
Z038 05-20-2007 04:54 PM

iptables for home mail/web/ftp server
I've got several computers on my home LAN. I'm setting up one to be a web server, email server, and ftp server. It will not be used as a normal desktop system. The web server and ftp server will be open to the outside. The email will get mail via fetchmail POP3 from my various email accounts and store it on my home IMAP server so that my internal users (family) can access it from anywhere internal or external via IMAP clients. I have sendmail pushing outgoing mail via my ISP's SMTP server (Smarthost feature). I also want to allow SSH access to my server from outside so I can administer it from anywhere. I'll use ssh, sftp, stunnel and VPN where appropriate for outside access (I haven't completely figured out all that yet, but I'm working on it, so far no questions.)

I have a hardware router firewall protecting me now with access from outside my LAN to the inbound server ports closed off while I'm testing. I am trying to learn iptables so I can set it up as a backup firewall for this particular system. The iptables table that is active now is the Slackware 11.0 default, which I think is pretty much open if I understand it right.

I'm confused about which ports need to be open for INPUT and which for OUTPUT to accommodate my desired setup. I don't want something open if it does not need to be. Here is the iptables configuration I've built (but not activated) so far. It was based on a simple configuration I found somewhere, and no I don't really know what all those numbers in brackets mean.


:PREROUTING ACCEPT [48436:11233990]
:INPUT ACCEPT [48436:11233990]
:OUTPUT ACCEPT [29730:6162034]
:POSTROUTING ACCEPT [29730:6162034]

:OUTPUT ACCEPT [1793:110951]

:OUTPUT ACCEPT [1418:147349]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 453 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A INPUT -p all -s -d -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 631 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT


1) I have a CUPS server running on a desktop system on my LAN and I want to be able to print to it from my server system, since my server system doesn't have a printer. Do I need to allow only OUTPUT on 631 from my web/mail/ftp server system, or do I need INPUT and OUTPUT?

2) Do I need port 25 to be open for INPUT, OUTPUT, or both? I'm only pushing mail via Smarthost feature to my ISP for outgoing email. I think I only need OUTPUT.

3) I think I need 110 POP3 and 143 IMAP open both for INPUT and OUTPUT because I want to get mail via POP3 from outside email accounts, and let my family access mail on my IMAP server from anywhere. Or do I only need POP3 open for OUTPUT to get mail from my ISP, and INPUT only if I want my family to be able to download mail to their desktops? Do I need OUTPUT on the IMAP port? I'm not accessing an outside IMAP server from this system.

4) I want to accept SSH and FTP and web connections from the outside world, so I think I need INPUT open for those ports. I want to connect to other web sites and originate SSH and FTP from this system, so I think I need OUTPUT open for those ports (21, 22, 80). Is this correct?

I may have thought myself into a muddle here, but I'm getting confused over the concepts of initiating versus accepting connections on various ports, and whether ports have to be open for INPUT and OUTPUT to allow packets to flow once a connection is established.

I hope my questions aren't too silly.

yawe_frek 05-20-2007 08:27 PM

Just remember these things.

1. Do not use the DROP target/jump in the midst of ACCEPT targets; instead use a default policy to drop everything, like this.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

2. Then add your rules, then DON'T forget one more thing. At the end of all your rules,

do this

iptables -t filter -A INPUT -j DROP
iptables -t filter -A OUTPUT -j DROP
iptables -t filter -A FORWARD -j DROP

It works fine for me.

Z038 05-22-2007 07:33 PM

Thanks for the warnings on order. I am reading up on iptables to make sure I understand how it should work.

As for the other questions, I will experiment by closing off all ports, then open them one at a time to see what goes through and what does not.

p_s_shah 05-24-2007 03:03 AM

If you have a hardware router firewall, you should assign your public IP [ or IP provided by ISP ] to the firewall itself.

Your server and other desktop systems should be in the same network. Only this local network should be allowed from the Hardware Firewall. Of course make necessary changes when you shift to VPN.

Up to my understanding you are running a single Web/FTP server, so you can just forward requests for HTTP [80], FTP [21] & ports for other services from your firewall's IP to the Internal Server's IP by modifying the configuration of the Hardware Firewall.

Now for IPtables :
First of all set all policies to Drop as default.
Allow all incoming/outgoing traffic from local network to local network in case of trusted LAN.
Now start allowing traffic for respective port for outside access.

1) As you are allowing incoming/outgoing traffic in your LAN and your CUPS server isn't running on your Web/FTP server, there is no need for setting iptables rule for this.

2) Allow only Output for SMTP.

Keep one thing in mind,
If you are providing a service [ like FTP, HTTP ] then open that port for incoming/outgoing requests. If you are just using a service [ like FTP of other servers ], your connections are not made through standard ports [like 21,80], so no need to change iptables config.

Do following to better understand :
1. Start FTP service.
Run `netstat -an`
You will be able to see listen:21.
Stop FTP service.
2. Use ftp command line client to connect to some other FTP server.
Run `netstat -an`
You will see random port connected to Remote server's 21 port.

I hope you are able to understand what I am saying.

yawe_frek 05-24-2007 11:37 AM

Hi p_s_shah,

Do you have an idea of how I would use tc (traffic control) for uplink sharing?
I have successfully solved the downlink issue.

Z038 05-24-2007 06:34 PM

Thanks p_s_shah. Yes, I do understand now. The netstat command helped make it clear for me.
