LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-12-2008, 12:09 AM   #1
Ruthiness
LQ Newbie
 
Registered: Feb 2008
Posts: 2

Rep: Reputation: 0
iptables help - securing mail server


Hi all,

I am relatively new to the iptables thing and need to secure a mail server with only these ports open to the outside world:

25, 3535, 389, 636, 5729, 443, 993, 22

We use IMAPS, SMTP, HTTPS, an Outlook connector thingy and SSH, and we also want to test LDAP secure and non-secure - ultimately going only with 636.

OS is RHEL 4

This is the current iptables - we are also behind a firewall that blocks all ports except the above. There are things in there that I added to try to get some things running, and I know I need to clean it up, but since I'm a noob at iptables, I'm afraid it's a mess. I don't want to experiment, since the mail server is "in use" by a company I consult for.

Can anyone help me clean this up without breaking our current access?
I would be forever in your debt for the help.

Just bold the lines I should remove; perhaps I have extra chains that are not needed as well. Feel free to post an example of a correctly configured iptables that essentially allows the same ports, and I'll adapt mine.

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere
ACCEPT tcp -- mail.ourdomain.com mail.ourdomain.com tcp dpt:8009
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG icmp -- anywhere anywhere LOG level debug prefix `IPTABLES ICMP-IN '
DROP icmp -- anywhere anywhere
ACCEPT ipv6-crypt -- anywhere anywhere
ACCEPT ipv6-auth -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:5767 flags:SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
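An added example, not posted by anyone in this thread: a shell script that builds a cleaned-up, deny-by-default ruleset opening only the eight TCP ports listed in the first post (22, 25, 389, 443, 636, 993, 3535, 5729), using the same stateful matching the stock RH-Firewall-1-INPUT chain uses, and leaving out the entries in the posted listing that are not on that list (http, ipp, 5767, 8009). The admin network allowed to use plain LDAP on 389 while LDAPS is being rolled out (ADMIN_NET) is an assumption the thread does not state; 3535 and 5729 are passed through as given because the post does not say which service they carry. By default the script only prints the iptables commands; "apply" runs them as root with a detached 60-second rollback timer, so a mistake cannot lock you out of an SSH session on the live server.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster: a deny-by-default
# iptables ruleset for a mail server that accepts only the TCP ports listed in
# the first post. Dry run by default (prints the commands); "apply" runs them.
# Target: iptables with the "state" match, as shipped on RHEL 4 (kernel 2.6.9).

# Assumption not stated in the thread: the network that may still use plain
# LDAP (389) while LDAPS (636) is being rolled out. Edit before use.
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"

# Public ports straight from the post; 389 is handled separately below.
PUBLIC_TCP_PORTS="22 25 443 636 993 3535 5729"

mail_fw_rules() {
    # Start clean: flush rules, delete the old RH-Firewall-1-INPUT chain, set policies.
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"   # a mail host does not route
    echo "iptables -P OUTPUT ACCEPT"

    # Loopback, replies to connections this host already tracks, and junk.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"

    # ICMP: keep path-MTU discovery and basic reachability working; rate-limit ping.
    echo "iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT"
    echo "iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"

    # One NEW-state rule per public port, nothing else (no http, ipp, 5767, 8009).
    for p in $PUBLIC_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done

    # Plain LDAP only from the admin network while testing; delete once 636 is live.
    echo "iptables -A INPUT -p tcp -s $ADMIN_NET --dport 389 -m state --state NEW -j ACCEPT"

    # Log a sample of what is refused, then reject as the stock RH chain does.
    echo "iptables -A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix 'IPTABLES DROP-IN ' --log-level info"
    echo "iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited"
}

# TCP ports on which the generated ruleset accepts NEW connections, ascending,
# so the list can be compared with the requirement before anything is applied.
opened_tcp_ports() {
    mail_fw_rules | grep -- '--state NEW' \
        | sed 's/.*--dport \([0-9]*\).*/\1/' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Apply with a lockout guard: a detached timer restores the previous ruleset
# after 60 s unless it is killed, and it survives the loss of this SSH session.
apply_with_rollback() {
    iptables-save > /tmp/iptables.before || return 1
    nohup sh -c 'sleep 60 && iptables-restore < /tmp/iptables.before' >/dev/null 2>&1 &
    echo "rollback timer pid $! : kill it within 60 s (after a fresh SSH login works) to keep the new rules"
    mail_fw_rules | sh
}

case "${1-}" in
    apply) apply_with_rollback ;;
    *)     mail_fw_rules ;;
esac
```

Two checks worth doing before touching the live box. First, plain `iptables -L` hides interface matches, so a line that shows as `ACCEPT all -- anywhere anywhere` may really be `-i lo`; read the current ruleset with `iptables -L -n -v --line-numbers` before deciding what to remove. Second, save the script as, say, mailfw.sh, run it with no argument and read the printed commands, then run `sh mailfw.sh apply` from a console or a second SSH session, open a fresh SSH login, and only then `kill` the printed rollback pid. On RHEL 4 the result is made persistent with `service iptables save`, which writes /etc/sysconfig/iptables.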
 
Old 02-13-2008, 09:18 AM   #2
checkmate3001
Member
 
Registered: Sep 2007
Location: Folsom, California
Distribution: Ubuntu, Mint, Debian, Suse
Posts: 307

Rep: Reputation: 32
I highly recommend using this site to help build an iptables script and then modifying it to fit your needs. It was VERY helpful to me.

Easy Firewall Generator: http://easyfwgen.morizot.net/gen/

It has a lot of options, and every time you change some stuff and hit generate, it will ask you for more info if needed.
(This may require some kernel modules - but if your kernel is > 2.6 I bet it'd be fine.) (Verification, anyone?)
 
Old 02-14-2008, 07:28 AM   #3
Ruthiness
LQ Newbie
 
Registered: Feb 2008
Posts: 2

Original Poster
Rep: Reputation: 0
Thank you, Checkmate. I will check it out!
 