Quote:
Originally Posted by fbeye
Ahhh I get what you are suggesting. Block all incoming except the IP I choose and then no more to be done.
Boy, I was not thinking big enough.
This then raises again my other question... when blocking ALL IPs from incoming except mine, am I still able to receive incoming email from the Internet? I do not know if incoming emails would be considered as connection attempts or even failed attempts to the server and be rejected as such. As for then adding specific ports to allow incoming connections based on server type (email), I wonder if that would put me back to square one, as I would be getting attacked all over again.
You can use iptables to block based on direction (in/out), port number (for some protocols), protocol (TCP, UDP, ICMP), and IP address, or any combination of those. Some distros have a front end to iptables called UFW, but you can do everything with iptables-save and iptables-restore. There's also a package iptables-persistent which makes it easy to save rules.
When changing iptables rules, don't lock yourself out. Use iptables-apply to safely test your rules, or else use an at job to restore the last known-good set manually.
When first implementing new rules, set iptables to log blocked packets and then go through the logs before they get too big. Then you can adjust the filter as needed before something breaks. Then as things work, turn off logging of the filter.
Ok. With that out of the way, for incoming mail you'll need to allow incoming SSH (usually port 22) TCP to manage the system. For the actual mail you'll need to allow incoming SMTP (port 25) and SMTPS (port 465) if you are using it. Check to be sure. Then to read the mail you'll also need to allow incoming IMAPS (usually port 993) to be able to read your mail. Oh, and of course the incoming component of related/established connections as well.
Hopefully I have not missed anything there.
If it's a production server, not going to be changing, and only doing mail, you can later try to tighten down the outgoing connections, but that is an adventure in itself.
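Putting the reply's advice together, here is an added example (not from the thread's posters) that generates an iptables-restore ruleset for the mail-server case described above: default DROP on INPUT, SSH and IMAPS only from one admin address, SMTP/SMTPS open to the Internet so inbound mail still arrives, established/related traffic allowed, and rate-limited logging of what gets dropped. The admin address 203.0.113.10 is a placeholder; loopback acceptance is an assumption added because local mail delivery depends on it.

```shell
#!/bin/sh
# Generate an iptables-restore file for a mail server that is managed from
# a single admin IP. Constructed example; ADMIN_IP is a placeholder.
# Usage:  gen_mail_rules 203.0.113.10 > /etc/iptables/rules.v4
#         iptables-apply /etc/iptables/rules.v4   # reverts if you lose access

gen_mail_rules() {
    admin_ip="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: local mail delivery and daemons talking to each other (assumed needed)
-A INPUT -i lo -j ACCEPT
# incoming half of connections the server started, plus related traffic
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH management only from the admin address
-A INPUT -p tcp -s $admin_ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# SMTP must stay open to everyone or inbound mail from the Internet stops
-A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 465 -m conntrack --ctstate NEW -j ACCEPT
# IMAPS (reading mail) only from the admin address
-A INPUT -p tcp -s $admin_ip --dport 993 -m conntrack --ctstate NEW -j ACCEPT
# log what the DROP policy will discard, rate limited so the log stays small
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP: " --log-level 4
COMMIT
EOF
}

# Sanity check before applying: how many ACCEPT rules mention a given port?
count_port_rules() {
    gen_mail_rules "$1" | grep -c -- "--dport $2 "
}
```

Once the LOG lines in the kernel log look quiet, delete the LOG rule from the file and re-apply, as the reply suggests.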