Re: POP, SMTP forward question

I'll try this post again....

On 1/4/07, Chris Nighswonger <cnighswonger@xxxxxxxxxxxxxxx> wrote:
Hi all,
 I'm fairly new to iptables and would like some input on my firewall
config. I have a linux box setup as a proxy to the internet. It is the
only box on the network with internet access. I use browser proxy
configurations on the client machines to send all http, etc traffic to
the linux box. I want to be able to permit pop and smtp traffic to
flow through the linux box to the internet unproxied, but deny any
other traffic. My current iptables config appears to meet these
requirements well, however, I would like the config to be as tight as
possible without being over paranoid. Here is my current iptables
config. Any suggestions regarding this config are welcome.

# eth2 192.168.2.0/24 Dirty side
# eth0 192.168.0.0/24 Clean side
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth2 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [862:117148]
:INPUT ACCEPT [862:117148]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [861:116919]
:POSTROUTING ACCEPT [861:116919]
COMMIT
*filter
:FORWARD DROP [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state -o eth0 --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp -m multiport -i eth0 -j ACCEPT --dports 25,110,465,995
-A FORWARD -p tcp -m tcp -o eth2 --dport 31337:31340 --sport 31337:31340 -j DROP
-A FORWARD -s 192.168.0.0/255.255.255.0 -i eth2 -j DROP
-A OUTPUT -p tcp -m tcp -o eth2 --dport 31337:31340 --sport 31337:31340 -j DROP
COMMIT

--
Chris Nighswonger
Network & Systems Director
Foundations Bible College & Seminary
www.foundations.edu
cnighswonger >at< foundations >daught< edu
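An added example, not part of the post above: a small evaluator that parses the *filter table from the ruleset quoted in the post and reports which FORWARD rule (or the chain policy) decides the fate of a few constructed flows. It models only the FORWARD chain, not routing, NAT or connection tracking, and each flow carries the conntrack state it is assumed to have. The flow names, the client address 192.168.0.10 and the internet host 203.0.113.5 are constructed for the example. Running it shows the two things a reviewer of this ruleset would check first: the mail ports are accepted for clean-side clients by rule 3 while other new outbound traffic falls to the DROP policy, and the first rule, as written, accepts any NEW flow leaving on eth0, so it matches before the later DROP for 192.168.0.0/24 arriving on eth2 ever gets a look.

```python
"""Evaluate constructed flows against the FORWARD chain of an iptables-save dump.
Added example, not from the original post. RULESET is the *filter table from
the post; the flows are constructed. Routing, NAT and conntrack are not
modelled: each flow is checked against FORWARD with an assumed conntrack state."""
import ipaddress
from collections import namedtuple

RULESET = """\
*filter
:FORWARD DROP [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state -o eth0 --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp -m multiport -i eth0 -j ACCEPT --dports 25,110,465,995
-A FORWARD -p tcp -m tcp -o eth2 --dport 31337:31340 --sport 31337:31340 -j DROP
-A FORWARD -s 192.168.0.0/255.255.255.0 -i eth2 -j DROP
COMMIT
"""

Flow = namedtuple("Flow", "in_if out_if src proto sport dport state")
SIMPLE = {"-i": "in_if", "-o": "out_if", "-p": "proto", "-j": "target"}

def _ranges(spec):
    """'25,110' -> [(25, 25), (110, 110)]; '31337:31340' -> [(31337, 31340)]."""
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.append((int(lo), int(hi or lo)))
    return out

def parse_rule(tokens):
    """Tokens of one '-A CHAIN ...' line -> dict of match clauses plus target."""
    rule = {"chain": tokens[1]}
    for opt, val in zip(tokens[2::2], tokens[3::2]):   # every option takes one value here
        if opt in SIMPLE:
            rule[SIMPLE[opt]] = val
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(val, strict=False)  # accepts dotted netmask
        elif opt == "--state":
            rule["states"] = set(val.split(","))
        elif opt in ("--dport", "--dports"):
            rule["dports"] = _ranges(val)
        elif opt == "--sport":
            rule["sports"] = _ranges(val)
        # '-m state' / '-m tcp' / '-m multiport' only load a match module: ignored
    return rule

def parse_filter_table(text):
    """({chain: policy}, [rules]) for the *filter table; other tables are skipped."""
    policy, rules, in_filter = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, pol = line[1:].split()[:2]        # ':FORWARD DROP [0:0]'
            policy[chain] = pol
        elif in_filter and line.startswith("-A"):
            rules.append(parse_rule(line.split()))
    return policy, rules

def matches(rule, flow):
    """True when every match clause in the rule holds for the flow."""
    for key in ("in_if", "out_if", "proto"):
        if key in rule and rule[key] != getattr(flow, key):
            return False
    if "src" in rule and ipaddress.ip_address(flow.src) not in rule["src"]:
        return False
    if "states" in rule and flow.state not in rule["states"]:
        return False
    for key, port in (("dports", flow.dport), ("sports", flow.sport)):
        if key in rule and not any(lo <= port <= hi for lo, hi in rule[key]):
            return False
    return True

def verdict(text, flow, chain="FORWARD"):
    """(target, rule_number) from the first matching rule, else (policy, None)."""
    policy, rules = parse_filter_table(text)
    for number, rule in enumerate([r for r in rules if r["chain"] == chain], 1):
        if matches(rule, flow):
            return rule["target"], number
    return policy[chain], None

# Constructed flows: 192.168.0.10 is a clean-side client, 203.0.113.5 is a
# documentation-range address standing in for an internet host.
FLOWS = {
    "client POP3 out": Flow("eth0", "eth2", "192.168.0.10", "tcp", 40000, 110, "NEW"),
    "client HTTP out": Flow("eth0", "eth2", "192.168.0.10", "tcp", 40001, 80, "NEW"),
    "POP3 reply in": Flow("eth2", "eth0", "203.0.113.5", "tcp", 110, 40000, "ESTABLISHED"),
    "new inbound in": Flow("eth2", "eth0", "203.0.113.5", "tcp", 50000, 22, "NEW"),
    "spoofed src in": Flow("eth2", "eth0", "192.168.0.10", "tcp", 50000, 22, "NEW"),
}

def evaluate_all(text=RULESET):
    """Map every sample flow to its (target, rule_number) under the ruleset."""
    return {name: verdict(text, flow) for name, flow in FLOWS.items()}
```

Calling evaluate_all() yields ACCEPT by rule 3 for the POP3 client flow, DROP by chain policy for the HTTP one, and ACCEPT by rule 1 for all three flows entering on eth2, including the NEW ones. The evaluator is deliberately narrow (TCP, a handful of match options, no routing or NAT), which is enough to reason about rule order in this chain; for anything more, a copy of the live ruleset under iptables-save and the counters it prints are the real check.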
