
[Sheflug] Re: Iptables



>>>>> "Baz" == Barrie Bremner <baz [at] barriebremner.com> writes:

    Baz> Try:

    Baz> # SMTP
    Baz> iptables -A FORWARD -i eth0 -o ppp0 -p tcp \
    Baz>          -s 192.168.1.1/24 -d mail.mailserver.co.uk \
    Baz>          --dport 25 -m state --state NEW,RELATED,ESTABLISHED \
    Baz>          -j ACCEPT

    Baz> # POP3

    Baz> iptables -A FORWARD -i eth0 -o ppp0 -p tcp \
    Baz>          -s 192.168.1.1/24 -d mail.mailserver.co.uk \
    Baz>          --dport 110 -m state --state NEW,RELATED,ESTABLISHED \
    Baz>          -j ACCEPT

It's just occurred to me:

Watch out for allowing new connections (--state NEW or --syn) if you
haven't specified both in- and out- interfaces.
Might be worth checking with nmap and/or telnet $pop_num.

Do have a suitable policy or other rules further up the chain to block
new connections from -i ppp0 or -s 0.0.0.0/0 ?

Baz.

-- 
Barrie J. Bremner		OpenPGP public key ID: F78CEE08
baz [at] barriebremner.com	http://barriebremner.com/
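An added example, not part of Barrie's post: a complete FORWARD-chain ruleset in iptables-restore format that puts the caveat above into practice (DROP policy, an early rule against NEW from ppp0, and NEW accepted only where both -i and -o are pinned down), plus a text-only sanity check that needs no root. Interface names, the 192.168.1.0/24 LAN and the mail.mailserver.co.uk host are taken from the thread; the `fw_ruleset`/`fw_check` function names are my own.

```shell
#!/bin/sh
# Assumptions (from the thread): eth0 = LAN side, ppp0 = uplink,
# LAN is 192.168.1.0/24, mail host is the placeholder from the original rules.
LAN_IF=eth0
WAN_IF=ppp0
LAN_NET=192.168.1.0/24
MAIL_HOST=mail.mailserver.co.uk

# Emit the ruleset; apply with: fw_ruleset | iptables-restore
fw_ruleset() {
  cat <<EOF
*filter
:FORWARD DROP [0:0]
# Never accept a fresh connection arriving on the uplink, whatever comes later.
-A FORWARD -i $WAN_IF -m state --state NEW -j DROP
# Replies to connections the LAN already opened (conntrack has an entry).
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# New SMTP/POP3 sessions: LAN in, uplink out, to the mail host only.
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -s $LAN_NET -d $MAIL_HOST --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -s $LAN_NET -d $MAIL_HOST --dport 110 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Check the generated text: the uplink NEW drop must precede the first ACCEPT,
# and every rule that accepts NEW must name both -i and -o. Returns 0 if sound.
fw_check() {
  rules=$(fw_ruleset)
  drop_line=$(printf '%s\n' "$rules" | grep -n -- "-i $WAN_IF .*--state NEW -j DROP" | head -1 | cut -d: -f1)
  first_accept=$(printf '%s\n' "$rules" | grep -n -- '-j ACCEPT' | head -1 | cut -d: -f1)
  [ -n "$drop_line" ] && [ "$drop_line" -lt "$first_accept" ] || return 1
  # Any NEW-accepting rule lacking the interface pair is a hole: fail the check.
  printf '%s\n' "$rules" | grep -- 'NEW' | grep -- '-j ACCEPT' \
    | grep -qv -- "-i $LAN_IF -o $WAN_IF" && return 1
  return 0
}
```

After loading, `iptables -L FORWARD -v -n --line-numbers` shows the same order, which is what you want to confirm before the nmap/telnet test suggested above.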


___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.