Linux Netfilter discussions
* Blocking ports for outsider
@ 2008-02-11 10:22 Tarak Ranjan
  0 siblings, 0 replies; 5+ messages in thread
From: Tarak Ranjan @ 2008-02-11 10:22 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

Hi,
    I have a mail server which has two interfaces: eth0 [internal] and
eth1 [external]. I want certain ports like 25, 110, 995 to be open for
outsiders as well as local hosts, and some ports, 10000 and 5666, to be
open for local only. Could anyone help me out regarding this?

I'm a mail-system guy, so I'm not very much aware of iptables rules. If
anyone could give me some documentation links for mailing-system related
iptables documentation, that would be helpful for me.

Thank you



Tarak Ranjan



* Blocking ports for outsider
@ 2008-02-11 10:49 Tarak Ranjan
  2008-02-11 13:52 ` Rob Sterenborg
  0 siblings, 1 reply; 5+ messages in thread
From: Tarak Ranjan @ 2008-02-11 10:49 UTC (permalink / raw)
  To: netfilter

Hi,
    I have a mail server which has two interfaces: eth0 [internal] and
eth1 [external]. I want certain ports like 25, 110, 995 to be open for
outsiders as well as local hosts, and some ports, 10000 and 5666, to be
open for local only. Could anyone help me out regarding this?

I'm a mail-system guy, so I'm not very much aware of iptables rules. If
anyone could give me some documentation links for mailing-system related
iptables documentation, that would be helpful for me.

Thank you



Tarak Ranjan




* RE: Blocking ports for outsider
  2008-02-11 10:49 Blocking ports for outsider Tarak Ranjan
@ 2008-02-11 13:52 ` Rob Sterenborg
  2008-02-13  6:43   ` Tarak Ranjan
  0 siblings, 1 reply; 5+ messages in thread
From: Rob Sterenborg @ 2008-02-11 13:52 UTC (permalink / raw)
  To: netfilter

> Hi,
>     I have a mail server which has two interfaces: eth0 [internal] and
> eth1 [external]. I want certain ports like 25, 110, 995 to be open for
> outsiders as well as local hosts, and some ports, 10000 and 5666, to be
> open for local only. Could anyone help me out regarding this?
>
> I'm a mail-system guy, so I'm not very much aware of iptables rules. If
> anyone could give me some documentation links for mailing-system related
> iptables documentation, that would be helpful for me.

It's best practice to have everything closed and just open up the ports
(to specific IPs) where needed.

$LAN could be the network address you're using or a specific IP.

$ipt -P INPUT DROP
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -m state --state NEW -i lo -j ACCEPT
$ipt -A INPUT -m state --state NEW -p tcp -m multiport \
  --dports 25,110,995 -j ACCEPT
$ipt -A INPUT -m state --state NEW -s $LAN -p tcp \
  -m multiport --dports 5666,10000 -j ACCEPT

If you don't have the multiport match, you can do this instead:

$ipt -P INPUT DROP
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -m state --state NEW -i lo -j ACCEPT
$ipt -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
$ipt -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
$ipt -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT
$ipt -A INPUT -m state --state NEW -s $LAN -p tcp \
  --dport 5666 -j ACCEPT
$ipt -A INPUT -m state --state NEW -s $LAN -p tcp \
  --dport 10000 -j ACCEPT

As you can see, the latter does the same as the first set of rules; there
are just more rules to process.

Oskar Andreasson wrote a good iptables tutorial.
http://iptables-tutorial.frozentux.net/iptables-tutorial.html


Grts,
Rob




* RE: Blocking ports for outsider
  2008-02-11 13:52 ` Rob Sterenborg
@ 2008-02-13  6:43   ` Tarak Ranjan
  2008-02-13 11:53     ` Rob Sterenborg
  0 siblings, 1 reply; 5+ messages in thread
From: Tarak Ranjan @ 2008-02-13  6:43 UTC (permalink / raw)
  To: Rob Sterenborg; +Cc: netfilter

On Mon, 2008-02-11 at 14:52 +0100, Rob Sterenborg wrote:
> >     I have a mail server which has two interfaces: eth0 [internal] and
> > eth1 [external]. I want certain ports like 25, 110, 995 to be open for
> > outsiders as well as local hosts, and some ports, 10000 and 5666, to be
> > open for local only. Could anyone help me out regarding this?
> >
> > I'm a mail-system guy, so I'm not very much aware of iptables rules. If
> > anyone could give me some documentation links for mailing-system related
> > iptables documentation, that would be helpful for me.

> $ipt -P INPUT DROP
> $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> $ipt -A INPUT -m state --state NEW -i lo -j ACCEPT
> $ipt -A INPUT -m state --state NEW -p tcp -m multiport \
>   --dports 25,110,995 -j ACCEPT
> $ipt -A INPUT -m state --state NEW -s $LAN -p tcp \
>   -m multiport --dports 5666,10000 -j ACCEPT

I have made an iptables ruleset for my mail server, but the thing is
that it's not responding the way I want... There might be something
wrong with my ruleset.


1) Locally incoming SSH should be allowed from 2 local IPs.
2) 25, 110, 995, 80, 443 should be open for 0/0.
3) 10000, 5666 should be open for the LAN [192.168.1.0/24] network.

Those are the things I want..... Here is my ruleset on my MAILSERVER, not
on the gateway:

# Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Flush all chains (filter and mangle) and delete user-defined chains
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -X


$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT

# $IPTABLES can determine which of these three "states" a packet is
# in. This can be represented by three rules:
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW \
  -j REJECT --reject-with tcp-reset

$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "New not syn:"

$IPTABLES -A INPUT -m state --state INVALID -j DROP

# smtp  One per second limit - burst rate of FIVE
$IPTABLES -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s \
  --limit-burst 5 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp -m multiport \
  --dports 110,995,443,80,53 -j ACCEPT
# Ports allowed for the 192.168.1.0 network (783-spamassassin, 3310-clamd ports)
$IPTABLES -A INPUT -m state --state NEW -s $LAN -p tcp -m multiport \
  --dports 5666,10000 -j ACCEPT
# Kill all packets from the outside world claiming to be packets generated
# from the internal network.
$IPTABLES -A INPUT -i eth1 -s 192.168.1.0/24 -j REJECT
# Enable SSH and TELNET from 210 & 123
$IPTABLES -A INPUT -p tcp -s 192.168.1.7 -d $MAIL_IP --dport 22 \
  -j ACCEPT

#OUTPUT RULES
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#FORWARD RULES
$IPTABLES -A FORWARD -m state --state INVALID -j DROP



reg,

Tarak





* RE: Blocking ports for outsider
  2008-02-13  6:43   ` Tarak Ranjan
@ 2008-02-13 11:53     ` Rob Sterenborg
  0 siblings, 0 replies; 5+ messages in thread
From: Rob Sterenborg @ 2008-02-13 11:53 UTC (permalink / raw)
  To: netfilter

> I have made an iptables ruleset for my mail server, but the thing is
> that it's not responding the way I want... There might be something
> wrong with my ruleset.
>
>
> 1) Locally incoming SSH should be allowed from 2 local IPs.
> 2) 25, 110, 995, 80, 443 should be open for 0/0.
> 3) 10000, 5666 should be open for the LAN [192.168.1.0/24] network.
>
> Those are the things I want..... Here is my ruleset on my
> MAILSERVER, not on the gateway:

> # smtp  One per second limit - burst rate of FIVE
> $IPTABLES -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s \
>   --limit-burst 5 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 25 --syn -j DROP
> $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT

I don't think this will ever match. You accept 1 conn/sec on dport
25/tcp. Connections at a higher rate than 1/sec are DROPped. So what's
left to accept?

> $IPTABLES -A INPUT -m state --state NEW -p tcp -m multiport \
>   --dports 110,995,443,80,53 -j ACCEPT

Are you running a DNS server for the internet that only allows tcp
connections?

> #OUTPUT RULES
> $IPTABLES -A OUTPUT -o lo -j ACCEPT

I hadn't read all of the above yet, but this can be a (the) problem. You
only allow outgoing packets that use the lo interface. So, you may get
incoming packets from another host, but nothing will ever get out via
the actual network interfaces.

> #FORWARD RULES
> $IPTABLES -A FORWARD -m state --state INVALID -j DROP

Try with a simple ruleset first. If it works, you add more rules or
change them to be even more restrictive (but still let things work as
they should).

$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP

$ipt -F
$ipt -X

$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$ipt -N NEW_IN
# ssh in for LAN_IP1
$ipt -A NEW_IN -s $LAN_IP1 -p tcp --dport 22 -j ACCEPT
# ssh in for LAN_IP2
$ipt -A NEW_IN -s $LAN_IP2 -p tcp --dport 22 -j ACCEPT
# smtp in
$ipt -A NEW_IN -p tcp --dport 25 -j ACCEPT
# http in
$ipt -A NEW_IN -p tcp --dport 80 -j ACCEPT
# pop3 in
$ipt -A NEW_IN -p tcp --dport 110 -j ACCEPT
# https in
$ipt -A NEW_IN -p tcp --dport 443 -j ACCEPT
# pop3s in
$ipt -A NEW_IN -p tcp --dport 995 -j ACCEPT
# unknown service1 in for the LAN
$ipt -A NEW_IN -s $LAN_NET -p tcp --dport 5666 -j ACCEPT
# unknown service2 in for the LAN
$ipt -A NEW_IN -s $LAN_NET -p tcp --dport 10000 -j ACCEPT

$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -m state --state NEW -j NEW_IN

$ipt -N NEW_OUT
# smtp out
$ipt -A NEW_OUT -p tcp --dport 25 -j ACCEPT
# dns out (tcp)
$ipt -A NEW_OUT -p tcp --dport 53 -j ACCEPT
# dns out (udp)
$ipt -A NEW_OUT -p udp --dport 53 -j ACCEPT
# icmp out
$ipt -A NEW_OUT -p icmp -j ACCEPT

$ipt -A OUTPUT -o lo -j ACCEPT
$ipt -A OUTPUT -m state --state NEW -j NEW_OUT


I think this should get you going. If it doesn't, place some logging
rules where appropriate to see where things are allowed or denied.


Grts,
Rob
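
The policy Tarak listed (SSH from two LAN hosts, public mail/web ports, two LAN-only ports) for the eth0/eth1 box, written out as an added example that is not code from either poster. It assumes eth0 is the LAN side and eth1 the Internet side, uses constructed values for LAN_NET and the two admin addresses, keeps Rob's NEW_IN/NEW_OUT layout and the 1/s SMTP limit from Tarak's ruleset, and goes a step further than the thread by tying the LAN-only ports to the LAN interface as well as the LAN source range; IPT=echo prints the rules instead of loading them, so the layout can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: eth0 = LAN side, eth1 =
# Internet side; LAN_NET and ADMIN_IPS are constructed sample values.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth1}"
INT_IF="${INT_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ADMIN_IPS="${ADMIN_IPS:-192.168.1.7 192.168.1.8}"   # the two admin hosts

mailserver_rules() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F
    $IPT -X
    # Packets of already accepted connections, in both directions: this is
    # what lets a session continue once its first packet was accepted below.
    $IPT -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -m state --state INVALID -j DROP
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Anti-spoofing: LAN source addresses never arrive on the external side.
    $IPT -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP

    $IPT -N NEW_IN
    # SMTP: new connections at 1/s with a burst of 5, faster ones are dropped.
    # No third catch-all ACCEPT for port 25: the ESTABLISHED rule covers it.
    $IPT -A NEW_IN -p tcp --dport 25 -m limit --limit 1/s --limit-burst 5 -j ACCEPT
    $IPT -A NEW_IN -p tcp --dport 25 -j DROP
    # Public services (item 2), reachable from anywhere.
    $IPT -A NEW_IN -p tcp -m multiport --dports 80,110,443,995 -j ACCEPT
    # LAN-only services (item 3): require the LAN interface and a LAN source.
    $IPT -A NEW_IN -i "$INT_IF" -s "$LAN_NET" -p tcp -m multiport --dports 5666,10000 -j ACCEPT
    for ip in $ADMIN_IPS; do   # SSH (item 1) from the two admin hosts only
        $IPT -A NEW_IN -i "$INT_IF" -s "$ip" -p tcp --dport 22 -j ACCEPT
    done
    $IPT -A INPUT -m state --state NEW -j NEW_IN

    $IPT -N NEW_OUT
    $IPT -A NEW_OUT -p tcp --dport 25 -j ACCEPT        # outbound mail delivery
    $IPT -A NEW_OUT -p udp --dport 53 -j ACCEPT        # DNS (MX lookups)
    $IPT -A NEW_OUT -p tcp --dport 53 -j ACCEPT
    $IPT -A NEW_OUT -p icmp -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW -j NEW_OUT
}
# Dry run: same function, every rule printed instead of loaded (no root needed).
dry_run() { ( IPT=echo; mailserver_rules ); }
case "${1:-}" in apply) mailserver_rules ;; dry-run) dry_run ;; esac
```

Run it as "sh mailfw.sh dry-run" to review the rule list and "sh mailfw.sh apply" (as root) to load it; as Rob suggests, add LOG rules in NEW_IN or NEW_OUT if something is still being refused.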


