50000; the ESTABLISHED,RELATED
    # rule added above already covers the return traffic)
    iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
    echo - FTP : [OK]
    # HTTP + HTTPS Out
    iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
    # HTTP + HTTPS In
    iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
    echo - HTTP/HTTPS : [OK]
    # Mail SMTP:25
    iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
    echo - SMTP : [OK]
    # Mail POP3:110
    iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
    echo - POP : [OK]
    # Mail IMAP:143
    iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
    echo - IMAP : [OK]
    echo - Firewall [OK]
    exit 0
    ;;
stop)
    echo "Stopping Firewall... "
    # Restore accept-all policies, then flush the rules and drop the
    # user-defined syn-flood chain
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t filter -F
    iptables -t filter -X
    echo "Firewall Stopped!"
    exit 0
    ;;
restart)
    /etc/init.d/firewall stop
    /etc/init.d/firewall start
    ;;
*)
    echo "Usage: /etc/init.d/firewall {start|stop|restart}"
    exit 1
    ;;
esac

Make it executable (root only):
chmod 700 /etc/init.d/firewall
Add the firewall service:
chkconfig --add firewall
Auto-start the firewall:
chkconfig --level 2345 firewall on
Start the firewall:
/etc/init.d/firewall start
- 10-16-2012 #4 (Linux Enthusiast, Join Date Apr 2012, Location Virginia, USA, Posts 561)
That long script is not necessary for RHEL or similar distros as they include iptables startup scripts by default.
After setting your firewall rules, simply use
service iptables save
to make the changes permanent.
- 10-17-2012 #5
Another thing you need to decide is if you want to use a STATEFUL or STATELESS firewall.

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

The above are used only in a STATEFUL firewall.

iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT

The above rules are STATELESS firewall rules.

# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo - PING : [OK]

You might want to look into ICMP and understand better how it functions. Presently you are wide open on the ICMP level. You want to look at what you don't need and block it.

Also the '-t filter' is not needed.
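As an added example, not code from any poster in this thread, the following ties together #2's advice (ports, interfaces, direction) and #5's points (stateful rules, narrowing ICMP, dropping '-t filter') for the original poster's two-NIC mail server. The interface names eth0 (public IP) and eth1 (LAN) are assumptions; the function only prints the rules so they can be reviewed before being piped into sh as root.

```shell
#!/bin/sh
# Added example, not code from this thread. Stateful rule set for a mail
# server with two NICs: WAN_IF holds the public IP, LAN_IF faces the LAN.
# Interface names are assumptions; override them in the environment.
# Usage:  sh mailfw.sh          (print rules for review)
#         sh mailfw.sh apply    (as root: pipe the rules into sh)
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

gen_mail_fw_rules() {
    wan="$1"; lan="$2"
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback and the stateful rules go first; everything after only admits NEW flows
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# SMTP on the public NIC only: remote MTAs deliver to us, we deliver to them
iptables -A INPUT -i $wan -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o $wan -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# DNS out so the MTA can look up MX records; replies come back as ESTABLISHED
iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# mailbox access (POP3/IMAP) and SSH admin only from the LAN side
iptables -A INPUT -i $lan -p tcp -m multiport --dports 22,110,143 -m conntrack --ctstate NEW -j ACCEPT
# ICMP: rate-limited pings instead of all of ICMP; ICMP errors that belong
# to our own flows already match RELATED above
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# log (rate-limited) what the DROP policy is about to discard
iptables -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "FW DROP: "
EOF
}

if [ "${1:-}" = "apply" ]; then
    gen_mail_fw_rules "$WAN_IF" "$LAN_IF" | sh
else
    gen_mail_fw_rules "$WAN_IF" "$LAN_IF"
fi
```

Follow #4's note afterwards: on RHEL-style distros, service iptables save persists whatever the script applied.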