[Sheflug] Re: Iptables
>>>>> "Baz" == Barrie Bremner <baz [at] barriebremner.com> writes:
Baz> Try:
Baz> # SMTP
Baz> iptables -A FORWARD -i eth0 -o ppp0 -p tcp \
Baz> -s 192.168.1.1/24 -d mail.mailserver.co.uk \
Baz> --dport 25 -m state --state NEW,RELATED,ESTABLISHED \
Baz> -j ACCEPT
Baz> # POP3
Baz> iptables -A FORWARD -i eth0 -o ppp0 -p tcp \
Baz> -s 192.168.1.1/24 -d mail.mailserver.co.uk \
Baz> --dport 110 -m state --state NEW,RELATED,ESTABLISHED \
Baz> -j ACCEPT
It's just occurred to me:
Watch out for allowing new connections (--state NEW or --syn) if you
haven't specified both in- and out- interfaces.
Might be worth checking with nmap and/or telnet $pop_num.
Do have a suitable policy or other rules further up the chain to block
new connections from -i ppp0 or -s 0.0.0.0/0 ?
Baz.
--
Barrie J. Bremner OpenPGP public key ID: F78CEE08
baz [at] barriebremner.com http://barriebremner.com/
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
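As an added example that is not from the original post: a small check, run over constructed rulesets in iptables-save syntax, for the pitfall Baz describes, namely FORWARD rules that admit NEW connections (--state NEW or --syn) without pinning both -i and -o, placed beside a tightened ruleset with a DROP policy and a reply-only rule for the ppp0 side. The ruleset contents and function names are assumptions for the illustration.

```shell
#!/bin/sh
# Constructed sample rulesets in iptables-save syntax (not from the original post).
# LOOSE: rule 2 names no interfaces at all; rule 3 admits NEW on the ppp0 side.
LOOSE='-P FORWARD ACCEPT
-A FORWARD -i eth0 -o ppp0 -p tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp --dport 110 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -p tcp --dport 22 -m state --state NEW -j ACCEPT'

# TIGHT: default DROP, NEW only from the LAN out to ppp0, and only reply
# traffic (RELATED,ESTABLISHED) allowed back from ppp0 to eth0.
TIGHT='-P FORWARD DROP
-A FORWARD -i eth0 -o ppp0 -p tcp -s 192.168.1.0/24 --dport 25 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -p tcp -s 192.168.1.0/24 --dport 110 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Print every FORWARD ACCEPT rule that admits NEW connections (--state NEW
# or --syn) without specifying both the inbound (-i) and outbound (-o) interface.
find_loose_new_rules() {
  printf '%s\n' "$1" | awk '
    /^-A FORWARD / && /-j ACCEPT/ && (/--state [A-Z,]*NEW/ || /--syn/) {
      if ($0 !~ / -i [^ ]+/ || $0 !~ / -o [^ ]+/) print
    }'
}

# Report the FORWARD chain default policy, i.e. what happens when nothing matches.
forward_policy() {
  printf '%s\n' "$1" | awk '/^-P FORWARD / { print $3 }'
}

# Stand-alone usage: list the loose rules and the policy of each ruleset.
for name in LOOSE TIGHT; do
  eval "rules=\$$name"
  echo "== $name (policy: $(forward_policy "$rules")) =="
  find_loose_new_rules "$rules"
done
```

On a live box the same check can be fed the output of `iptables-save` instead of the constructed strings; an empty result plus a DROP policy is what Baz's follow-up is asking for.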