> I have made one iptables ruleset for my mail server, but the thing is
> that what I want from my rules, it is not responding in the way I
> want... there might be something wrong with my ruleset.
>
>
> 1) Locally incoming ssh should be allowed from 2 local IPs
> 2) 25, 110, 995, 80, 443 should be open for 0/0.
> 3) 10000, 5666 should be open for the LAN [192.168.1.0/24] network
>
> Those are the things I want..... Here is my ruleset on my
> MAILSERVER, not on the gateway

> # smtp: one per second limit, burst rate of FIVE
> $IPTABLES -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP
> $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT

I don't think this will ever match. You accept 1 conn/sec on dport 25/tcp.
Connections at a higher rate than 1/sec are DROPped. So what's left to
accept?

> $IPTABLES -A INPUT -m state --state NEW -p tcp -m multiport --dports 110,995,443,80,53 -j ACCEPT

Are you running a DNS server for the internet that only allows tcp
connections?

> #OUTPUT RULES
> $IPTABLES -A OUTPUT -o lo -j ACCEPT

I hadn't read all of the above yet, but this can be a (the) problem. You
only allow outgoing packets that use the lo interface. So, you may get
incoming packets from another host, but nothing will ever get out via the
actual network interfaces.

> #FORWARD RULES
> $IPTABLES -A FORWARD -m state --state INVALID -j DROP

Try with a simple ruleset first. If it works, you add more rules or change
them to be even more restrictive (but still let things work as they
should).
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP
$ipt -F
$ipt -X

$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$ipt -N NEW_IN
# ssh in for LAN_IP1
$ipt -A NEW_IN -s $LAN_IP1 -p tcp --dport 22 -j ACCEPT
# ssh in for LAN_IP2
$ipt -A NEW_IN -s $LAN_IP2 -p tcp --dport 22 -j ACCEPT
# smtp in
$ipt -A NEW_IN -p tcp --dport 25 -j ACCEPT
# http in
$ipt -A NEW_IN -p tcp --dport 80 -j ACCEPT
# pop3 in
$ipt -A NEW_IN -p tcp --dport 110 -j ACCEPT
# https in
$ipt -A NEW_IN -p tcp --dport 443 -j ACCEPT
# pop3s in
$ipt -A NEW_IN -p tcp --dport 995 -j ACCEPT
# unknown service1 in for the LAN
$ipt -A NEW_IN -s $LAN_NET -p tcp --dport 5666 -j ACCEPT
# unknown service2 in for the LAN
$ipt -A NEW_IN -s $LAN_NET -p tcp --dport 10000 -j ACCEPT

$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -m state --state NEW -j NEW_IN

$ipt -N NEW_OUT
# smtp out
$ipt -A NEW_OUT -p tcp --dport 25 -j ACCEPT
# dns out (tcp)
$ipt -A NEW_OUT -p tcp --dport 53 -j ACCEPT
# dns out (udp)
$ipt -A NEW_OUT -p udp --dport 53 -j ACCEPT
# icmp out
$ipt -A NEW_OUT -p icmp -j ACCEPT

$ipt -A OUTPUT -o lo -j ACCEPT
$ipt -A OUTPUT -m state --state NEW -j NEW_OUT

I think this should get you going. If it doesn't, place some logging rules
where appropriate to see where things are allowed or denied.

Grts,
Rob
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
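As an added example, not part of Rob's mail or the original poster's ruleset: the same default-deny, stateful layout (DROP policies, RELATED,ESTABLISHED first, NEW traffic dispatched to NEW_IN / NEW_OUT) written as a shell function that emits an iptables-restore file, with the logging rules Rob suggests placed before an explicit DROP at the end of each NEW_ chain so that every refused connection attempt shows up in the kernel log with a prefix naming the chain. The default addresses (192.168.1.10, 192.168.1.11, 192.168.1.0/24) are placeholders assumed here; pass the real ones as arguments.

```shell
#!/bin/sh
# Added example: generate Rob's default-deny mail-server ruleset as an
# iptables-restore file.  Nothing here touches the kernel; the caller
# pipes the output into iptables-restore.
#
#   gen_rules ADMIN_IP1 ADMIN_IP2 LAN_NET > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
#
# The three arguments are placeholders (assumed addresses, not from the
# original mail).
gen_rules() {
    lan_ip1="${1:-192.168.1.10}"
    lan_ip2="${2:-192.168.1.11}"
    lan_net="${3:-192.168.1.0/24}"
    cat <<EOF
*filter
# default policies: nothing passes unless a rule accepts it
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:NEW_IN - [0:0]
:NEW_OUT - [0:0]
# replies to conversations we already track, and loopback, are always fine
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -j NEW_IN
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW -j NEW_OUT
# ssh only from the two admin hosts
-A NEW_IN -s $lan_ip1 -p tcp --dport 22 -j ACCEPT
-A NEW_IN -s $lan_ip2 -p tcp --dport 22 -j ACCEPT
# public mail and web services (no tcp/53: this host is not a DNS server)
-A NEW_IN -p tcp -m multiport --dports 25,80,110,443,995 -j ACCEPT
# the two LAN-only services
-A NEW_IN -s $lan_net -p tcp -m multiport --dports 5666,10000 -j ACCEPT
# log (rate-limited, so a scan cannot flood the log) and drop the rest
-A NEW_IN -m limit --limit 5/min -j LOG --log-prefix "NEW_IN drop: "
-A NEW_IN -j DROP
# outbound: mail delivery, DNS lookups, ping
-A NEW_OUT -p tcp --dport 25 -j ACCEPT
-A NEW_OUT -p tcp --dport 53 -j ACCEPT
-A NEW_OUT -p udp --dport 53 -j ACCEPT
-A NEW_OUT -p icmp -j ACCEPT
-A NEW_OUT -m limit --limit 5/min -j LOG --log-prefix "NEW_OUT drop: "
-A NEW_OUT -j DROP
COMMIT
EOF
}
```

Loading the table with iptables-restore instead of running the `$ipt -A ...` lines one by one has a practical advantage when you edit the rules over ssh: the whole `*filter` block is parsed first and only installed at `COMMIT`, so a typo leaves the previous ruleset in place instead of leaving you with DROP policies and half the accept rules. When a connection that should work does not, `dmesg | grep 'NEW_IN drop'` (or the NEW_OUT prefix) shows which direction and which destination port is being refused.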