I've got several computers on my home LAN. I'm setting up one to be a web server, email server, and ftp server. It will not be used as a normal desktop system. The web server and ftp server will be open to the outside. The email will get mail via fetchmail POP3 from my various email accounts and store it on my home IMAP server so that my internal users (family) can access it from anywhere, internal or external, via IMAP clients. I have sendmail pushing outgoing mail via my ISP's SMTP server (Smarthost feature). I also want to allow SSH access to my server from outside so I can administer it from anywhere. I'll use ssh, sftp, stunnel and VPN where appropriate for outside access (I haven't completely figured out all of that yet, but I'm working on it; no questions there so far.)
I have a hardware router firewall protecting me now with access from outside my LAN to the inbound server ports closed off while I'm testing. I am trying to learn iptables so I can set it up as a backup firewall for this particular system. The iptables table that is active now is the Slackware 11.0 default, which I think is pretty much open if I understand it right.
I'm confused about which ports need to be open for INPUT and which for OUTPUT to accommodate my desired setup. I don't want something open if it does not need to be. Here is the iptables configuration I've built (but not activated) so far. It was based on a simple configuration I found somewhere, and no, I don't really know what all those numbers in brackets mean.
Code:
*mangle
# The [packets:bytes] values are counters written out by iptables-save;
# iptables-restore ignores them unless it is run with -c, so they are harmless.
:PREROUTING ACCEPT [48436:11233990]
:INPUT ACCEPT [48436:11233990]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [29730:6162034]
:POSTROUTING ACCEPT [29730:6162034]
COMMIT
*nat
:PREROUTING ACCEPT [391:49336]
:POSTROUTING ACCEPT [1793:110951]
:OUTPUT ACCEPT [1793:110951]
COMMIT
*filter
# Default policies: anything not accepted below is dropped on INPUT and
# FORWARD; OUTPUT accepts everything by default.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1418:147349]
-A INPUT -i lo -j ACCEPT
# Replies and related packets for connections that were already allowed.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Incoming connections to services listening on this host.
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 453 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
# Already covered by the "-i lo" rule above.
-A INPUT -p all -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Same effect as the INPUT DROP policy.
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
# --sport rules match replies sent by local services. Because the OUTPUT
# policy is ACCEPT, these rules currently change nothing.
-A OUTPUT -p tcp -m tcp --sport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 631 -j ACCEPT
-A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
COMMIT
Questions:
1) I have a CUPS server running on a desktop system on my LAN and I want to be able to print to it from my server system, since my server system doesn't have a printer. Do I need to allow only OUTPUT on 631 from my web/mail/ftp server system, or do I need INPUT and OUTPUT?
2) Do I need port 25 to be open for INPUT, OUTPUT, or both? I'm only pushing mail via the Smarthost feature to my ISP for outgoing email. I think I only need OUTPUT.
3) I think I need 110 (POP3) and 143 (IMAP) open for both INPUT and OUTPUT, because I want to get mail via POP3 from outside email accounts and let my family access mail on my IMAP server from anywhere. Or do I only need POP3 open for OUTPUT to get mail from my ISP, and INPUT only if I want my family to be able to download mail to their desktops? Do I need OUTPUT on the IMAP port? I'm not accessing an outside IMAP server from this system.
4) I want to accept SSH and FTP and web connections from the outside world, so I think I need INPUT open for those ports. I want to connect to other web sites and originate SSH and FTP from this system, so I think I need OUTPUT open for those ports (21, 22, 80). Is this correct?
I may have thought myself into a muddle here, but I'm getting confused over the concepts of initiating versus accepting connections on various ports, and whether ports have to be open for INPUT and OUTPUT to allow packets to flow once a connection is established.
I hope my questions aren't too silly.
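Added example (not part of the original post, and not the poster's ruleset): a stateful ruleset in iptables-restore format for the setup described above, written to show how connection tracking settles the INPUT-versus-OUTPUT question. With conntrack, only the first packet of a connection (state NEW) needs a port rule, and the chain that sees that packet fixes the direction: INPUT for services this host offers (ftp, ssh, http, imap), OUTPUT for connections this host initiates (smtp to the smarthost, pop3 to outside mailboxes, ipp to the LAN CUPS box, dns, outbound web/ssh/ftp). Replies in the other direction are ESTABLISHED and are covered by one rule per chain, so no per-port --sport rules are needed. The addresses 192.0.2.25 (ISP SMTP relay) and 192.168.1.10 (CUPS desktop) are placeholders, and the port_direction function is an illustrative helper written for this example, not an iptables command.

```sh
#!/bin/sh
# Added example (not from the original post): a stateful iptables-restore
# ruleset for a host that OFFERS ftp/ssh/http/imap and INITIATES smtp to a
# smarthost, pop3 to outside mailboxes and ipp to a LAN CUPS server.
# Hypothetical addresses: 192.0.2.25 = ISP SMTP relay, 192.168.1.10 = CUPS box.

# Print the ruleset. $1 = smarthost address, $2 = CUPS server address.
gen_rules() {
    smarthost="$1"
    cups_host="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies (ESTABLISHED) and helper-tracked data connections (RELATED) are
# accepted in both chains, so no per-port --sport rules are needed.
# FTP data connections are only RELATED if the FTP conntrack helper is
# loaded (modprobe ip_conntrack_ftp on older kernels, nf_conntrack_ftp on newer).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services this host offers: the first packet (NEW) arrives on INPUT.
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
# Connections this host initiates: the first packet leaves via OUTPUT and is
# matched on the remote (destination) port, narrowed to one host where possible.
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -d $smarthost --dport 25 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -d $cups_host --dport 631 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 21,22,80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
# Everything else is logged (rate-limited) and then dropped by the chain policy.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
COMMIT
EOF
}

# Report which chain(s) open a given port for NEW connections in a ruleset
# read on stdin: prints INPUT, OUTPUT, INPUT+OUTPUT or none.
# (Illustrative helper written for this example, not an iptables command.)
port_direction() {
    awk -v port="$1" '
        /-m state --state NEW/ && /-j ACCEPT/ {
            chain = $2                       # "-A INPUT ..." -> INPUT
            hit = 0
            for (i = 1; i < NF; i++) {
                if ($i == "--dport" && $(i + 1) == port) hit = 1
                if ($i == "--dports") {
                    n = split($(i + 1), ports, ",")
                    for (j = 1; j <= n; j++) if (ports[j] == port) hit = 1
                }
            }
            if (hit) seen[chain] = 1
        }
        END {
            if (seen["INPUT"] && seen["OUTPUT"]) print "INPUT+OUTPUT"
            else if (seen["INPUT"])              print "INPUT"
            else if (seen["OUTPUT"])             print "OUTPUT"
            else                                 print "none"
        }'
}

# Usage: build the ruleset for the hypothetical hosts and summarise the
# direction in which each port of interest is opened.
RULES=$(gen_rules 192.0.2.25 192.168.1.10)
for p in 21 22 25 80 110 143 631; do
    printf 'port %s\t%s\n' "$p" "$(printf '%s\n' "$RULES" | port_direction "$p")"
done
```

Save the output of gen_rules to a file and load it with iptables-restore; iptables-restore -t (on versions that have the option) parses the file without committing it. Because the OUTPUT policy here is DROP, anything the host initiates that is not listed (NTP, package updates, and so on) will be logged with the OUT-DROP prefix and blocked, which is the point of the log rule: it tells you what to add. Activate it from a second SSH session and confirm a new login still works before closing the first one.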