
Re: limiting port 25 to an IP



On Saturday 23 October 2004 19:03, W.D.McKinney wrote:

> We need to limit port 25 on one MTA server to a single /28 pool of
> addresses. So I need to have the rule to accept the traffic from the /28
> and only through port 25.

Your questions have confused people ...

Some people thought that you meant "How do I make my MTA *listen* on only a 
single IP address?". This would be in contrast to most MTAs' default behaviour 
of listening on 0.0.0.0:25.

Other people have thought that you meant "How do I make my MTA accept 
connections *from* only one specific IP?".  I believe that was your intent 
though it was certainly unclear in the original posting.

> iptables -A INPUT -p tcp -s IP.YOU.WANT.TO.ACCEPT --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j REJECT

Assuming you're talking about accepting port 25 connections from a limited range 
of addresses, then yes, you can use iptables and that would be the syntax.  
Someone else has suggested using shorewall for managing your firewalling 
policies; you may want to check that out, it is a great tool.

Why would you want to limit connections to just a /28?  If you just want to 
limit who can relay through your server, iptables is a pretty heavy-handed way 
of achieving this; the better way IMO would be to add the /28 network to 
those allowed to relay. In postfix that would probably be accomplished with a 
config line like this:

    mynetworks = 127.0.0.0/8, 192.168.0.0/28

Most MTAs have built-in access controls that are flexible enough to 
accommodate changing rules.  Unless you never foresee changes to your network, 
learn the proper tool (your MTA) to implement rules; iptables rules are a 
yes/no proposition and you'll regret using them instead of learning how to use 
the MTA.

-- 
Fraser Campbell <fraser@wehave.net>                 http://www.wehave.net/
Georgetown, Ontario, Canada                               Debian GNU/Linux
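As an added illustration (not part of the thread above), here is the two-rule iptables pattern quoted in the reply widened from a single address to the /28 the original question asked about, next to the equivalent Postfix mynetworks line the reply recommends. The script only prints the commands; the interface name, the 192.168.0.0/28 block and the tcp-reset reject type are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Emit iptables rules that allow SMTP (tcp/25) only from one CIDR block and
# reject everyone else. Commands are printed, not applied; pipe into sh as
# root to apply them.
smtp_acl_rules() {
    cidr="$1"            # constructed sample, e.g. 192.168.0.0/28
    iface="${2:-eth0}"   # interface the MTA is reached on (assumption)

    # Refuse anything that is not written as address/prefix.
    case "$cidr" in
        */*) ;;
        *) echo "expected a CIDR block, got: $cidr" >&2; return 1 ;;
    esac

    # Order matters: the ACCEPT must precede the catch-all REJECT, because
    # iptables stops at the first rule in the chain that matches.
    printf 'iptables -A INPUT -i %s -p tcp -s %s --dport 25 -j ACCEPT\n' "$iface" "$cidr"
    # tcp-reset makes the refusal look like a closed port to a remote SMTP client
    # instead of leaving it waiting on an ICMP unreachable.
    printf 'iptables -A INPUT -i %s -p tcp --dport 25 -j REJECT --reject-with tcp-reset\n' "$iface"
}

# The same relay restriction expressed at the MTA layer (Postfix main.cf),
# which is the approach the reply above recommends over packet filtering.
postfix_relay_networks() {
    cidr="$1"
    printf 'mynetworks = 127.0.0.0/8, %s\n' "$cidr"
}

smtp_acl_rules 192.168.0.0/28
postfix_relay_networks 192.168.0.0/28
```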
