IPTABLES question.

James Kosin jkosin at beta.intcomgrp.com
Thu Jan 6 21:06:35 UTC 2005


Dan de Haan wrote:

|I am using iptables to block all computers except of internal mail server
|from connecting to offsite SMTP servers using the following rule:
|
|/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -s ! 192.168.1.5 --dport 25 -j DROP
|
|We now have a second mail server that needs to send out, but I can figure
|out how to add two exceptions.  If I add another -s I just get an error.
|How can I do this?
|
|    -Dan
|
Dan,

Are the two IP's on the same subnet?

If so, you can use the IP mask option to broaden the exception; or to
say only which ones you will accept and then add a last rule that
drops all others.

-s 192.168.1.5 --dport 25 -j ACCEPT     <<-- This will allow connections from this IP
-s 192.168.1.15 --dport 25 -j ACCEPT    <<-- This will allow connections from another IP
-s 0.0.0.0/0 --dport 25 -j DROP         <<-- This will DROP everyone else that doesn't ACCEPT above.

This is a simpler approach and allows for expansion of the list...
But, a subnet is better served like this:

-s 192.168.1.0/255.255.255.0 --dport 25 -j ACCEPT
-s 0.0.0.0/0 --dport 25 -j DROP

I personally like to use a REJECT with destination port unavailable /
unreachable...  It is nicer and cleaner on people to fix the problems
than look at a stuck application.

James.
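As an added example (not Dan's rule and not James's, and not part of the thread), the allow-list approach above written as a small script: the allowed mail servers go into a dedicated chain in the filter table's FORWARD path, and everything else gets the TCP-reset REJECT James prefers over a silent DROP. It assumes the box is the LAN router with eth0 as the inside interface, and it only prints the rules unless IPT points at a real iptables binary.

```shell
#!/bin/sh
# Added example: build an outbound-SMTP allow-list as an iptables chain.
# Dry-run by default: IPT expands to "echo /sbin/iptables" so the rules are
# printed; set IPT=/sbin/iptables (as root) to actually load them.
IPT="${IPT:-echo /sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"      # assumed inside interface
CHAIN="SMTP_OUT"              # hypothetical chain name

# smtp_rules <allowed-src>...
# Each argument is an address or CIDR allowed to reach port 25 anywhere
# (e.g. 192.168.1.5 or 192.168.1.0/24). Emits one ACCEPT per source and a
# final catch-all REJECT, so adding a third mail server is one more argument.
smtp_rules() {
    $IPT -N "$CHAIN"
    # Hand every forwarded SMTP connection coming in on the LAN side to the chain.
    $IPT -A FORWARD -i "$LAN_IF" -p tcp --dport 25 -j "$CHAIN"
    for src in "$@"; do
        $IPT -A "$CHAIN" -s "$src" -j ACCEPT
    done
    # No -s here at all: an unqualified rule matches every remaining source,
    # which is what "-s 0.0.0.0/0" spells out. tcp-reset makes the client's
    # connect() fail immediately instead of hanging until it times out.
    $IPT -A "$CHAIN" -j REJECT --reject-with tcp-reset
}

# Sample policy (constructed): the two mail servers from the thread.
smtp_rules 192.168.1.5 192.168.1.15
```

The chain is created with -N, so flush and delete it (iptables -F SMTP_OUT; iptables -X SMTP_OUT) before re-running the script on a live box.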




More information about the fedora-list mailing list