  1. #1
    Just Joined!
    Join Date
    Oct 2007
    Posts
    22

    iptables


    Hi all

    I have an email server that has a LAN IP address. What iptables firewall rules should I use to allow sending and receiving of emails from external domains? I only have one server on the network that has 2 NICs; one of these NICs is connected to the public IP address that I have, and the firewall rules would be set up on that server.

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    You should know the ports that are required for sending and receiving mail. All you need to do is apply them to the interfaces that require access in the direction they would be used.

    Here is an IPTABLES Tutorial for you to read up on.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
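    A worked version of the advice above, added here as an example and not code from any poster in this thread: a stateful ruleset for a single mail server with one public NIC and one LAN NIC, where each port is bound to the interface and direction it is actually used in. Interface names (eth0 public, eth1 LAN) are assumptions. The function prints the iptables commands instead of running them, so the set can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example (not from the thread): print a stateful iptables ruleset for a
# mail server that has one public NIC and one LAN NIC. Commands are printed
# rather than executed; review them, then run:  mail_rules eth0 eth1 | sh
# Assumptions: $1 is the public interface, $2 is the LAN interface (both
# hypothetical names; substitute your own).
mail_rules() {
    ext="$1"
    lan="$2"
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# stateful: packets belonging to connections we already track
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# a NEW tcp connection must start with SYN; anything else is bogus
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# receiving mail: remote MTAs connect to port 25 on the public interface
iptables -A INPUT -i $ext -p tcp --dport 25 -m state --state NEW -j ACCEPT
# sending mail: we open connections to port 25 on remote MTAs
iptables -A OUTPUT -o $ext -p tcp --dport 25 -m state --state NEW -j ACCEPT
# DNS (MX lookups) is required to deliver outbound mail
iptables -A OUTPUT -o $ext -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $ext -p tcp --dport 53 -m state --state NEW -j ACCEPT
# management and mailbox access only from the LAN side
iptables -A INPUT -i $lan -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $lan -p tcp --dport 143 -m state --state NEW -j ACCEPT
# log (rate limited) what the default DROP policy is about to discard
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT DROP IN: "
EOF
}

# Count the ACCEPT rules bound to interface $3 in the ruleset for ext=$1 lan=$2.
# Handy sanity check: on the public side only SMTP should be accepted.
accepts_on() {
    mail_rules "$1" "$2" | grep -c -- "-i $3 .*-j ACCEPT"
}

if [ "${1:-}" = "--print" ]; then
    mail_rules "${2:-eth0}" "${3:-eth1}"
fi
```

    The ESTABLISHED,RELATED rules are what make this stateful: the reply half of every connection is covered by them, so each service needs exactly one rule in one chain on one interface, which keeps the list short enough to audit. Running `sh firewall.sh --print | grep -- '-i eth0'` before applying shows at a glance what the public side will accept.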

  3. #3
    Just Joined!
    Join Date
    Oct 2012
    Posts
    18
    This is an example of a firewall I use.

    Copy this code to /etc/init.d/firewall

    #!/bin/sh
    # firewall
    # chkconfig: 3 21 91
    # description: Starts, stops iptables firewall

    case "$1" in
    start)

    # Clear rules
    iptables -t filter -F
    iptables -t filter -X
    echo - Clear rules : [OK]

    # SSH In
    iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
    echo - SSH : [OK]

    # Don't break established connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    echo - established connections : [OK]

    # Block all connections by default
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT DROP
    echo - Block all connections : [OK]

    # SYN-Flood Protection
    iptables -N syn-flood
    iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
    iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
    iptables -A syn-flood -j DROP
    # send new TCP connection attempts through the chain (without this jump the chain is never used)
    iptables -A INPUT -p tcp --syn -j syn-flood
    echo - SYN-Flood Protection : [OK]

    # Loopback
    iptables -t filter -A INPUT -i lo -j ACCEPT
    iptables -t filter -A OUTPUT -o lo -j ACCEPT
    echo - Loopback : [OK]

    # ICMP (Ping)
    iptables -t filter -A INPUT -p icmp -j ACCEPT
    iptables -t filter -A OUTPUT -p icmp -j ACCEPT
    echo - PING : [OK]

    # DNS In/Out
    iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
    echo - DNS : [OK]

    # NTP Out
    iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
    echo - NTP : [OK]

    # WHOIS Out
    iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT
    echo - WHOIS : [OK]

    # FTP Out
    iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
    # FTP In
    iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
    iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo - FTP : [OK]

    # HTTP + HTTPS Out
    iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
    # HTTP + HTTPS In
    iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
    echo - HTTP/HTTPS : [OK]

    # Mail SMTP:25
    iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
    echo - SMTP : [OK]

    # Mail POP3:110
    iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
    echo - POP : [OK]

    # Mail IMAP:143
    iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
    echo - IMAP : [OK]

    echo - Firewall [OK]
    exit 0
    ;;

    stop)
    echo "Stopping Firewall... "
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t filter -F
    # remove the user-defined syn-flood chain as well
    iptables -t filter -X
    echo "Firewall Stopped!"
    exit 0
    ;;

    restart)
    /etc/init.d/firewall stop
    /etc/init.d/firewall start
    ;;

    *)
    echo "Usage: /etc/init.d/firewall {start|stop|restart}"
    exit 1
    ;;
    esac

    make it executable:
    chmod 700 /etc/init.d/firewall


    add firewall service:
    chkconfig --add firewall

    auto start firewall:
    chkconfig --level 2345 firewall on

    start firewall:
    /etc/init.d/firewall start

  5. #4
    Linux Engineer
    Join Date
    Apr 2012
    Location
    Virginia, USA
    Posts
    917
    That long script is not necessary for RHEL or similar distros as they include iptables startup scripts by default.

    After setting your firewall rules, simply use
    service iptables save

    to make the changes permanent.

  6. #5
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Another thing you need to decide is if you want to use a STATEFUL or STATELESS firewall.


    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    The above are used only in a STATEFUL firewall.

    iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
    The above rules are STATELESS firewall rules.

    # ICMP (Ping)
    iptables -t filter -A INPUT -p icmp -j ACCEPT
    iptables -t filter -A OUTPUT -p icmp -j ACCEPT
    echo - PING : [OK]
    You might want to look into ICMP and better understand how it functions. Presently you are wide open on the ICMP level. You want to look at what you don't need and block it.

    Also the '-t filter' is not needed.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
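    To make the ICMP point concrete, here is an added example (not code from any poster in this thread) that replaces the wide-open `-p icmp -j ACCEPT` pair with an allow-list of the ICMP types a mail server actually needs. It assumes a stateful ruleset that already accepts ESTABLISHED,RELATED, so ICMP errors that belong to tracked connections arrive as RELATED and only unsolicited echo-request needs its own rule; the rate limit values are assumptions. Like the example above, it prints the rules for review rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread): an ICMP allow-list for the INPUT chain.
# Assumes ESTABLISHED,RELATED is already accepted earlier in INPUT, so
# destination-unreachable / time-exceeded for our own connections are already
# matched as RELATED. Prints the commands; review, then pipe to sh as root.
icmp_rules() {
    # hypothetical defaults: at most 5 pings/second sustained, burst of 10
    rate="${1:-5/second}"
    burst="${2:-10}"
    cat <<EOF
# answer ping, but rate-limited so a flood cannot tie up the host
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit $rate --limit-burst $burst -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# keep path-MTU discovery working even for packets conntrack did not relate
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
# everything else (redirect, timestamp-request, address-mask-request, ...) is
# logged at a low rate and dropped instead of silently accepted
iptables -A INPUT -p icmp -m limit --limit 1/min -j LOG --log-prefix "ICMP DROP: "
iptables -A INPUT -p icmp -j DROP
# outbound: the host may ping and may send the errors it generates itself
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
EOF
}

# Succeeds (exit 0) only if the generated ruleset contains no unrestricted
# "-p icmp -j ACCEPT" line, i.e. the wide-open rule is gone.
no_open_icmp() {
    ! icmp_rules "$@" | grep -q -- '-p icmp -j ACCEPT'
}
```

    Note that ICMP redirect is deliberately in the dropped group: a host that honours redirects lets a neighbour rewrite its routing table, which is exactly the kind of thing the "block what you don't need" advice is about. Since these rules live in INPUT, a machine that also routes traffic would need a matching decision for FORWARD.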
