LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-02-2005, 12:36 AM   #1
lynksinc
Limit incoming smtp connection by ip using iptables


Newbie to iptables here.

I am trying to work out how to limit incoming SMTP connections to one of my mail servers based on the IP of the sender, using iptables. I only want to receive incoming SMTP connections for my class C's.

Even better, I would like to receive incoming SMTP connections only from one of my IPs and allow outgoing SMTP for all of my class C's.

Let me know if more info is needed.
 
Old 11-02-2005, 08:01 AM   #2
imitheos
Re: Limit incoming smtp connection by ip using iptables

If you put the iptables rules on the mailserver machine,
then you will use the INPUT chain.

So a simple rule would be

Code:
iptables -A INPUT -s __IP__ -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP
You can do this with only one rule, like this:
Code:
iptables -A INPUT -s ! __IP__ -p tcp --dport 25 -j DROP
It is a very simple rule.
If you have another chain that you go to from INPUT, you can put it there.

If you have the 192.168.0.0 network and want to allow the whole class C, then you put "192.168.0.0/24" for __IP__;
if you want to allow only one IP (e.g. 192.168.0.5), you put "192.168.0.5" for __IP__.
 
Old 11-02-2005, 11:34 AM   #3
lynksinc
I found the same code while searching for an answer. I tried this, but here is what I ran into.

I am currently allowing all traffic to port 25.

Here is my current iptables config.


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 RH-Firewall-1-INPUT all -- any any anywhere anywhere

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
116K 49M RH-Firewall-1-INPUT all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 127K packets, 63M bytes)
pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
26 1248 ACCEPT icmp -- any any anywhere anywhere icmp any
0 0 ACCEPT ipv6-crypt -- any any anywhere anywhere
0 0 ACCEPT ipv6-auth -- any any anywhere anywhere
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipp
112K 48M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
1418 68454 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:pop3
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:platypusd
1 48 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
2069 116K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:smtp
866 117K REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited


I just want to replace the line:

2069 116K ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:smtp

with:

0 0 ACCEPT tcp -- any any ip_I_want_to_receive_from anywhere state NEW tcp dpt:smtp

Is this correct?


Also, after I have entered a rule, it seems that if iptables is restarted I lose all of my changes.

Sorry for bugging you guys with the basics, just very new to iptables.

Thanks
 
Old 11-02-2005, 04:48 PM   #4
imitheos
Let's suppose you change the rule and make it as you mention here.
So when someone from ip_i_want_to_receive_from connects to smtp, it gets matched by this rule and gets accepted.
If someone from some other IP connects to smtp, it doesn't get matched by this rule and it gets matched by the REJECT rule at the end,
so I guess it is OK.

When you enter a rule from a console, it is logical that it is lost when iptables is restarted.
You must put it in the appropriate place so that when iptables starts (or restarts) it is loaded.
I don't know which distribution you use, so I can't tell you what to do.
I am not sure, but I think that in Redhat/Fedora/Mandrake you look at /etc/sysconfig.
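Putting posts #2 and #4 together, here is an added example (not code from the thread) as a small POSIX sh script: it replaces the open "dpt:smtp" ACCEPT in the RH-Firewall-1-INPUT chain with one restricted to a source network, adds an explicit DROP for new SMTP connections from anyone else, and saves the running ruleset where the Red Hat init script reloads it. The chain name is taken from the listing in post #3; the allowed network 192.0.2.0/24 is a constructed placeholder; IPTABLES, IPTABLES_SAVE and RULES_FILE are assumed variables so the script can be dry-run with IPTABLES=echo before touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Restrict inbound SMTP to one source
# network on a host whose INPUT chain jumps to RH-Firewall-1-INPUT, then
# persist the result. IPTABLES, IPTABLES_SAVE and RULES_FILE are assumed
# overridable variables (dry run: IPTABLES=echo).
IPTABLES=${IPTABLES:-iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables}

# valid_cidr A.B.C.D[/N]: accept only a dotted quad with an optional /0-32 prefix,
# so a typo never turns into a rule that matches nothing (or everything).
valid_cidr() {
    case "$1" in
        */*) addr=${1%%/*}; prefix=${1#*/} ;;
        *)   addr=$1;       prefix=32 ;;
    esac
    case "$addr"   in ''|*[!0-9.]*) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*)  return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# smtp_restrict_rules CHAIN ALLOWED: swap the unrestricted SMTP ACCEPT for a
# source-restricted one and drop new SMTP connections from everyone else.
# Anything still unmatched falls through to the chain's final REJECT, as
# explained in post #4.
smtp_restrict_rules() {
    chain=$1; allowed=$2
    valid_cidr "$allowed" || { echo "bad source: $allowed" >&2; return 1; }
    # 1. delete the open rule seen in the poster's listing (ignore if absent)
    $IPTABLES -D "$chain" -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 2>/dev/null || true
    # 2. accept new SMTP connections only from ALLOWED
    $IPTABLES -I "$chain" 1 -s "$allowed" -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
    # 3. explicit DROP for the rest, so the policy does not depend on the
    #    chain's last rule. Loopback is excluded so local delivery to port 25
    #    keeps working. "! -s" is current iptables negation syntax; older
    #    releases wrote it as "-s ! ADDR" (the form in post #2).
    $IPTABLES -I "$chain" 2 ! -i lo ! -s "$allowed" -p tcp -m state --state NEW -m tcp --dport 25 -j DROP
}

# persist_rules: write the running ruleset to RULES_FILE, refusing to save an
# empty dump (which would leave the host with no rules after a restart).
persist_rules() {
    dump=$($IPTABLES_SAVE) || return 1
    [ -n "$dump" ] || { echo "empty ruleset, not saving" >&2; return 1; }
    printf '%s\n' "$dump" > "$RULES_FILE"
}

# Run stand-alone as root: sh restrict_smtp.sh 192.0.2.0/24
if [ $# -gt 0 ]; then
    smtp_restrict_rules RH-Firewall-1-INPUT "$1" && persist_rules
fi
```

Try it first with `IPTABLES=echo sh restrict_smtp.sh 192.0.2.0/24` to see the exact commands, then run it as root. On Red Hat derived systems `service iptables save` does the same job as the `persist_rules` step; after a reload, `iptables -L RH-Firewall-1-INPUT -v -n` should show the new source-restricted ACCEPT above the DROP and the old "anywhere" SMTP rule gone.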
 
Old 11-03-2005, 12:27 PM   #5
lynksinc
Got this worked out.

After your mentioning the /etc/sysconfig/iptables thing, I changed my config there and all was well.

Your help is much appreciated.