LinuxQuestions.org
Old 10-23-2006, 08:25 AM   #1
Sushy
Registered: Sep 2005
Distribution: FreeBSD
iptables rules to close port


hi!

I need to close port 25 for connections from the LAN (192.168.0.0/24), except for IP 192.168.0.1, which is the router and is the interface for Postfix. So I need it so that users can send mail only via 192.168.0.1.

So can somebody please tell me the iptables rules which reject all connections from 192.168.0.0/24 to port 25, except 192.168.0.1?

Thanks.
S.
 
Old 10-23-2006, 10:56 AM   #2
b0uncer
Registered: Aug 2003
Distribution: CentOS, OS X
I think iptables handles the rules in the order they're fed to it (could be vice versa, but I think it's this way). So, following that, first create a rule that allows that one IP address to have a connection to the port you specified, and second create a rule that denies the IPs from connecting to it. I think that should work.

The rules would be something like:
Code:
# --dport belongs to the tcp match, so -p tcp is required for it to be accepted
/sbin/iptables -A INPUT -p tcp -s 192.168.0.1 --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
Since I can't test them myself, I won't guarantee they'll work, but that's how I'd start trying.
 
Old 10-23-2006, 12:25 PM   #3
mossy
Registered: Aug 2003
Location: USexIRL
Distribution: *nix
Quote:
Originally Posted by b0uncer
I think iptables handles the rules in the order they're fed to it (could be vice versa, but I think it's this way). So, following that, first create a rule that allows that one IP address to have a connection to the port you specified, and second create a rule that denies the IPs from connecting to it. I think that should work.

The rules would be something like:
Code:
# --dport belongs to the tcp match, so -p tcp is required for it to be accepted
/sbin/iptables -A INPUT -p tcp -s 192.168.0.1 --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
Since I can't test them myself, I won't guarantee they'll work, but that's how I'd start trying.


Yes, it does do it in order.

Code:
/sbin/iptables -A INPUT -p tcp -s 192.168.0.1 --dport 25 -j ACCEPT
will allow port 25 traffic from 192.168.0.1.


Code:
/sbin/iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 25 -j ACCEPT
This is incorrect and should read DROP at the end:

Code:
/sbin/iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 25 -j DROP
This will drop all traffic coming from any IP on the /24 to port 25. At this point, port 25 traffic from 192.168.0.1 will have passed already when it matched exactly.

Test them for accuracy.
If all else fails:

Code:
man iptables

Last edited by mossy; 10-23-2006 at 12:28 PM.
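Added example, not from either post: a small Python model of the first-match chain traversal that b0uncer and mossy describe, applied to the two rules above. It evaluates the rules as first posted (ACCEPT/ACCEPT), as corrected (ACCEPT/DROP), and in the reverse order; the extra hosts 192.168.0.50 and 10.0.0.9 and the default ACCEPT chain policy are constructed assumptions.

```python
"""Model of netfilter first-match traversal for the thread's SMTP rules.

Constructed example: a tiny evaluator, not iptables itself. It walks a chain
top to bottom and returns the target of the first rule whose source network
and destination port both match, falling back to the chain policy.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # source host or CIDR, as given to -s
    dport: int    # destination TCP port, as given to --dport
    target: str   # jump target, as given to -j (ACCEPT or DROP)


def evaluate(chain, src_ip, dport, policy="ACCEPT"):
    """Verdict for one TCP packet: the first matching rule wins."""
    ip = ipaddress.ip_address(src_ip)
    for rule in chain:
        net = ipaddress.ip_network(rule.src, strict=False)  # bare host -> /32
        if ip in net and dport == rule.dport:
            return rule.target
    return policy  # no rule matched; the chain policy decides


# Rules as first posted: both ACCEPT, so nothing on the LAN is blocked.
AS_POSTED = [Rule("192.168.0.1", 25, "ACCEPT"), Rule("192.168.0.0/24", 25, "ACCEPT")]
# Corrected per mossy: the exact-host ACCEPT must come before the /24 DROP.
CORRECTED = [Rule("192.168.0.1", 25, "ACCEPT"), Rule("192.168.0.0/24", 25, "DROP")]
# Same two rules in the wrong order: the /24 DROP now swallows the router too.
SWAPPED = list(reversed(CORRECTED))

# Constructed sample sources: the router, another LAN host, an off-LAN host.
SAMPLE_HOSTS = ("192.168.0.1", "192.168.0.50", "10.0.0.9")


def verdicts(chain, hosts=SAMPLE_HOSTS, dport=25):
    """Map each sample source host to its verdict for a connection to dport."""
    return {h: evaluate(chain, h, dport) for h in hosts}


if __name__ == "__main__":
    for name, chain in (("as posted", AS_POSTED), ("corrected", CORRECTED),
                        ("swapped", SWAPPED)):
        print(f"{name:10} {verdicts(chain)}")
```

On a real box the same ordering can be read back with `iptables -L INPUT -n -v --line-numbers`, whose per-rule packet counters show which rule a test connection actually hit.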
 
  

