You would still need netfilter to prevent other users from using the internet as a back door. For example, financial firms must log all incoming and outgoing smtp traffic. To accomplish this you need to ensure that your users cannot access external SMTP servers otherwise they could sent out unlogged messages. We have done this in the past for a few companies. This forces the user to use the sendmail server for their email. I think this is the goal of the requester. Gary Smith ________________________________ From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx on behalf of Aleksandar Milivojevic Sent: Wed 10/27/2004 11:20 AM To: netfilter@xxxxxxxxxxxxxxxxxxx Subject: Re: Restrict LAN users to send mail to Internet but allow to send mail to other LAN user. ads nat wrote: > Now I want to allow LAN users to send emails to each > other on LAN but want to allow some LAN users to send > email to Internet(Outside world). > Is there any way using Linux iptables firewall to > acieve this requirement. I will assume that LAN users are allowed to connect to mail server only, and not to outside world. Controlling this on Sendmail level would be much more simpler and efficient. Assuming you are using Sendmail as your MTA. Netfilter isn't suited for this, because there's no way for it to know if SMTP connection between client (LAN user) and server is delivery of email addressed to another LAN user, or to somebody at the outside. Also, Sendmail will take care of generating appropriate error messages back to the users, while Netfilter would simply block the traffic without any explanation to the user what happened. -- Aleksandar Milivojevic <amilivojevic@xxxxxx> Pollard Banknote Limited Systems Administrator 1499 Buffalo Place Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
