[Cialug] IPTables Concept
Chris K.
lister at kulish.com
Tue Oct 31 19:38:45 CST 2006
Something like this for the SMTP access?

# Outbound SMTP only to our relay
/sbin/iptables -A OUTPUT -o $OURIF -p tcp -s $OURIP --dport 25 -d $OURSMTP -j ACCEPT
# Replies from the relay, only for connections we opened
/sbin/iptables -A INPUT -i $OURIF -p tcp -d $OURIP -m state --state ESTABLISHED -s $OURSMTP -j ACCEPT

Thanks much! (and I've trimmed the email down a bit)
Dave Weis wrote:
> Second line should be unnecessary with the state matching done. As
> written the SMTP server could send you unwanted traffic if it's taken
> over by setting the source port outbound to be 25.
>
> You are open to traffic from your DNS server and SSH server that you
> don't expect:
>
>> # Access to internal DNS server and allow responses
>> /sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 53 -d $OURDNS1 -j ACCEPT
>> /sbin/iptables -A INPUT -i $OURIF -p udp -d $OURIP --sport 53 -s $OURDNS1 -j ACCEPT
>> /sbin/iptables -A OUTPUT -o $OURIF -p udp -s $OURIP --dport 53 -d $OURDNS2 -j ACCEPT
>> /sbin/iptables -A INPUT -i $OURIF -p udp -d $OURIP --sport 53 -s $OURDNS2 -j ACCEPT