IPTables question

Budi Febrianto bfebrian at gmx.net
Sat Jul 7 05:31:41 UTC 2007


I'm using ipcop as my firewall and now I want to modify its default 
iptables script.
ipcop by default will allow any outgoing connection to the internet.
I want to block all, and only allow a few connections.
I only modify the FORWARD chain.

first, I only block a few ports to the net, and allow anything else.
/sbin/iptables -t nat -A CUSTOMPOSTROUTING -s $INTMAIL1 -o eth1 -j SNAT \
    --to-source $EXTMAIL1
/sbin/iptables -A CUSTOMFORWARD -i eth0 -o eth1 -p tcp -m mport \
    --dport 21,80,81,443,3128,6588,8000,8080,8181 -j DROP

this works. it only blocks http and ftp access. outgoing and incoming 
emails work.

now I changed it to this
/sbin/iptables -t nat -A CUSTOMPOSTROUTING -s $INTMAIL1 -o eth1 -j SNAT \
    --to-source $EXTMAIL1
/sbin/iptables -A CUSTOMFORWARD -i eth0 -s $MAIL1 -o eth1 -d 0/0 -p tcp \
    --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i eth0 -s $MAIL2 -o eth1 -d 0/0 -p tcp \
    --dport 25 -j ACCEPT
/sbin/iptables -A CUSTOMFORWARD -i eth0 -o eth1 -j DROP

with this, no emails from the net are delivered to the local mail server and 
email from the local server is not delivered to the net.

Did I forget something?


Budi Febrianto
    www.indomino.net/blog
