Re: limiting port 25 to an IP
On Saturday 23 October 2004 19:03, W.D.McKinney wrote:
> We need to limit port 25 on one MTA server to a single /28 pool of
> addresses. So I need to have the rule to accept the traffic from the /28
> and only through port 25.
Your questions have confused people ...
Some people thought that you meant "How do I make my MTA *listen* on only a
single IP address?"; this would be in contrast to most MTAs' default behaviour
of listening on 0.0.0.0:25.
Other people have thought that you meant "How do I make my MTA accept
connections *from* only one specific IP?". I believe that was your intent
though it was certainly unclear in the original posting.
> iptables -A INPUT -p tcp -s IP.YOU.WANT.TO.ACCEPT --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j REJECT
Assuming you're talking about accepting port 25 connections from a limited range
of addresses then yes, you can use iptables and that would be the syntax.
Someone else has suggested using shorewall for managing your firewalling
policies; you may want to check that out, it is a great tool.
Why would you want to limit connections to just a /28? If you just want to
limit who can relay through your server, iptables is a pretty heavy-handed way
of achieving this; the better way IMO would be to add the /28 network to
those allowed to relay. In postfix that would probably be accomplished with a
config line like this:
mynetworks = 127.0.0.0/8, 192.168.0.0/28
Most MTAs have built-in access controls that are flexible enough to
accommodate changing rules. Unless you never foresee changes to your network,
learn the proper tool (your MTA) to implement rules; iptables rules are a
yes/no proposition and you'll regret using them instead of learning how to use
the MTA.
--
Fraser Campbell <fraser@wehave.net> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
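As an added illustration of the distinction Fraser draws (not part of the original thread): a small Python model of the two approaches, showing that the iptables chain refuses every non-/28 host outright on port 25, while an MTA-level mynetworks check still accepts mail for local recipients from anywhere and only denies relaying. The /28 is the 192.168.0.0/28 from the post; the local domain example.com and the sample source addresses and recipients are constructed for the example, and the chain's default policy is assumed to be ACCEPT.

```python
import ipaddress

# Networks allowed to relay, mirroring the postfix "mynetworks" line above.
ALLOWED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/28")]

# Constructed: the domains this MTA delivers locally (not from the post).
LOCAL_DOMAINS = {"example.com"}


def in_mynetworks(src):
    """True if src falls inside one of the allowed CIDR blocks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_NETWORKS)


def iptables_decision(src, dport=25):
    """Model of the two-rule INPUT chain from the post, written for a /28:
         iptables -A INPUT -p tcp -s 192.168.0.0/28 --dport 25 -j ACCEPT
         iptables -A INPUT -p tcp --dport 25 -j REJECT
    Traffic to other ports falls through to the chain policy (assumed ACCEPT).
    """
    if dport != 25:
        return "POLICY"
    return "ACCEPT" if in_mynetworks(src) else "REJECT"


def smtp_decision(src, rcpt):
    """Model of an MTA-level relay check: mail for a local domain is accepted
    from any host; mail bound elsewhere is relayed only for mynetworks."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return "accept (local delivery)"
    if in_mynetworks(src):
        return "accept (relay from mynetworks)"
    return "reject (relay denied)"


if __name__ == "__main__":
    # Constructed sample connections, one inside and one outside the /28.
    for src, rcpt in [("192.168.0.9", "bob@other.net"),
                      ("10.1.2.3", "bob@other.net"),
                      ("10.1.2.3", "bob@example.com")]:
        print(src, rcpt, "| iptables:", iptables_decision(src),
              "| mta:", smtp_decision(src, rcpt))
```

The third sample line is the case the post warns about: with the iptables chain the outside host never gets to deliver mail to your own users, whereas the MTA check accepts it and only refuses to relay.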