Mailing List Archive: exim: users

iptables



admin at dslcomputer

Oct 25, 2009, 3:31 AM

Post #1 of 6 (881 views)
iptables

Where within the EXIM directory, and sample script, should I install
iptable (replace 1.2.3.4 with IP to allow) rules to block ports 25.

Sample of iptables rules:

iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
iptables -I INPUT -p tcp --dport 2525 -j REJECT

iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
iptables -I INPUT -p tcp --dport 2525 -j REJECT


And, is this the best policy to block port 25?


--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


addw at phcomp

Oct 25, 2009, 4:14 AM

Post #2 of 6 (814 views)
Re: iptables [In reply to]

On Sun, Oct 25, 2009 at 03:31:14AM -0700, Harold Huggins wrote:
>
> Where within the EXIM directory, and sample script, should I install
> iptable (replace 1.2.3.4 with IP to allow) rules to block ports 25.
>
> Sample of iptables rules:
>
> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
> iptables -I INPUT -p tcp --dport 2525 -j REJECT
>
> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
> iptables -I INPUT -p tcp --dport 2525 -j REJECT
>
>
> And, is this the best policy to block port 25?

??? Why are you blocking port 25 at all?
You don't want to do the above unless your machine (presumably internal)
can only receive email from IP 1.2.3.4.

You presumably want to be able to receive email from anywhere, so you
need to have something like:

iptables -A INPUT -p TCP --dport smtp -j ACCEPT
iptables -A INPUT -p TCP --dport smtps -j ACCEPT

ie accept incoming email from anywhere.

If you accept authenticated email (eg from peripatetic workers) you may want:

iptables -A INPUT -p TCP --dport submission -j ACCEPT

You should be able to use the names for the port numbers (look in /etc/services)
if not use the numbers: 25, 465 & 587.

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>



admin at dslcomputer

Oct 25, 2009, 4:47 AM

Post #3 of 6 (807 views)
Re: iptables [In reply to]

No. We built a smarthost that accepts IP Addresses only from DynDNS. The
goal is to block any other IP Address with the exception of DynDNS. Go to
the URL links, below:
http://www.jimmy.co.at/exim.html
https://www.dyndns.com/support/kb/mailhop_filtering.html
http://linux.die.net/man/8/iptables

On Sun, 25 Oct 2009 11:14:36 +0000, Alain Williams <addw [at] phcomp>
wrote:
> On Sun, Oct 25, 2009 at 03:31:14AM -0700, Harold Huggins wrote:
>>
>> Where within the EXIM directory, and sample script, should I install
>> iptable (replace 1.2.3.4 with IP to allow) rules to block ports 25.
>>
>> Sample of iptables rules:
>>
>> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
>> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
>> iptables -I INPUT -p tcp --dport 2525 -j REJECT
>>
>> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
>> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
>> iptables -I INPUT -p tcp --dport 2525 -j REJECT
>>
>>
>> And, is this the best policy to block port 25?
>
> ??? Why are you blocking port 25 at all?
> You don't want to do the above unless your machine (presumably internal)
> can only receive email from IP 1.2.3.4.
>
> You presumably want to be able to receive email from anywhere, so you
> need to have something like:
>
> iptables -A INPUT -p TCP --dport smtp -j ACCEPT
> iptables -A INPUT -p TCP --dport smtps -j ACCEPT
>
> ie accept incoming email from anywhere.
>
> If you accept authenticated email (eg from peripatetic workers) you may
> want:
>
> iptables -A INPUT -p TCP --dport submission -j ACCEPT
>
> You should be able to use the names for the port numbers (look in
> /etc/services)
> if not use the numbers: 25, 465 & 587.

--
Regards,
Manager, Harold Huggins
DSL Computer
13337 East South St., 416
Cerritos, Ca 90703
Phone: 973-854-4645 x 107
Fax: 973-854-4645
Email: admin [at] dslcomputer
http://dslcomputer.com
http://twitter.com/dslcomputer



admin at dslcomputer

Oct 25, 2009, 5:17 AM

Post #4 of 6 (797 views)
Re: iptables [In reply to]

Ok. How do I populate a specific range of IP addresses (e.g., iptables)
without using individual addresses?

On Sun, 25 Oct 2009 11:14:36 +0000, Alain Williams <addw [at] phcomp>
wrote:
> On Sun, Oct 25, 2009 at 03:31:14AM -0700, Harold Huggins wrote:
>>
>> Where within the EXIM directory, and sample script, should I install
>> iptable (replace 1.2.3.4 with IP to allow) rules to block ports 25.
>>
>> Sample of iptables rules:
>>
>> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
>> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
>> iptables -I INPUT -p tcp --dport 2525 -j REJECT
>>
>> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
>> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
>> iptables -I INPUT -p tcp --dport 2525 -j REJECT
>>
>>
>> And, is this the best policy to block port 25?
>
> ??? Why are you blocking port 25 at all?
> You don't want to do the above unless your machine (presumably internal)
> can only receive email from IP 1.2.3.4.
>
> You presumably want to be able to receive email from anywhere, so you
> need to have something like:
>
> iptables -A INPUT -p TCP --dport smtp -j ACCEPT
> iptables -A INPUT -p TCP --dport smtps -j ACCEPT
>
> ie accept incoming email from anywhere.
>
> If you accept authenticated email (eg from peripatetic workers) you may
> want:
>
> iptables -A INPUT -p TCP --dport submission -j ACCEPT
>
> You should be able to use the names for the port numbers (look in
> /etc/services)
> if not use the numbers: 25, 465 & 587.
>
> --
> Alain Williams
> Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
> +44 (0) 787 668 0256 http://www.phcomp.co.uk/
> Parliament Hill Computers Ltd. Registration Information:
> http://www.phcomp.co.uk/contact.php
> Past chairman of UKUUG: http://www.ukuug.org/
> #include <std_disclaimer.h>





graeme at graemef

Oct 25, 2009, 6:21 AM

Post #5 of 6 (802 views)
Re: iptables [In reply to]

On Sun, 2009-10-25 at 05:17 -0700, Harold Huggins wrote:
> Ok. How do I populate a specific range of IP addresses (e.g., iptables)
> without using individual addresses?

There are many ways to do that.

Unfortunately, as kind as people are on this list and as happy as they
are to help, this isn't the right place to be asking this type of
question.

If anyone would like to help Harold directly, feel free - but please try
to keep responses on this list Exim related. Thanks.

Graeme




nmw at ion

Oct 26, 2009, 8:21 AM

Post #6 of 6 (780 views)
Re: iptables [In reply to]

Harold Huggins wrote:
> Where within the EXIM directory, and sample script, should I install
> iptable (replace 1.2.3.4 with IP to allow) rules to block ports 25.

Generally, you wouldn't install iptables rules anywhere within the Exim
directory tree. Iptables is a kernel level packet filter for the Linux
kernel. Exim is a cross-platform mail transport agent, a user-land
application, and should not be concerned with kernel level matters on
one specific platform.

Iptables rules are normally dealt with elsewhere within your Linux
configuration. You should use whatever tool you normally use to define
your iptables rules. These are many and varied. Which you use is a
matter of choice, and may well be influenced by whatever flavour of
Linux you are using. If you are not running Linux then you won't be
using iptables.

>
> Sample of iptables rules:
>
> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
> iptables -I INPUT -p tcp --dport 2525 -j REJECT
>
> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
> iptables -I INPUT -p tcp -s 1.2.3.4 --dport 25 -j ACCEPT
> iptables -I INPUT -p tcp --dport 2525 -j REJECT
>
>
> And, is this the best policy to block port 25?

No. I don't see why you'd want to explicitly block port 2525 (why port
2525?) unless you have something listening on that port, and you have
lax default accept policy. If you have a lax default accept policy then
the rule to accept port 25 is irrelevant. The above combination doesn't
make any sense to me.

There is no need to insert the same rule twice, or to repeat the entire
ruleset twice.

A better policy is to DROP everything and then only allow what you
explicitly require. Accept ESTABLISHED,RELATED traffic. Only accept
state NEW on port 25.

But this isn't directly related to Exim, so it's not really suitable for
this mailing list.


--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw [at] ion
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555

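Added example (not written by any poster in this thread): a POSIX shell script that renders the policy Nigel describes (default DROP, accept ESTABLISHED,RELATED, accept state NEW only on the mail ports Alain lists) as an iptables-restore ruleset, and answers Harold's question about ranges by putting a CIDR block in `-s` instead of one rule per address. The management network, the two relay source networks and the SSH rule are assumptions for illustration; the RFC 5737 documentation ranges are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Prints an iptables-restore "filter"
# table for a smarthost; it does not touch the running firewall itself.
# Apply with:  sh smarthost-rules.sh | iptables-restore

# build_smtp_ruleset <mgmt_cidr> <allowed_cidr>...
#   mgmt_cidr     network allowed to reach SSH (assumed for administration)
#   allowed_cidr  one or more source networks allowed to relay mail
build_smtp_ruleset() {
    mgmt="$1"; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'        # drop everything by default
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # replies to connections we already track are always fine
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # SSH only from the management range (assumption, so you are not locked out)
    printf '%s\n' "-A INPUT -p tcp -s $mgmt --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # smtp (25), smtps (465), submission (587): NEW connections only from
    # the allowed ranges; a CIDR in -s covers the whole range in one rule
    for net in "$@"; do
        for port in 25 465 587; do
            printf '%s\n' "-A INPUT -p tcp -s $net --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    printf '%s\n' 'COMMIT'
}

# count_accepts_for_port <port> <mgmt_cidr> <allowed_cidr>...
#   Number of ACCEPT rules generated for one destination port.
count_accepts_for_port() {
    port="$1"; shift
    build_smtp_ruleset "$@" | grep -c -- "--dport $port .*-j ACCEPT"
}

# Constructed sample input: management net 192.0.2.0/24, relay sources
# 198.51.100.0/24 and 203.0.113.0/24 (RFC 5737 documentation ranges).
build_smtp_ruleset 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
```

Because the INPUT policy is DROP, nothing on port 2525 (or any other port) needs an explicit REJECT rule, and the whole ruleset is loaded atomically by iptables-restore rather than one `iptables -I` at a time.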
