Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
It seems wholly illogical to use iptables to stop the result you are concerned with. You should surely either 1) configure the physical firewall with a standard permit policy to block it, or (or rather *and*) 2) configure postfix to only allow local domains and IP addresses, so that access to the outside world never happens in the first place.
Thanks acid_kewpie,
This is my first time playing with a firewall, but my task is to define iptables rules that only allow internal email. Can you give me some clues on how to define the policy?
I can even change to sendmail; what network structure is suitable for using iptables to block all incoming and outgoing email?
Well, you're not really clear on what the actual scenario is. You mention ports 25, 110 and 143, and postfix will only use the first; there'd be no use of POP3 or IMAP in your requirements, I'd imagine.
I can see why you've tried to be so specific in that rule, but I'd advise against it, as the real-life scenario doesn't really need it and it can make things overly complex. If you want to only allow clients in the 192.168.1.0/24 subnet to use postfix with an iptables rule, then I would say...
# '! -d' is the current negation syntax; the older '-d !' form is deprecated
iptables -A OUTPUT -p tcp --sport 25 ! -d 192.168.1.0/24 -j DROP
Drop all packets leaving the box from port 25 to IPs not in the local subnet. Much clearer, and no need for things like state tracking here either. Possible, but it just serves no purpose really.
Note that this rule is to control yourself, not to control unknown untrusted sources; again, that is for internet firewalls, which you already have, and in a professional environment I would *not* advocate using iptables here at all, outside of duplicating existing rules in better locations.
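As an added example that is not part of acid_kewpie's post or the original thread: the script below turns the rule above into a small, reusable setup (the current `! -d` negation syntax, a dedicated chain, and the Postfix-side restriction from the earlier reply) and simulates which locally generated TCP packets the OUTPUT rule actually matches. The mail host address 192.168.1.10, the chain name MAIL_LOCAL and the choice of `default_transport = error:...` on the Postfix side are my assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the "LAN-only SMTP" rule
# acid_kewpie suggests (with the current '! -d' negation syntax), puts it in
# its own chain, and simulates which TCP packets that OUTPUT rule would drop.
# Hypothetical values: mail host 192.168.1.10, clients in 192.168.1.0/24,
# chain name MAIL_LOCAL. Run without arguments to print the commands;
# APPLY=1 sh smtp-lan-only.sh executes them (needs root).

LAN=192.168.1.0/24
CHAIN=MAIL_LOCAL

# Dotted quad -> 32-bit integer. Runs in a subshell so changing IFS to split
# on '.' does not leak into the caller.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NET/BITS -> exit status 0 if IP is inside the prefix.
# This is the same test iptables performs for '-d 192.168.1.0/24';
# '! -d' is the inverse, i.e. "destination NOT in the LAN".
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# output_verdict SRC SPORT DST DPORT -> DROP or ACCEPT for a locally generated
# TCP packet, as the rule '-p tcp --sport 25 ! -d $LAN -j DROP' would decide.
output_verdict() {
    if [ "$2" -eq 25 ] && ! in_cidr "$3" "$LAN"; then
        echo DROP
    else
        echo ACCEPT    # no match: falls through to the OUTPUT chain's policy
    fi
}

# Print a command, or run it when APPLY=1.
emit() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

install_rules() {
    # Own chain, so the mail rules can be flushed without touching the rest
    # of OUTPUT. '-N' fails harmlessly if the chain already exists.
    emit iptables -N "$CHAIN" 2>/dev/null || true
    emit iptables -F "$CHAIN"
    # Replies from the SMTP listener (source port 25) to any destination
    # outside the LAN are dropped, so hosts outside 192.168.1.0/24 can never
    # complete a session with Postfix even if the listener is reachable.
    emit iptables -A "$CHAIN" -p tcp --sport 25 ! -d "$LAN" -j DROP
    # Hook the chain into OUTPUT (run once; re-running appends a second jump).
    emit iptables -A OUTPUT -j "$CHAIN"

    # acid_kewpie's point 2: also stop Postfix itself from talking to the
    # outside. mynetworks limits who may relay through us; default_transport
    # hands every non-local delivery to the error(8) transport instead of
    # connecting out to the internet (assumed configuration choice).
    emit postconf -e "mynetworks = 127.0.0.0/8 $LAN"
    emit postconf -e "default_transport = error:outside mail is not deliverable"
}

install_rules
echo "--- simulated verdicts of the OUTPUT rule (constructed packets) ---"
for pkt in "192.168.1.10 25 192.168.1.60 51000" \
           "192.168.1.10 25 203.0.113.7 51000"  \
           "192.168.1.10 51000 203.0.113.7 25"; do
    set -- $pkt
    echo "$1:$2 -> $3:$4  $(output_verdict "$1" "$2" "$3" "$4")"
done
# The third packet is Postfix acting as a client (high source port, dport 25)
# and is NOT matched: the --sport 25 rule only stops inbound sessions, which
# is why the Postfix-side restriction above is needed for outbound mail.
```

Run it with no arguments to see the commands it would issue; `APPLY=1 sh smtp-lan-only.sh` as root applies them. The third simulated packet shows the caveat a tester should keep in mind: `--sport 25` only matches traffic sent by the listener, so mail that Postfix itself originates towards an outside MTA is untouched by the iptables rule and has to be stopped in the Postfix configuration.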
In my iptables report I should use another host to test the rule, so I assume 192.168.1.60-80 as external users, and I test the rule using Windows and Ubuntu.
So as I understand it, I also need to block packets to the firewall.
# Only 192.168.1.80-100 may talk to the local SMTP listener: negate the iprange match
iptables -A OUTPUT -p tcp --sport 25 -m iprange ! --dst-range 192.168.1.80-192.168.1.100 -j DROP
iptables -A INPUT -p tcp --dport 25 -m iprange ! --src-range 192.168.1.80-192.168.1.100 -j DROP