Re: IPTABLES question.


Dan de Haan wrote:

|I am using iptables to block all computers except our internal mail server
|from connecting to offsite SMTP servers using the following rule:
|
|/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -s ! 192.168.1.5 --dport 25 -j DROP
|
|We now have a second mail server that needs to send out, but I can't figure
|out how to add two exceptions.  If I add another -s I just get an error.
|How can I do this?
|
|    -Dan
|
Dan,

Are the two IP's on the same subnet?

If so, you can use the IP mask option to broaden the exception; or to
say only which ones you will accept and then add a last rule that
drops all others.

-s 192.168.1.5 --dport 25 -j ACCEPT     <<-- This will allow connections from this IP
-s 192.168.1.15 --dport 25 -j ACCEPT    <<-- This will allow connections from another IP
-s 0.0.0.0 --dport 25 -j DROP           <<-- This will DROP everyone else that doesn't ACCEPT above.

This is a simpler approach and allows for expansion of the list...
But, a subnet is better served like this:

-s 192.168.1.0/255.255.255.0 --dport 25 -j ACCEPT
-s 0.0.0.0 --dport 25 -j DROP

I personally like to use a REJECT with destination port unavailable /
unreachable...  It is nicer and cleaner on people to fix the problems
than look at a stuck application.

James.
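The allow-list approach James describes, written out as an added example that is not from the original thread. The interface name, the host list and the SMTP_OUT chain name are constructed, and the rules are placed in the filter table's FORWARD chain rather than nat PREROUTING; the script prints the commands so they can be reviewed before being run on the firewall.

```shell
#!/bin/sh
# Added example: allow only listed internal hosts to reach outbound SMTP.
# Interface, host addresses and chain name are constructed for illustration.
LAN_IF="eth0"
ALLOWED_SMTP_HOSTS="192.168.1.5 192.168.1.15"   # space-separated list

# smtp_rules IFACE HOST...  prints the iptables commands one per line
# rather than running them, so the rule set can be reviewed or diffed
# before being piped to sh on the firewall.
smtp_rules() {
    iface="$1"; shift
    # Dedicated chain: create it, or flush it if it already exists, so the
    # script is safe to re-run.
    echo "iptables -N SMTP_OUT 2>/dev/null || iptables -F SMTP_OUT"
    # Filtering belongs in the filter table's FORWARD chain. The nat
    # PREROUTING chain used in the original rule only sees the first
    # packet of a connection and is meant for address translation, not
    # for access policy.
    echo "iptables -A FORWARD -i $iface -p tcp --dport 25 -j SMTP_OUT"
    # One ACCEPT per permitted sender; adding a host is one more line.
    for host in "$@"; do
        echo "iptables -A SMTP_OUT -s $host -j ACCEPT"
    done
    # Log (rate-limited), then reject everyone else. Omitting -s means
    # "any source"; "-s 0.0.0.0" would match only that literal address.
    # REJECT with a TCP reset gives the client an immediate "connection
    # refused" instead of a hung session (the default reject type is
    # icmp-port-unreachable, the one mentioned in the reply above).
    echo "iptables -A SMTP_OUT -m limit --limit 5/min -j LOG --log-prefix \"smtp-blocked: \""
    echo "iptables -A SMTP_OUT -j REJECT --reject-with tcp-reset"
}

# Word splitting of $ALLOWED_SMTP_HOSTS is intentional (left unquoted).
smtp_rules "$LAN_IF" $ALLOWED_SMTP_HOSTS
```

Pipe the output to `sh` only after checking it; on a host that is also the internal LAN's default gateway these rules cover forwarded traffic, while traffic originating on the firewall itself would need the same chain hooked from OUTPUT.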

