On Wednesday 23 June 2004 9:42 am, Dharmendra T. wrote:
> Hi,
>
> Are there any other rules you have defined? If no, this may work:
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> iptables -A FORWARD -o eth0 -p tcp -m tcp -d <approved mail server>
> --dport 25 -j ACCEPT
> iptables -A OUTPUT -o eth0 -p tcp -m tcp -d <approved mail server>
> --dport 25 -j ACCEPT
The above rules (if you are propsing them as a complete ruleset) are a highly
secure system - nothing will get through it, and nothing will get to
communicate with the box itself.
Why?
1. You have a default DROP policy on FORWARD (good idea), and a rule allowing
packets to TCP port 25 on a specific server, but no rule allowing replies
back again. Therefore no traffic gets *through* the machine.
2. You have a default DROP policy on INPUT, and no rules in the INPUT chain
allowing anything at all, therefore no packets can get in (which makes the
rule in the OUTPUT chain allowing some packets out somewhat pointless).
Regards,
Antony.
--
"Black holes are where God divided by zero."
- Steven Wright
Please reply to the list;
please don't CC me.
