On Wednesday, 18.05.2005 at 14:14 +0200, Samuel Díaz García wrote:
> 1) I wrote in the first line: "... something as this ...".
> 2) I, like you, have the same info about the system in question.
> 3) I wrote something that can help to solve the problem.
... but that also raises inconsistencies, i.e. you can't use *both* an
INPUT and a FORWARD rule - depending on the location of the mail server,
one needs to use *one* of those rules.
> 4) If you have the knowledge and the time, put all the possible cases and
> put an answer that can cover all possible cases.
Well, it's hard to answer properly when there is insufficient
information: I'm not sure your suggestion would work at all, regardless
of the original poster's setup.
Continued in your response:
> Dave Ewart writes:
> > On Wednesday, 18.05.2005 at 11:37 +0200, Samuel Díaz García wrote:
> > > You need something as this in your linux router/firewall box:
> > >
> > > #!/bin/sh
> > > ip_mail_srv=a.b.c.d
> > > iptables -t filter -A INPUT -d $ip_mail_srv -p tcp --dport 25 --syn -j ACCEPT
> > > iptables -t filter -A INPUT -p tcp --dport 25 --syn -j DROP
> > That doesn't look right. If the mail server is NOT the same system as
> > the firewall, then nothing will pass on the INPUT chain to the firewall
> > destined for the mail server.
> Do you know where the SMTP server is? I don't, I only put 2 options.
OK, fair enough, although it's not clear that these were actually
options ...
> > > # the same in FORWARD chain:
> > > iptables -t filter -A FORWARD -d $ip_mail_srv -p tcp --dport 25 --syn -j ACCEPT
> > > iptables -t filter -A FORWARD -p tcp --dport 25 --syn -j DROP
> > The first of the above two rules will work partly, but won't allow any
> > SMTP traffic *from* the mail server back out ...
> Well, 2 solutions (or more):
> 1) delete "--syn"
> 2) use the typical "RELATED, ESTABLISHED" rule about.
> 3) You propose some more solutions.
I'll happily supply a solution if the original poster provides more
information.
Dave.
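The two topologies argued over in the thread, written out as one script. This is an added example, not Samuel's or Dave's code: the function picks INPUT or FORWARD from a topology argument, keeps the RELATED,ESTABLISHED rule for the later packets of accepted connections, and adds a source-based ACCEPT so that new connections *from* the mail server to other MTAs are not caught by the final DROP, which is the gap Dave points at. The function name `smtp_rules` and the address 192.0.2.25 are constructed; the function prints the iptables commands rather than running them, so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the iptables commands for
# SMTP filtering so they can be reviewed first (pipe into sh to apply them).
#   smtp_rules <mail_server_ip> local     mail server is the firewall box itself
#   smtp_rules <mail_server_ip> forward   mail server sits behind the firewall
smtp_rules() {
    ip_mail_srv="$1"
    topology="$2"
    case "$topology" in
        local)   in_chain=INPUT;   out_chain=OUTPUT ;;
        forward) in_chain=FORWARD; out_chain=FORWARD ;;
        *) printf 'usage: smtp_rules <mail-server-ip> local|forward\n' >&2; return 1 ;;
    esac

    # Later packets of an accepted connection (replies, data) pass by state,
    # so the ACCEPT rules below only have to match the opening SYN.
    printf 'iptables -t filter -A %s -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$in_chain"
    if [ "$out_chain" != "$in_chain" ]; then
        printf 'iptables -t filter -A %s -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$out_chain"
    fi

    # New inbound connections: only those addressed to the mail server.
    printf 'iptables -t filter -A %s -d %s -p tcp --dport 25 --syn -j ACCEPT\n' "$in_chain" "$ip_mail_srv"

    # New outbound connections *from* the mail server to other MTAs. Without
    # this rule they would hit the DROP below (the gap noted in the thread).
    printf 'iptables -t filter -A %s -s %s -p tcp --dport 25 --syn -j ACCEPT\n' "$out_chain" "$ip_mail_srv"

    # Anything else trying to open port 25 through this chain is dropped.
    printf 'iptables -t filter -A %s -p tcp --dport 25 --syn -j DROP\n' "$in_chain"
}

# Constructed example address (RFC 5737 documentation range), mail server behind the firewall.
smtp_rules 192.0.2.25 forward
```

Rule order matters: the source-based ACCEPT is emitted before the DROP, and the state rule comes first so that established flows never reach the port-25 tests at all. In the `local` case the DROP lives only on INPUT, because the box's own outgoing SMTP leaves through OUTPUT.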