I am using squid and dansguardian to filter web traffic but I would like to allow a certain subnet to be able to receive and send out e-mail via pop3 and smtp. Can somebody show me an example of an iptables rule that will allow a specific IP address or a subnet to have only this privilege to send incoming and outgoing email via pop and smtp?
iptables -A FORWARD -i eth1 -o eth0 -p TCP -s 192.168.40.0/24 \
-m multiport --dports 25,110 -m state --state NEW -j ACCEPT
This assumes a policy of DROP, as well as the existence of a rule for packets of state RELATED and ESTABLISHED. It also assumes eth1 is your LAN interface, and eth0 is your WAN.
I tried both of them and I still have the same issue. I can download e-mail fine (pop is working) and I can connect to my smtp server for outgoing e-mail (because it asks me for the username and password, and I am also able to ping the smtp server). But when I try to send anything it times out and errors saying that it cannot communicate with the smtp server, but I can ping it. So I know that it is a rule in my firewall that is causing this issue, because when I am on the DMZ I am cool. I would like to post my firewall rules but do not want the world seeing them. Here is my layout:
It's easy to see what is getting filtered. Just have a LOG rule log any filtered packet. BTW, are you placing the rule in a proper location? If the packets get sent to DROP or REJECT by a prior rule then they'll never see this rule.
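To act on the advice above (a LOG rule on filtered packets, plus the assumption that a RELATED,ESTABLISHED rule exists), here is a small parser for netfilter LOG output that sorts dropped packets to or from the 192.168.40.0/24 subnet into "new mail connection dropped" versus "server reply dropped". This is an added example, not code from any poster; the log prefix FWD-DROP, the interface names and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in netfilter LOG format (not from the thread); the
# prefix "FWD-DROP: " is assumed to come from a LOG rule in the FORWARD chain.
SAMPLE_LOG = [
    "Mar  3 10:01:12 fw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.40.12 "
    "DST=203.0.113.25 LEN=60 TTL=63 DF PROTO=TCP SPT=40312 DPT=25 WINDOW=29200 SYN URGP=0",
    "Mar  3 10:01:13 fw kernel: FWD-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.25 "
    "DST=192.168.40.12 LEN=52 TTL=54 DF PROTO=TCP SPT=25 DPT=40312 WINDOW=229 ACK URGP=0",
    "Mar  3 10:01:20 fw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.40.12 "
    "DST=203.0.113.25 LEN=60 TTL=63 DF PROTO=TCP SPT=40313 DPT=110 WINDOW=29200 SYN URGP=0",
    "Mar  3 10:01:25 fw kernel: FWD-DROP: IN=eth1 OUT=eth0 SRC=192.168.41.7 "
    "DST=198.51.100.9 LEN=60 TTL=63 DF PROTO=TCP SPT=5555 DPT=80 WINDOW=29200 SYN URGP=0",
]

MAIL_PORTS = {25: "smtp", 110: "pop3"}
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")
FLAGS = {"SYN", "ACK", "FIN", "RST"}

def parse_log_line(line):
    """Turn one netfilter LOG line into a dict of KEY=value fields plus TCP flags."""
    entry = dict(FIELD.findall(line))
    entry["flags"] = {tok for tok in line.split() if tok in FLAGS}
    return entry

def classify(entry, lan_net, lan_if):
    """Explain why a dropped packet matters for mail from lan_net, or None if unrelated."""
    if entry.get("PROTO") != "TCP":
        return None
    src, dst = ipaddress.ip_address(entry["SRC"]), ipaddress.ip_address(entry["DST"])
    sport, dport = int(entry["SPT"]), int(entry["DPT"])
    if src in lan_net and entry.get("IN") == lan_if and dport in MAIL_PORTS:
        # A SYN from the LAN to 25/110 should hit the multiport ACCEPT rule; if it is
        # still dropped, that rule is missing, mis-ordered or on the wrong interface.
        kind = "new connection dropped" if "SYN" in entry["flags"] else "client data dropped"
        return (MAIL_PORTS[dport], kind)
    if dst in lan_net and entry.get("OUT") == lan_if and sport in MAIL_PORTS:
        # Server replies rely on the RELATED,ESTABLISHED rule; dropping them gives
        # exactly the "connects, then times out while sending" symptom.
        return (MAIL_PORTS[sport], "server reply dropped (no ESTABLISHED rule?)")
    return None

def mail_drops(lines, lan_cidr="192.168.40.0/24", lan_if="eth1"):
    """Count mail-related drops by (service, reason) over a list of LOG lines."""
    lan_net = ipaddress.ip_network(lan_cidr)
    counts = Counter()
    for line in lines:
        verdict = classify(parse_log_line(line), lan_net, lan_if)
        if verdict:
            counts[verdict] += 1
    return counts

for (service, reason), n in sorted(mail_drops(SAMPLE_LOG).items()):
    print(f"{n:3d}  {service:5s}  {reason}")
```

Feed it the real lines with something like `grep FWD-DROP /var/log/kern.log`; the unrelated port-80 drop from another subnet is ignored, and a dropped reply with SPT=25 points at the state rule rather than the multiport rule.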
Quote:
can I send you a copy of my firewall so you can take a look at it and tell me if you can see an issue?
Posting your rules here isn't a security issue if you make sure to remove/obfuscate any of your public IP addresses in it. Typically this would only be the IP(s) of your WAN interface. Trust me, you are much better off having the entire LQ community looking at your rules instead of just me. BTW, we'd only need to see your FORWARD, PREROUTING, and POSTROUTING rules.
If you are still hesitant to publicly post the output of the above commands, then go ahead and email the output to me. I'll have a look at it, but I'll post my feedback on this thread, so that anyone might benefit.