Re: Bridge/VPN question.

On Wednesday 23 June 2004 9:42 am, Dharmendra T. wrote:

> Hi,
>
> Are there any other rules you have defined? If no, this may work:
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> iptables -A FORWARD -o eth0 -p tcp -m tcp -d <approved mail server>
> --dport 25 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp -m tcp -d <approved mail server>
> --dport 25 -j ACCEPT

The above rules (if you are proposing them as a complete ruleset) are a highly 
secure system - nothing will get through it, and nothing will get to 
communicate with the box itself.

Why?

1. You have a default DROP policy on FORWARD (good idea), and a rule allowing 
packets to TCP port 25 on a specific server, but no rule allowing replies 
back again. Therefore no traffic gets *through* the machine.

2. You have a default DROP policy on INPUT, and no rules in the INPUT chain 
allowing anything at all, therefore no packets can get in (which makes the 
rule in the OUTPUT chain allowing some packets out somewhat pointless).

Regards,

Antony.

-- 
"Black holes are where God divided by zero."

 - Steven Wright

                                                     Please reply to the list;
                                                           please don't CC me.
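The two points Antony raises can be checked without a live netfilter box. The following Python model, added here and not part of either poster's message, mimics the first-match traversal of the INPUT, OUTPUT and FORWARD chains with a default DROP policy, loads the quoted ruleset, and traces an SMTP connection in both directions. It then adds the rule the quoted set lacks, the equivalent of `iptables -A <chain> -m state --state ESTABLISHED,RELATED -j ACCEPT` on each chain, and repeats the trace. The addresses (`192.0.2.25` standing in for `<approved mail server>`, a LAN client on `eth1`) and the conntrack states attached to each packet are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Constructed placeholders; the original rules say "<approved mail server>".
MAIL_SERVER = "192.0.2.25"
LAN_CLIENT = "10.0.0.7"
FIREWALL_IP = "203.0.113.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    in_if: str    # "" when the firewall itself generated the packet
    out_if: str   # "" when the packet is addressed to the firewall itself
    state: str    # what conntrack would report: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    """One iptables rule: every given match must hold, then the target applies."""
    target: str
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[FrozenSet[str]] = None   # models "-m state --state ..."

    def matches(self, p: Packet) -> bool:
        return all((
            self.out_if is None or p.out_if == self.out_if,
            self.proto is None or p.proto == self.proto,
            self.dst is None or p.dst == self.dst,
            self.dport is None or p.dport == self.dport,
            self.states is None or p.state in self.states,
        ))


@dataclass
class Chain:
    policy: str = "DROP"
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, p: Packet) -> str:
        # First matching rule wins; otherwise the chain policy applies.
        for rule in self.rules:
            if rule.matches(p):
                return rule.target
        return self.policy


def chain_for(p: Packet) -> str:
    """Routing decision: transit traffic hits FORWARD, local traffic INPUT/OUTPUT."""
    if p.in_if and p.out_if:
        return "FORWARD"
    return "INPUT" if p.in_if else "OUTPUT"


def evaluate(ruleset: Dict[str, Chain], p: Packet) -> str:
    return ruleset[chain_for(p)].verdict(p)


def quoted_ruleset() -> Dict[str, Chain]:
    """The ruleset exactly as quoted in the mail: DROP policies plus one SMTP rule
    each on OUTPUT and FORWARD, nothing at all on INPUT."""
    smtp = Rule("ACCEPT", out_if="eth0", proto="tcp", dst=MAIL_SERVER, dport=25)
    return {"INPUT": Chain(), "OUTPUT": Chain(rules=[smtp]), "FORWARD": Chain(rules=[smtp])}


def stateful_ruleset() -> Dict[str, Chain]:
    """Same rules with '-m state --state ESTABLISHED,RELATED -j ACCEPT' prepended
    to every chain, so replies to permitted connections are let back in."""
    rs = quoted_ruleset()
    replies = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
    for chain in rs.values():
        chain.rules.insert(0, replies)
    return rs


def trace(ruleset: Dict[str, Chain]) -> Dict[str, str]:
    """Verdicts for an SMTP session through the box and one from the box itself."""
    fwd_syn = Packet(LAN_CLIENT, MAIL_SERVER, "tcp", 25, "eth1", "eth0", "NEW")
    fwd_reply = Packet(MAIL_SERVER, LAN_CLIENT, "tcp", 40000, "eth0", "eth1", "ESTABLISHED")
    own_syn = Packet(FIREWALL_IP, MAIL_SERVER, "tcp", 25, "", "eth0", "NEW")
    own_reply = Packet(MAIL_SERVER, FIREWALL_IP, "tcp", 40001, "eth0", "", "ESTABLISHED")
    return {
        "forward_syn": evaluate(ruleset, fwd_syn),
        "forward_reply": evaluate(ruleset, fwd_reply),
        "own_syn": evaluate(ruleset, own_syn),
        "own_reply": evaluate(ruleset, own_reply),
    }


if __name__ == "__main__":
    print("quoted ruleset:        ", trace(quoted_ruleset()))
    print("with ESTABLISHED,RELATED:", trace(stateful_ruleset()))
```

With the quoted rules the outbound SYN is accepted on both FORWARD and OUTPUT, but the server's SYN/ACK arrives on eth0 bound for eth1 (or for the box itself) and matches nothing, so the DROP policy eats it; no handshake ever completes, which is exactly the behaviour described above. The stateful variant accepts the reply in both cases. Note that the model only mimics first-match semantics and conntrack states; it does not parse real iptables syntax.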
