Hi all,
I am relatively new to the iptables thing and need to secure a mail server with only these ports open to the outside world:
25, 3535, 389, 636, 5729, 443, 993, 22
We use imaps, smtp, https, an Outlook connector thingy and ssh, and we also want to test ldap secure and non-secure - ultimately going only with 636.
OS is RHEL 4
This is the current iptables - we are also behind a firewall that blocks all ports except the above. There are things in there that I added to try to get some things running and I know I need to clean it up, but since I'm a noob at iptables, I'm afraid it's a mess. I don't want to experiment since the mail server is "in use" by a company I consult to.
Can anyone help me clean this up without breaking our current access???
I would be forever in your debt for the help..
Just bold the lines I should remove and perhaps I have extra chains that are not needed as well... Feel free to post an example of a correctly configured iptables that essentially allows the same ports and I'll adapt mine.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere
ACCEPT     tcp  --  mail.ourdomain.com   mail.ourdomain.com  tcp dpt:8009
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
LOG        icmp --  anywhere             anywhere            LOG level debug prefix `IPTABLES ICMP-IN '
DROP       icmp --  anywhere             anywhere
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5767 flags:SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
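
An added example, not part of the original post: a read-only audit that compares the ACCEPT rules in the listing above with the port list given in the post and picks out ACCEPT rules that show no match criteria. The `audit` function, the `SERVICES` name-to-port map and the abridged listing copy are assumptions made for this example.

```python
import re
# Service names as printed in the listing -> standard port numbers (map built for this example).
SERVICES = {"ssh": 22, "smtp": 25, "http": 80, "https": 443, "ipp": 631, "imaps": 993}
WANTED = {25, 3535, 389, 636, 5729, 443, 993, 22}  # ports named in the post
# Abridged copy of the listing in the post (column headers, empty chains, ICMP and IPsec rules left out).
LISTING = """\
Chain INPUT (policy ACCEPT)
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere
ACCEPT tcp -- mail.ourdomain.com mail.ourdomain.com tcp dpt:8009
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere
Chain RH-Firewall-1-INPUT (2 references)
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:5767 flags:SYN,RST,ACK/SYN
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
"""

def audit(listing, wanted):
    """Return (missing ports, extra ports, bare ACCEPT rules); tcp/udp are not distinguished."""
    chain, opened, bare = None, set(), []
    for line in listing.splitlines():
        head = re.match(r"Chain (\S+)", line)
        if head:
            chain = head.group(1)
            continue
        if not line.startswith("ACCEPT"):
            continue
        port = re.search(r"dpt:(\S+)", line)
        if port:
            name = port.group(1)
            opened.add(int(name) if name.isdigit() else SERVICES[name])
        elif re.fullmatch(r"ACCEPT\s+\S+\s+--\s+anywhere\s+anywhere\s*", line):
            # Plain -L hides -i/-o matches, so this may be "-i lo" or a true accept-all.
            bare.append((chain, line))
    return wanted - opened, opened - wanted, bare

if __name__ == "__main__":
    missing, extra, bare = audit(LISTING, WANTED)
    print("wanted but no ACCEPT rule:", sorted(missing))
    print("ACCEPT rule but not wanted:", sorted(extra))
    for chain, rule in bare:
        print("check with iptables -L -n -v:", chain, "|", rule)
```

The bare rules are the ones to confirm with `iptables -L -n -v` before removing anything, since the plain `-L` output omits the interface columns.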