Hi Gavin,

On Mon, Jan 10, 2005 at 10:30:59AM +0000, Gavin Hamill told us:
> Hello :)
>
> Normally I permit only port 80 incoming to our webservers, but since each
> webserver also sends out booking-complete confirmation emails, I would like
> to also enable incoming port 25 for those remote mail servers who 'call back'
> to check that the envelope sender / HELO address is truly a reachable mail
> server.
>
> I don't particularly want to leave port 25 simply open, but only for those
> hosts with whom an outgoing port 25 connection is already established with.
>
> Is this possible?

Yes, should be doable by using the "recent" extension with something like this:

    iptables -I OUTPUT -p tcp --dport 25 -m recent --set --rdest -j ACCEPT
    iptables -I INPUT -p tcp --dport 25 -m recent --update --seconds 60 -j ACCEPT

The first rule will add the destination IP address of the outgoing SMTP session to the recent list. The second rule will match (and allow) incoming SMTP sessions from IPs which are on the recent list and not older than 60 seconds (and update the recent list with the source IP, therefore extending the time frame for this IP for another 60 seconds).

(I must admit that I haven't made heavy use of the recent match myself, so these two rules might not be 100% correct. Look at it as a starting point :-) Here is the ipt_recent documentation: http://snowman.net/projects/ipt_recent/ )

I'm assuming a default policy of DROP here, otherwise you might need an explicit DROP rule for packets not matched by the ACCEPT rule.

HTH
Sven

>
> Cheers,
> Gavin.

--
Linux zion 2.6.10-bk7 #0 Fri Jan 7 19:08:39 CET 2005 i686 athlon i386 GNU/Linux
12:08:18 up 2 days, 16:45, 1 user, load average: 0.00, 0.04, 0.05
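The following is an added illustration, not part of Sven's reply or of the iptables project: a small Python model of what the two "recent" rules above do over time. It assumes the documented semantics of the match (--set always matches and records the address, --rdest records the destination instead of the source, --update --seconds N matches only if the address was seen within the last N seconds and refreshes its timestamp on a match) and the default DROP policy the reply assumes; the hosts, timestamps and the "callback" timeline are constructed for the example.

```python
"""Model of the 'recent' match as used by the two rules in the reply (added example).

Rules modelled, on the DEFAULT recent list:
  OUTPUT -p tcp --dport 25 -m recent --set --rdest          -> ACCEPT
  INPUT  -p tcp --dport 25 -m recent --update --seconds 60  -> ACCEPT
Anything else on port 25 falls through to the assumed default policy, DROP.
"""
from dataclasses import dataclass, field

WINDOW_SECONDS = 60  # the --seconds 60 of the INPUT rule


@dataclass
class RecentList:
    """One recent list: address -> time it was last seen."""
    entries: dict = field(default_factory=dict)

    def set(self, addr, now):
        # --set: add (or refresh) the entry; this form of the match always matches
        self.entries[addr] = now
        return True

    def update(self, addr, now, seconds):
        # --update --seconds N: match only if addr is listed and was seen
        # within the last N seconds; on a match, refresh its timestamp,
        # which is what extends the window by another N seconds.
        last = self.entries.get(addr)
        if last is None or now - last > seconds:
            return False
        self.entries[addr] = now
        return True


@dataclass
class Port25Firewall:
    recent: RecentList = field(default_factory=RecentList)

    def outgoing_smtp(self, dst, now):
        # OUTPUT rule: record the *destination* (--rdest) of our outgoing SMTP session
        return "ACCEPT" if self.recent.set(dst, now) else "DROP"

    def incoming_smtp(self, src, now):
        # INPUT rule: accept only if the *source* was recently a destination of ours
        if self.recent.update(src, now, WINDOW_SECONDS):
            return "ACCEPT"
        return "DROP"  # default policy assumed in the reply


def callback_scenario():
    """Constructed timeline: our webserver delivers mail to 198.51.100.7, that
    server calls back on port 25 to verify the sender, and an unrelated host
    (203.0.113.9) also tries to connect to port 25."""
    fw = Port25Firewall()
    verdicts = {}
    verdicts["outgoing"] = fw.outgoing_smtp("198.51.100.7", now=0)
    verdicts["callback_30s"] = fw.incoming_smtp("198.51.100.7", now=30)    # inside window
    verdicts["callback_80s"] = fw.incoming_smtp("198.51.100.7", now=80)    # 50s after refresh
    verdicts["stranger_40s"] = fw.incoming_smtp("203.0.113.9", now=40)     # never a destination
    verdicts["callback_200s"] = fw.incoming_smtp("198.51.100.7", now=200)  # window expired
    return verdicts


if __name__ == "__main__":
    for event, verdict in callback_scenario().items():
        print(f"{event:14s} {verdict}")
```

The model makes the one behaviour worth noticing explicit: each accepted callback refreshes the entry, so a remote server that keeps connecting stays allowed indefinitely, while a host we never sent mail to is dropped by the default policy regardless of timing.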