> Hi,
> I have a mail server which has two interfaces, eth0 [internal] and
> eth1 [external]. I want certain ports like 25, 110, 995 to be open for
> outsiders as well as local, and some ports, 10000, 5666, to be open for
> local only. If anyone can help me out regarding this...
>
> I'm a mail-system guy, so I'm not very much aware of iptables rules. If
> anyone can give me some documentation links for mailing-system-related
> iptables documentation, that will be helpful for me.

It's best practice to have everything closed and just open up the ports
(to specific IPs) where needed. $LAN could be the network address you're
using or a specific IP.

    $ipt -P INPUT DROP
    $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -A INPUT -m state --state NEW -i lo -j ACCEPT
    $ipt -A INPUT -m state --state NEW -p tcp -m multiport \
        --dports 25,110,995 -j ACCEPT
    $ipt -A INPUT -m state --state NEW -s $LAN -p tcp \
        -m multiport --dports 5666,10000 -j ACCEPT

If you don't have the multiport match, you can do this instead:

    $ipt -P INPUT DROP
    $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $ipt -A INPUT -m state --state NEW -i lo -j ACCEPT
    $ipt -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
    $ipt -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
    $ipt -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
    $ipt -A INPUT -m state --state NEW -s $LAN -p tcp \
        --dport 5666 -j ACCEPT
    $ipt -A INPUT -m state --state NEW -s $LAN -p tcp \
        --dport 10000 -j ACCEPT

As you can see, the latter does the same as the first set of rules; there
are just more rules to process.

Oskar Andreasson wrote a good iptables tutorial:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Grts,
Rob
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
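The multiport ruleset from Rob's reply, wrapped as a dry-run script; this is an added example, not code from the thread. It assumes a LAN of 192.168.1.0/24 and uses the eth0/eth1 split from the question to pin the local-only ports to the internal interface as well as the LAN source address.

```shell
#!/bin/sh
# Added example (not from Rob's reply). Prints the iptables commands by
# default; set IPT=/sbin/iptables and run as root to apply them.
IPT="${IPT:-echo iptables}"
LAN="${LAN:-192.168.1.0/24}"     # assumed internal network
LAN_IF="${LAN_IF:-eth0}"         # internal interface (from the question)

# Emit the rules in evaluation order: iptables stops at the first match,
# so the conntrack and loopback rules come before anything port-specific.
mail_rules() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -m state --state NEW -i lo -j ACCEPT
    # Public mail ports: reachable from any interface.
    $IPT -A INPUT -m state --state NEW -p tcp -m multiport \
        --dports 25,110,995 -j ACCEPT
    # Local-only ports: require the LAN source address AND the internal
    # interface, so a packet arriving on eth1 with a forged LAN source
    # still falls through to the DROP policy.
    $IPT -A INPUT -m state --state NEW -i "$LAN_IF" -s "$LAN" -p tcp \
        -m multiport --dports 5666,10000 -j ACCEPT
}

# Sanity check for the dry run: number of ACCEPT rules emitted.
count_accept_rules() {
    mail_rules | grep -c -- '-j ACCEPT'
}

mail_rules
```

Run it as-is to review the generated commands, then rerun with IPT=/sbin/iptables once the output looks right.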