iptables email routing - Networking



Thread: iptables email routing

  1. iptables email routing

    I'm looking to add some filters to give only certain servers the
    ability to communicate with the internet. This is how the server my
    company has is set up:

    eth0 and eth1 are local networks (we have 2 ip schemes in the company)
    eth2 is the internet

    I'm new to iptables, so I wanted to make sure I'm thinking correctly
    before I implement the commands for this.
    What I was thinking was this:
    iptables -I OUTPUT ! -s xxx.xxx.xxx.xxx -o ethX -p tcp --dport 25 -j DROP
    where xxx.xxx.xxx.xxx is the server address that I want to allow
    (there would be a command for each server, so let's say 10.0.0.1,
    10.0.0.2, and 10.0.1.1 are the servers I'm allowing). and the X in
    ethX is either 0 or 1 for the internal networks. I'm hesitant to put
    it on eth2, because I'm not sure if that would block traffic coming in
    or not. As for OUTPUT, another possibility was FORWARD.
    Am I going about this the right way? If anything else is trying to
    send email, I want it to drop it (to prevent anyone accidentally
    sending spam). Thanks for any help you can give me.

    Brian


  2. Re: iptables email routing

    Brian Ronk wrote:
    > I'm looking to add some filters to give only certain servers the
    > ability to communicate with the internet. This is how the server my
    > company has is set up:
    >
    > eth0 and eth1 are local networks (we have 2 ip schemes in the company)
    > eth2 is the internet
    >
    > I'm new to iptables, so I wanted to make sure I'm thinking correctly
    > before I implement the commands for this.
    > What I was thinking was this:
    > iptables -I OUTPUT ! -s xxx.xxx.xxx.xxx -o ethX -p tcp --dport 25 -j DROP
    > where xxx.xxx.xxx.xxx is the server address that I want to allow
    > (there would be a command for each server, so let's say 10.0.0.1,
    > 10.0.0.2, and 10.0.1.1 are the servers I'm allowing). and the X in
    > ethX is either 0 or 1 for the internal networks. I'm hesitant to put
    > it on eth2, because I'm not sure if that would block traffic coming in
    > or not. As for OUTPUT, another possibility was FORWARD.
    > Am I going about this the right way? If anything else is trying to
    > send email, I want it to drop it (to prevent anyone accidentally
    > sending spam). Thanks for any help you can give me.


    I'd recommend FORWARD.

    [insert rules to allow whatever FORWARD to Internet here, then ...]
    -A FORWARD -i eth0 -o eth2 -j DROP
    -A FORWARD -i eth1 -o eth2 -j DROP

    Stick in "-m tcp -p tcp --dport 25" if you want.
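    An added worked example (not posted in this thread): a script that builds the FORWARD rules the reply sketches, with the "allow these senders, then drop" ordering and the --dport 25 narrowing applied. OUTPUT only sees packets the firewall box generates itself, so routed traffic from eth0/eth1 must be handled in FORWARD. The interface names and the three server addresses come from the thread; the chain name SMTP_OUT, the log prefix and the rate limit are my assumptions.

    ```shell
    #!/bin/sh
    # Added example, not code from the thread. Emits an iptables-restore fragment
    # for the filter table so that only the listed internal hosts may reach TCP/25
    # on the Internet side (eth2); every other routed SMTP attempt from eth0/eth1
    # is logged and dropped. Chain name, log prefix and rate limit are assumptions.

    ALLOWED_SMTP_SERVERS="10.0.0.1 10.0.0.2 10.0.1.1"   # from the thread
    LAN_IFACES="eth0 eth1"                               # internal networks
    WAN_IFACE="eth2"                                     # Internet side

    # Print the rule set in iptables-restore format.
    build_smtp_rules() {
        echo '*filter'
        echo ':SMTP_OUT - [0:0]'
        # Only routed SMTP leaving via eth2 is sent to the dedicated chain. Replies
        # travel eth2 -> eth0/eth1 and never match, so no conntrack rule is needed.
        for lan in $LAN_IFACES; do
            echo "-A FORWARD -i $lan -o $WAN_IFACE -p tcp -m tcp --dport 25 -j SMTP_OUT"
        done
        # Allow list first: iptables stops at the first matching rule, so the
        # ACCEPTs must precede the catch-all DROP.
        for host in $ALLOWED_SMTP_SERVERS; do
            echo "-A SMTP_OUT -s $host -j ACCEPT"
        done
        # Everything else: log (rate limited so a spam burst cannot flood syslog),
        # then drop. The log line is what tells you which host tried to send mail.
        echo '-A SMTP_OUT -m limit --limit 5/min -j LOG --log-prefix "SMTP-BLOCKED: "'
        echo '-A SMTP_OUT -j DROP'
        echo 'COMMIT'
    }

    # Number of actual rule lines (-A ...), handy as a sanity check before loading.
    count_rules() {
        build_smtp_rules | grep -c '^-A '
    }

    # Run stand-alone: print the rule set for review.
    build_smtp_rules
    ```

    Review the printed rules, then load them with `iptables-restore -n` (no flush of the other chains); because the FORWARD jumps are appended, load the fragment once rather than on every run.
    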
