Dan de Haan wrote:
|I am using iptables to block all computers except the internal mail server
|from connecting to offsite SMTP servers using the following rule:
|
|/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -s ! 192.168.1.5 --dport 25 -j DROP
|
|We now have a second mail server that needs to send out, but I can't figure
|out how to add two exceptions. If I add another -s I just get an error.
|How can I do this?
|
| -Dan
|
Dan,
Are the two IPs on the same subnet?
If so, you can use the IP mask option to broaden the exception; or to say only which ones you will accept and then add a last rule that drops all others.
-s 192.168.1.5 --dport 25 -j ACCEPT    <<-- This will allow connections from this IP
-s 192.168.1.15 --dport 25 -j ACCEPT   <<-- This will allow connections from another IP
-s 0.0.0.0/0 --dport 25 -j DROP        <<-- This will DROP everyone else that isn't ACCEPTed above.
This is a simpler approach and allows for expansion of the list... But, a subnet is better served like this:
-s 192.168.1.0/255.255.255.0 --dport 25 -j ACCEPT
-s 0.0.0.0/0 --dport 25 -j DROP
I personally like to use a REJECT with destination port unavailable / unreachable... It is nicer and cleaner on people to fix the problems than look at a stuck application.
James.
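As an added example (not part of the thread above), the allow-list approach James describes, written so that any number of mail servers can be granted outbound SMTP and everything else gets the REJECT he prefers. It assumes /sbin/iptables and eth0 as in Dan's rule, and places the rules in the filter table's FORWARD chain rather than nat/PREROUTING, since the nat table is meant for address translation, not filtering.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a ruleset that lets an
# explicit list of internal mail servers reach outside SMTP (tcp/25) and
# rejects the rest, instead of stacking "-s" exceptions in one rule.
# Assumptions: iptables at /sbin/iptables, LAN on eth0, filter/FORWARD chain.
IPTABLES=/sbin/iptables
LAN_IF=eth0

# smtp_rules <src>...: print one ACCEPT per allowed source (host or CIDR),
# then a final catch-all REJECT. The commands are printed, not executed, so
# they can be reviewed first and applied with:
#   smtp_rules 192.168.1.5 192.168.1.15 | sh
smtp_rules() {
    [ $# -gt 0 ] || { echo "usage: smtp_rules <src>..." >&2; return 1; }
    for src in "$@"; do
        case "$src" in
            */*) ;;                 # already has a mask, keep as is
            *)   src="$src/32" ;;   # single host: make the /32 explicit
        esac
        printf '%s -A FORWARD -i %s -p tcp -s %s --dport 25 -j ACCEPT\n' \
            "$IPTABLES" "$LAN_IF" "$src"
    done
    # No -s on the catch-all: a bare "-s 0.0.0.0" matches only host 0.0.0.0/32.
    # REJECT with port-unreachable fails the client quickly instead of hanging it.
    printf '%s -A FORWARD -i %s -p tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable\n' \
        "$IPTABLES" "$LAN_IF"
}

# count_accepts <src>...: how many ACCEPT rules smtp_rules would emit.
count_accepts() { smtp_rules "$@" | grep -c -- '-j ACCEPT'; }
```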