* iptables question - how to securely allow *just* outgoing smtp
From: Christian Seberino @ 2002-06-21 15:32 UTC
To: netfilter
My firewall does *not* need or use any
rules on INPUT and OUTPUT chains
since it just *FORWARD*s packets to/from
private LAN.....
I'd like to install Tripwire on firewall
and have firewall *email* me daily of status.....
How can I securely *open* up firewall rules
to allow me to just email out without
compromising security???
Thanks,
Chris
--
_______________________________________
Dr. Christian Seberino
SPAWAR Systems Center San Diego
Code 2363
53560 Hull Street
San Diego, CA 92152-5001
U.S.A.
Phone: (619) 553-7940
Fax: (619) 553-2836
Email: seberino@spawar.navy.mil
_______________________________________
* Re: iptables question - how to securely allow *just* outgoing smtp
From: Antony Stone @ 2002-06-21 15:35 UTC
To: netfilter
On Friday 21 June 2002 4:32 pm, Christian Seberino wrote:
> My firewall does *not* need or use any
> rules on INPUT and OUTPUT chains
> since it just *FORWARD*s packets to/from
> private LAN.....
>
> I'd like to install Tripwire on firewall
> and have firewall *email* me daily of status.....
>
> How can I securely *open* up firewall rules
> to allow me to just email out without
> compromising security???
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A OUTPUT -p tcp --dport 25 -d aa.bb.cc.dd -j ACCEPT
iptables -A INPUT -p tcp --sport 25 -s aa.bb.cc.dd -m state --state ESTABLISHED,RELATED -j ACCEPT
where aa.bb.cc.dd is the IP address of your mail server.
Antony.
* Re: iptables question - how to securely allow *just* outgoing smtp
From: Christian Seberino @ 2002-06-22 17:28 UTC
To: Antony Stone; +Cc: netfilter
Antony
Wow, thanks! This answer was like a laser - direct
and to the point.
Even if I just want to *send* email I still
need the *INPUT* part right? In other words, I don't suppose
*just* the following will allow firewall to send email will it??
iptables -A OUTPUT -p tcp --dport 25 -d aa.bb.cc.dd -j ACCEPT
*If* I do need the INPUT part, can I *just* allow
the ESTABLISHED and *not* the RELATED???? RELATED
would only be necessary if smtp needed multiple new ports
for incoming right???
Thanks again,
Chris
P.S. One more thing if you don't mind....
I *could* define $SSH_PORT and $SMTP_PORT but
doesn't iptables recognize ssh and smtp /already/
as 22 and 25?
On Fri, Jun 21, 2002 at 04:35:31PM +0100, Antony Stone wrote:
> On Friday 21 June 2002 4:32 pm, Christian Seberino wrote:
>
> > My firewall does *not* need or use any
> > rules on INPUT and OUTPUT chains
> > since it just *FORWARD*s packets to/from
> > private LAN.....
> >
> > I'd like to install Tripwire on firewall
> > and have firewall *email* me daily of status.....
> >
> > How can I securely *open* up firewall rules
> > to allow me to just email out without
> > compromising security???
>
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -p tcp --dport 25 -d aa.bb.cc.dd -j ACCEPT
> iptables -A INPUT -p tcp --sport 25 -s aa.bb.cc.dd -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> where aa.bb.cc.dd is the IP address of your mail server.
>
>
>
> Antony.
* Re: iptables question - how to securely allow *just* outgoing smtp
From: Antony Stone @ 2002-06-22 17:44 UTC
To: netfilter
On Saturday 22 June 2002 6:28 pm, Christian Seberino wrote:
> Antony
>
> Even if I just want to *send* email I still
> need the *INPUT* part right? In other words, I don't suppose
> *just* the following will allow firewall to send email will it??
>
> iptables -A OUTPUT -p tcp --dport 25 -d aa.bb.cc.dd -j ACCEPT
No, that on its own will only allow outbound packets, and will not allow
returning replies. You need both for a successful connection, even if the
email is only going out.
> *If* I do need the INPUT part, can I *just* allow
> the ESTABLISHED and *not* the RELATED???? RELATED
> would only be necessary if smtp needed multiple new ports
> for incoming right???
I included the RELATED state just in case you get some ICMP packets saying a
connection failed etc.
> P.S. One more thing if you don't mind....
>
> I *could* define $SSH_PORT and $SMTP_PORT but
> doesn't iptables recognize ssh and smtp /already/
> as 22 and 25?
What would you define SSH_PORT as ? 22, presumably ?
I'm not quite sure I understand your question. SSH runs on TCP port 22, so
if you want an iptables rule to allow SSH, you could write it using the
number 22, or the variable $SSH_PORT, where SSH_PORT is defined as 22, or you
could use $BANANA, where BANANA is defined as 22.....
So long as the rule ends up allowing TCP packets on port 22, how you specify
it comes down to readability and style.
Antony.
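The two-rule answer above, plus the follow-up about needing the INPUT side and about ESTABLISHED versus RELATED, turned into a complete script for the firewall host. This is an added example, not code from the thread or from either poster. Assumptions not in the original: the mail server is MAIL_RELAY (192.0.2.25 is a documentation address, replace it), you administer the box over SSH from ADMIN_HOST on the LAN (the thread mentions $SSH_PORT but not an address), and iptables has the conntrack match, which is used here in place of the older `-m state --state`. FORWARD is left untouched because the poster already has LAN rules there. ICMP errors about the SMTP connection are RELATED but are not TCP, so the example matches them in a separate ICMP rule instead of adding RELATED to the TCP rule. The DROP policies are set last so the SSH rule exists before the default becomes DROP, and a lint step refuses any port-25 rule that is not pinned to the relay.

```shell
#!/bin/sh
# Added example, not from the original thread: a self-checking ruleset that
# lets the firewall host send mail to one relay and nothing else.
# Placeholders (assumptions, not from the thread): MAIL_RELAY, ADMIN_HOST.
set -eu

MAIL_RELAY="${MAIL_RELAY:-192.0.2.25}"   # your mail server
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}" # LAN host you ssh in from
IPT="${IPT:-iptables}"

# Print the rules one per line so they can be reviewed before they run.
# Order matters: flush, loopback, drop INVALID before the ESTABLISHED rules,
# the SSH and SMTP pairs, rate-limited logging, and the DROP policies last.
rules() {
    cat <<EOF
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -p tcp -s $ADMIN_HOST --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -d $ADMIN_HOST --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -d $MAIL_RELAY --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -s $MAIL_RELAY --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
$IPT -A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
$IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
EOF
}

# Sanity check before anything is applied: port 25 may only be opened on
# OUTPUT, every port-25 rule must name the relay, and the inbound half
# must be limited to ESTABLISHED. Exits non-zero on the first violation.
lint_rules() {
    rules | awk -v relay="$MAIL_RELAY" '
        /--dport 25/ && !/-A OUTPUT/ { print "SMTP opened on wrong chain: " $0; bad=1 }
        /--dport 25/ && index($0, "-d " relay)==0 { print "SMTP rule not pinned to relay: " $0; bad=1 }
        /--sport 25/ && index($0, "-s " relay)==0 { print "inbound SMTP rule not pinned to relay: " $0; bad=1 }
        /--sport 25/ && !/ESTABLISHED/ { print "inbound SMTP rule not state-limited: " $0; bad=1 }
        END { exit bad }'
}

# Apply the rules only as root with iptables present; otherwise just print
# them. Afterwards dump the live chains so the result can be eyeballed.
apply_rules() {
    lint_rules
    if [ "$(id -u)" -ne 0 ] || ! command -v "$IPT" >/dev/null 2>&1; then
        echo "not root or no $IPT found: printing rules instead of applying" >&2
        rules
        return 0
    fi
    rules | sh -e
    "$IPT" -S INPUT
    "$IPT" -S OUTPUT
}

# Run as "./smtp-only.sh apply" to install; with no argument nothing changes.
case "${1:-}" in
    apply) apply_rules ;;
esac
```

Once applied, `iptables -S OUTPUT` should show exactly the loopback, SSH, SMTP and LOG rules above a `-P OUTPUT DROP` line; if a Tripwire run later fails to mail, the `fw-out-drop:` log lines tell you which packet the policy ate.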
* Re: iptables question - how to securely allow *just* outgoing smtp
From: Alin Nastac @ 2002-06-25 6:55 UTC
To: Christian Seberino; +Cc: Antony Stone, netfilter
Christian Seberino wrote:
> I *could* define $SSH_PORT and $SMTP_PORT but
> doesn't iptables recognize ssh and smtp /already/
> as 22 and 25?
iptables recognises all port names from /etc/services. You could use
--dport ssh instead of --dport 22. Still, you must add -p tcp before that.
Without it, iptables cannot interpret --dport.