iptables question with multiple interfaces - Networking



Thread: iptables question with multiple interfaces

  1. iptables question with multiple interfaces

    I have a MASQUERADE server with 3 NICs.

    1 (eth0) is my internet connection and the other 2 (eth1 / eth2) are
    separate interfaces both sharing the internet connection.

    My question is I need to block port 25 only on one of the interfaces.
    So allow outgoing port 25 connections on the eth1 network but not eth2
    network. Currently I am using this rule:

    /usr/sbin/iptables -I FORWARD 1 -p tcp --dport 25 -j DROP

    which of course blocks all connections to port 25.

    I just need to block outgoing port 25 connections on one interface.

    Any ideas?

    Thanks in advance.

  2. Re: iptables question with multiple interfaces

    phiveohtwo@gmail.com wrote:
    > I have a MASQUERADE server with 3 NICs.
    >
    > 1 (eth0) is my internet connection and the other 2 (eth1 / eth2) are
    > separate interfaces both sharing the internet connection.
    >
    > My question is I need to block port 25 only on one of the interfaces.
    > So allow outgoing port 25 connections on the eth1 network but not eth2
    > network. Currently I am using this rule:
    >
    > /usr/sbin/iptables -I FORWARD 1 -p tcp --dport 25 -j DROP
    >
    > which of course blocks all connections to port 25.
    >
    > I just need to block outgoing port 25 connections on one interface.


    man iptables

    /usr/sbin/iptables -I FORWARD -p tcp -o eth2 --dport 25 -j DROP

    >
    > Any ideas?
    >
    > Thanks in advance.


  3. Re: iptables question with multiple interfaces

    Hello,

    Philippe.Weill@aero.jussieu.fr wrote:
    > phiveohtwo@gmail.com wrote:
    >
    >> I have a MASQUERADE server with 3 NICs.
    >>
    >> 1 (eth0) is my internet connection and the other 2 (eth1 / eth2) are
    >> separate interfaces both sharing the internet connection.
    >>
    >> My question is I need to block port 25 only on one of the interfaces.
    >> So allow outgoing port 25 connections on the eth1 network but not eth2
    >> network. Currently I am using this rule:


    Do you mean "from the eth1 network"?

    > /usr/sbin/iptables -I FORWARD -p tcp -o eth2 --dport 25 -j DROP


    Unless I misunderstood the question, I'd use -i (input interface)
    instead of -o (output interface). Also, I'd use REJECT instead of DROP
    in order to avoid the looong time-out delay on the client, unless such a
    delay is desirable for the OP.

  4. Re: iptables question with multiple interfaces

    On Wed, 12 Dec 2007 11:23:55 +0100, Pascal Hambourg wrote:

    > Unless I misunderstood the question, I'd use -i (input interface)
    > instead of -o (output interface).


    The original question made it appear that connections to port 25 on
    servers not "outside" were okay. Perhaps connections from eth1 to ports
    25 somewhere on eth2 are okay?

    But blocking *only* with the -o would block connections to outside ports
    25 from eth2 as well as eth1. That wasn't mentioned in the question, and
    so might be undesirable.

    So why not "-i eth1 -o eth0"? Would that work?

    Alternatively, if both eth1 and eth2 have INPUT rules that prevent source
    address forging, then the output block on eth0 could use -s instead of -o.

    - Andrew


  5. Re: iptables question with multiple interfaces

    Pascal Hambourg wrote:
    > Hello,
    >
    > Philippe.Weill@aero.jussieu.fr wrote:
    >> phiveohtwo@gmail.com wrote:
    >>
    >>> I have a MASQUERADE server with 3 NICs.
    >>>
    >>> 1 (eth0) is my internet connection and the other 2 (eth1 / eth2) are
    >>> separate interfaces both sharing the internet connection.
    >>>
    >>> My question is I need to block port 25 only on one of the interfaces.
    >>> So allow outgoing port 25 connections on the eth1 network but not eth2
    >>> network. Currently I am using this rule:


    I read it as "do not allow outgoing SMTP connections on eth2",
    but perhaps that's not the question.

    >
    > Do you mean "from the eth1 network"?
    >
    >> /usr/sbin/iptables -I FORWARD -p tcp -o eth2 --dport 25 -j DROP
    >
    > Unless I misunderstood the question, I'd use -i (input interface)
    > instead of -o (output interface). Also, I'd use REJECT instead of DROP
    > in order to avoid the looong time-out delay on the client, unless such a
    > delay is desirable for the OP.


    I also prefer REJECT, but the poster said:
    /usr/sbin/iptables -I FORWARD 1 -p tcp --dport 25 -j DROP

  6. Re: iptables question with multiple interfaces

    On Dec 12, 11:43 am, Philippe.We...@aero.jussieu.fr wrote:
    > Pascal Hambourg wrote:
    > > Hello,
    > >
    > > Philippe.We...@aero.jussieu.fr wrote:
    > >> phiveoh...@gmail.com wrote:
    > >>
    > >>> I have a MASQUERADE server with 3 NICs.
    > >>>
    > >>> 1 (eth0) is my internet connection and the other 2 (eth1 / eth2) are
    > >>> separate interfaces both sharing the internet connection.
    > >>>
    > >>> My question is I need to block port 25 only on one of the interfaces.
    > >>> So allow outgoing port 25 connections on the eth1 network but not eth2
    > >>> network. Currently I am using this rule:
    >
    > I read it as "do not allow outgoing SMTP connections on eth2",
    > but perhaps that's not the question.
    >
    > > Do you mean "from the eth1 network"?
    > >
    > >> /usr/sbin/iptables -I FORWARD -p tcp -o eth2 --dport 25 -j DROP
    > >
    > > Unless I misunderstood the question, I'd use -i (input interface)
    > > instead of -o (output interface). Also, I'd use REJECT instead of DROP
    > > in order to avoid the looong time-out delay on the client, unless such a
    > > delay is desirable for the OP.
    >
    > I also prefer REJECT, but the poster said:
    > /usr/sbin/iptables -I FORWARD 1 -p tcp --dport 25 -j DROP


    Basically I have 2 networks; let's say eth1 (10.0.0.1) is gateway 1 and
    eth2 (192.168.0.1) is gateway 2.

    I want to allow clients on eth1 to be able to connect to any port 25
    mail server on the internet. But clients on gateway 2 are not allowed
    any outgoing connections on port 25.

    I was thinking last night of something like this:

    /usr/sbin/iptables -t nat -A PREROUTING -s -p tcp --destination-port 80 -j DROP




  7. Re: iptables question with multiple interfaces

    On Dec 13, 4:52 pm, phiveoh...@gmail.com wrote:
    > On Dec 12, 11:43 am, Philippe.We...@aero.jussieu.fr wrote:
    > > Pascal Hambourg wrote:
    > > > Hello,
    > > >
    > > > Philippe.We...@aero.jussieu.fr wrote:
    > > >> phiveoh...@gmail.com wrote:
    > > >>
    > > >>> I have a MASQUERADE server with 3 NICs.
    > > >>>
    > > >>> 1 (eth0) is my internet connection and the other 2 (eth1 / eth2) are
    > > >>> separate interfaces both sharing the internet connection.
    > > >>>
    > > >>> My question is I need to block port 25 only on one of the interfaces.
    > > >>> So allow outgoing port 25 connections on the eth1 network but not eth2
    > > >>> network. Currently I am using this rule:
    > >
    > > I read it as "do not allow outgoing SMTP connections on eth2",
    > > but perhaps that's not the question.
    > >
    > > > Do you mean "from the eth1 network"?
    > > >
    > > >> /usr/sbin/iptables -I FORWARD -p tcp -o eth2 --dport 25 -j DROP
    > > >
    > > > Unless I misunderstood the question, I'd use -i (input interface)
    > > > instead of -o (output interface). Also, I'd use REJECT instead of DROP
    > > > in order to avoid the looong time-out delay on the client, unless such a
    > > > delay is desirable for the OP.
    > >
    > > I also prefer REJECT, but the poster said:
    > > /usr/sbin/iptables -I FORWARD 1 -p tcp --dport 25 -j DROP
    >
    > Basically I have 2 networks; let's say eth1 (10.0.0.1) is gateway 1 and
    > eth2 (192.168.0.1) is gateway 2.
    >
    > I want to allow clients on eth1 to be able to connect to any port 25
    > mail server on the internet. But clients on gateway 2 are not allowed
    > any outgoing connections on port 25.
    >
    > I was thinking last night of something like this:
    >
    > /usr/sbin/iptables -t nat -A PREROUTING -s -p tcp --destination-port 80 -j DROP


    Oops, that destination should be 25, not 80.

  8. Re: iptables question with multiple interfaces

    phiveohtwo@gmail.com wrote:
    >
    > Basically I have 2 networks; let's say eth1 (10.0.0.1) is gateway 1 and
    > eth2 (192.168.0.1) is gateway 2.
    >
    > I want to allow clients on eth1 to be able to connect to any port 25
    > mail server on the internet. But clients on gateway 2 are not allowed
    > any outgoing connections on port 25.


    Are clients on eth2 allowed to connect to SMTP servers on eth1?

    > I was thinking last night of something like this:
    >
    > /usr/sbin/iptables -t nat -A PREROUTING -s -p tcp --destination-port 25 -j DROP


    The 'nat' table is not intended for filtering; it is reserved for
    address and port translation. Also, matching on the input interface is
    more reliable than matching on the source address.

    If you want to prohibit the clients on eth2 from connecting to SMTP
    servers outside their own network (including eth1):

    iptables -I FORWARD -i eth2 -p tcp --dport 25 -j DROP (or REJECT)

    If you want to prohibit the clients on eth2 from connecting to servers
    on the internet only (eth0):

    iptables -I FORWARD -i eth2 -o eth0 -p tcp --dport 25 -j DROP
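
As an added example, not code from anyone in this thread: a complete iptables-restore ruleset for the three-NIC gateway described above, with the `-i eth2 -o eth0` rule from the post above placed where it has to sit relative to the blanket accepts, the anti-spoofing rules Andrew mentions in post 4, and the REJECT variant Pascal and Philippe prefer. The /24 masks, the tcp-reset reject, the default-DROP FORWARD policy and the interface names beyond eth0/eth1/eth2 are assumptions; the thread only gives the gateway addresses 10.0.0.1 and 192.168.0.1.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset for
# the three-NIC MASQUERADE gateway discussed above.
#   eth0 = internet, eth1 = 10.0.0.0/24 (SMTP allowed), eth2 = 192.168.0.0/24 (SMTP blocked)
# Assumptions: /24 masks (the thread only gives the gateway addresses
# 10.0.0.1 and 192.168.0.1), REJECT with tcp-reset instead of DROP, and a
# default-DROP FORWARD chain with explicit accepts for each internal network.

WAN_IF=eth0
LAN1_IF=eth1; LAN1_NET=10.0.0.0/24
LAN2_IF=eth2; LAN2_NET=192.168.0.0/24

# The rule the thread converges on: match the interface the client network
# arrives on (-i) and the interface towards the internet (-o). A TCP reset
# makes the mail client fail immediately instead of waiting for its
# connect() timeout, which is what a silent DROP would cause.
smtp_block_rule() {
    echo "-A FORWARD -i $LAN2_IF -o $WAN_IF -p tcp --dport 25 -j REJECT --reject-with tcp-reset"
}

gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# The nat table is only consulted for the first packet of a connection and
# exists for translation; filtering does not belong here.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN1_IF -s $LAN1_NET -j ACCEPT
-A INPUT -i $LAN2_IF -s $LAN2_NET -j ACCEPT
# Anti-spoofing: a packet entering on an internal interface must carry a
# source address from that interface's network. Only with these in place
# would a later match on -s be as trustworthy as a match on -i.
-A FORWARD -i $LAN1_IF ! -s $LAN1_NET -j DROP
-A FORWARD -i $LAN2_IF ! -s $LAN2_NET -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The SMTP block must precede the blanket accept for eth2 -> eth0 below;
# appended after it, it would never be reached.
$(smtp_block_rule)
-A FORWARD -i $LAN1_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $LAN2_IF -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Returns 0 when the SMTP REJECT appears before the eth2 -> eth0 ACCEPT,
# i.e. when the ruleset actually enforces the block.
check_order() {
    rules=$(gen_rules)
    reject_ln=$(printf '%s\n' "$rules" | grep -n -e '--dport 25 -j REJECT' | cut -d: -f1)
    accept_ln=$(printf '%s\n' "$rules" | grep -n -e "-i $LAN2_IF -o $WAN_IF -j ACCEPT" | cut -d: -f1)
    [ -n "$reject_ln" ] && [ -n "$accept_ln" ] && [ "$reject_ln" -lt "$accept_ln" ]
}

# Usage (as root): sh smtp-gateway.sh > /etc/iptables/rules.v4 &&
#                  iptables-restore < /etc/iptables/rules.v4
# Verify afterwards with: iptables -L FORWARD -v -n --line-numbers
# and, from a client on eth2, `nc -vz <some mail server> 25`, which should
# fail at once with "connection refused" rather than hang.
check_order || { echo "SMTP block is ordered after the accept rule" >&2; exit 1; }
gen_rules
```

The script only generates the ruleset and checks its ordering; nothing touches the kernel until `iptables-restore` is run on the output, so it can be reviewed or diffed against the running configuration first. The ordering check exists because the original post used `-I FORWARD 1`, which inserts at the top; with `-A` in a restore file the position is whatever line the rule is on, and an SMTP block that lands after the accept for the same interface pair silently does nothing. The anti-spoofing rules are what would make a `-s 192.168.0.0/24` match equivalent to `-i eth2`; without them a client on eth1 could forge a 10.0.0.x source onto the wrong interface, which is why matching on the input interface is the more reliable choice.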

  9. Re: iptables question with multiple interfaces

    On Dec 14, 5:38 am, Pascal Hambourg wrote:
    > phiveoh...@gmail.com wrote:
    > >
    > > Basically I have 2 networks; let's say eth1 (10.0.0.1) is gateway 1 and
    > > eth2 (192.168.0.1) is gateway 2.
    > >
    > > I want to allow clients on eth1 to be able to connect to any port 25
    > > mail server on the internet. But clients on gateway 2 are not allowed
    > > any outgoing connections on port 25.
    >
    > Are clients on eth2 allowed to connect to SMTP servers on eth1?
    >
    > > I was thinking last night of something like this:
    > >
    > > /usr/sbin/iptables -t nat -A PREROUTING -s -p tcp --destination-port 25 -j DROP
    >
    > The 'nat' table is not intended for filtering; it is reserved for
    > address and port translation. Also, matching on the input interface is
    > more reliable than matching on the source address.
    >
    > If you want to prohibit the clients on eth2 from connecting to SMTP
    > servers outside their own network (including eth1):
    >
    > iptables -I FORWARD -i eth2 -p tcp --dport 25 -j DROP (or REJECT)
    >
    > If you want to prohibit the clients on eth2 from connecting to servers
    > on the internet only (eth0):
    >
    > iptables -I FORWARD -i eth2 -o eth0 -p tcp --dport 25 -j DROP


    eth1 and eth2 are just internal networks (like 25 clients on each)
    they are all desktops so there will be no "internal" mail server
    running. I just need to allow 1 group to access external mail servers
    and the other group is not allowed.

    I'll test out your suggestion above and work with it.

    Thank you so much for your help.
