From: "Dharmendra T." <dharmu@nsecure.net>
To: netfilter@lists.netfilter.org
Subject: Re: Bridge/VPN question.
Date: 23 Jun 2004 15:00:20 +0530
Message-ID: <1087983028.7624.55.camel@dharmu.nsecure.net>
In-Reply-To: <200406231008.40635.Antony@Soft-Solutions.co.uk>
On Wed, 2004-06-23 at 14:38, Antony Stone wrote:
> On Wednesday 23 June 2004 9:42 am, Dharmendra T. wrote:
>
> > Hi,
> >
> > Are there any other rules you have defined? If not, this may work:
> >
> > iptables -P INPUT DROP
> > iptables -P OUTPUT DROP
> > iptables -P FORWARD DROP
> >
> > iptables -A FORWARD -o eth0 -p tcp -m tcp -d <approved mail server> --dport 25 -j ACCEPT
> > iptables -A OUTPUT -o eth0 -p tcp -m tcp -d <approved mail server> --dport 25 -j ACCEPT
>
> The above rules (if you are proposing them as a complete ruleset) are a highly
> secure system - nothing will get through it, and nothing will get to
> communicate with the box itself.
>
> Why?
>
> 1. You have a default DROP policy on FORWARD (good idea), and a rule allowing
> packets to TCP port 25 on a specific server, but no rule allowing replies
> back again. Therefore no traffic gets *through* the machine.
>
> 2. You have a default DROP policy on INPUT, and no rules in the INPUT chain
> allowing anything at all, therefore no packets can get in (which makes the
> rule in the OUTPUT chain allowing some packets out somewhat pointless).
>
> Regards,
>
> Antony.
>
> --
> "Black holes are where God divided by zero."
>
> - Steven Wright
>
> Please reply to the list;
> please don't CC me.
>
>
Yes, I agree. But these rules were given assuming that the user has given the
required rulesets (assuming means that the user can connect to the
approved mail server. Please check the last mail to which I replied).
Regards,
--
Dharmendra T.
Linux Security and Admin,
www.nsecure.net
This message is intended for the addressee only. It may contain
privileged or confidential information. If you have received
this message in error, please notify the sender and destroy the message
immediately. Unauthorised use or reproduction of
this message is strictly prohibited.
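Added example (not part of the original thread or either poster's mail): a small Python model of the ruleset quoted above, built to make Antony's two points checkable offline. It approximates netfilter with three chains, a default policy, rules matched in order, and a connection-tracking table so that a `--state ESTABLISHED,RELATED` rule can be represented; it is not iptables and runs no iptables commands. The mail-server address 192.0.2.25, the client 10.0.0.5, the box address 10.0.0.1, the bridge interfaces eth0/eth1 and the port numbers are constructed sample values standing in for `<approved mail server>` and the poster's unknown setup. The `stateful_ruleset` variant adds the conntrack rule that the quoted mail does not show; that addition is this example's assumption about how replies are normally let through.

```python
"""Model of the DROP-by-default ruleset quoted in the thread (added example).

Assumptions (constructed, not from the mail): mail server 192.0.2.25, a client
10.0.0.5 behind the bridge, the box itself at 10.0.0.1, bridge ports eth0/eth1.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MAILSERVER = "192.0.2.25"   # stands in for <approved mail server>
CLIENT = "10.0.0.5"         # constructed host behind the bridge
BOX = "10.0.0.1"            # constructed address of the firewall itself


@dataclass(frozen=True)
class Packet:
    chain: str                # INPUT, OUTPUT or FORWARD
    out_if: Optional[str]     # outgoing interface (None on INPUT)
    proto: str
    src: str
    dst: str
    dport: int
    sport: int


@dataclass
class Rule:
    chain: str
    target: str
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    state: frozenset = frozenset()   # empty set means "any conntrack state"


class Filter:
    """Three chains with a policy, ordered rules and a tiny conntrack table."""

    def __init__(self, policy):
        self.policy = dict(policy)
        self.rules = []
        self.conntrack = set()   # 5-tuples of packets that were ACCEPTed

    def append(self, rule):
        self.rules.append(rule)

    def _state(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.conntrack or rev in self.conntrack else "NEW"

    def verdict(self, p):
        state = self._state(p)
        for r in self.rules:
            if r.chain != p.chain:
                continue
            if r.out_if is not None and r.out_if != p.out_if:
                continue
            if r.proto is not None and r.proto != p.proto:
                continue
            if r.dst is not None and r.dst != p.dst:
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            if r.state and state not in r.state:
                continue
            result = r.target
            break
        else:
            result = self.policy[p.chain]   # no rule matched: chain policy
        if result == "ACCEPT":
            self.conntrack.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return result


def thread_ruleset():
    """The rules exactly as quoted: DROP policies plus one FORWARD and one
    OUTPUT rule towards the mail server, and nothing else."""
    f = Filter({"INPUT": "DROP", "OUTPUT": "DROP", "FORWARD": "DROP"})
    f.append(Rule("FORWARD", "ACCEPT", out_if="eth0", proto="tcp", dst=MAILSERVER, dport=25))
    f.append(Rule("OUTPUT", "ACCEPT", out_if="eth0", proto="tcp", dst=MAILSERVER, dport=25))
    return f


def stateful_ruleset():
    """Same rules plus an ESTABLISHED,RELATED accept at the top of each chain
    (assumed addition, not shown in the thread) so replies can come back."""
    f = thread_ruleset()
    for chain in ("INPUT", "OUTPUT", "FORWARD"):
        f.rules.insert(0, Rule(chain, "ACCEPT", state=frozenset({"ESTABLISHED", "RELATED"})))
    return f


def smtp_exchange(f) -> Tuple[str, str]:
    """Forward a client SYN to the mail server, then the SYN/ACK reply
    travelling the other way through the bridge; return both verdicts."""
    syn = Packet("FORWARD", "eth0", "tcp", CLIENT, MAILSERVER, 25, 40001)
    reply = Packet("FORWARD", "eth1", "tcp", MAILSERVER, CLIENT, 40001, 25)
    return f.verdict(syn), f.verdict(reply)


def inbound_to_box(f) -> str:
    """A new connection to the firewall itself (Antony's second point)."""
    return f.verdict(Packet("INPUT", None, "tcp", CLIENT, BOX, 22, 40002))


if __name__ == "__main__":
    print("quoted rules, SYN/reply:", smtp_exchange(thread_ruleset()))     # ('ACCEPT', 'DROP')
    print("with conntrack, SYN/reply:", smtp_exchange(stateful_ruleset()))  # ('ACCEPT', 'ACCEPT')
    print("quoted rules, to the box:", inbound_to_box(thread_ruleset()))   # DROP
```

Running it shows the outbound SYN accepted and its reply dropped under the quoted rules, because the reply leaves on the other bridge port and matches neither the `-o eth0 --dport 25` rule nor anything else before the FORWARD policy; with the ESTABLISHED,RELATED rule the reply is accepted. The INPUT probe is dropped in both cases, which is the state the thread describes as the box being unreachable, so a rule set like this has to be completed with whatever INPUT acceptance the administrator actually needs.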
Thread overview:
2004-06-22 14:32 Bridge/VPN question Anthony R. Vallario
2004-06-23 8:42 ` Dharmendra T.
2004-06-23 9:08 ` Antony Stone
2004-06-23 9:30 ` Dharmendra T. [this message]
2004-06-23 9:40 ` Antony Stone